Re: dhcp sqlippool reauthenticate users every minute

2013-01-12 Thread Alan DeKok
Ethan Hayon wrote:
> Yes, MAC address is unique for each user. The MAC should be a unique 
> identifier when assigning IP's.

  That's the goal.

> Yes, the NAS is sending accounting data. This is what redacct looks like 
> (some columns omitted)

  That seems OK.

> Right now, I'm thinking there is a mismatch either in the nasipaddress or 
> some other attribute. The NAS has a WAN ip of 98.109.201.89 and a LAN IP of 
> 192.168.1.1. The RADIUS server is on LAN at 192.168.1.2. I have noticed that 
> sometimes the nasipaddress appears as 192.168.1.1 and other times as 
> 98.109.201.89. I think I am going to start with a fresh install of 
> freeradius. I messed with too many queries (such as adjusting the Pool-Key) 
> and I am worried that I have created a mess. 

  Well, start over.  See man radiusd.  Change one thing at a time.
Get it working.  Once it's working, change something else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Ethan Hayon
Hi, I'm trying to set up FreeRADIUS 2.2 to act as an authentication and 
accounting system as well as a DHCP server. (I'm relaying DHCP requests from a 
pfSense box).

I am trying to use sqlippools on FreeRADIUS, but I have noticed that my ippools 
are filling up quickly (I am only testing with two devices). I have pfSense 
configured to reauthenticate users every minute, so I believe that FreeRADIUS is 
running post-auth dhcp leasing each time the user is reauthenticated. 
FreeRADIUS is serving the same client a new IP address each minute. 

I have adjusted my policy conf to the below. I may be approaching this the 
wrong way, but this is essentially what I am trying to do:

I want to have multiple pools on different subnets. When a new client connects 
to the network (they don't yet have a radius account) they are sent to a 
default (pending) pool. This may be on the 192.168.1/24 subnet. After they have 
set up their account and have been added to the RADIUS database, they will be 
given a pool-name, maybe `pool2`. `pool2` will be on a different subnet, for 
example, 192.168.2/24. The pfsense box knows how to route these subnets, so that 
is not a problem. I only want clients to receive a different IP address if 
their pool-name changes for whatever reason; if there are no changes to their 
account, they shouldn't be leased a new IP every time they reauthenticate 
(every minute).

Eventually I will disable the reauthenticate every minute feature as the 
production system would not be able to handle this many requests. 

Am I approaching this problem correctly? I have written some un-lang in the 
policy.conf file for handling some of this. I am getting hung up on this 
problem. The pool is getting exhausted in minutes since each client is leased a 
new ip every minute.

Any help is appreciated!
Thanks,
Ethan

….
dhcp_sqlippool.post-auth {
        #  Do some minor hacks to the request so that it looks
        #  like a RADIUS request to the SQL IP Pool module.

        #  Check whether the requester already has a Pool-Name in radcheck;
        #  if they do not have a pool-name, send them to pfpriv by default.
        #  The %{sql:...} xlats are quoted so the embedded spaces parse, and
        #  rlm_sql escapes the attribute values it expands inside the query.
        if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}" != 0) {
                update control {
                        Pool-Name := "%{sql:SELECT `value` FROM radcheck WHERE username='%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}"
                }
        }
        else {
                update control {
                        #  default pool if the user doesn't have an account
                        Pool-Name := pfpriv
                }
        }

        update reply {
                #  we will ultimately create a mysql table `radpoolinfo`
                #  to store per-pool attributes
                DHCP-Domain-Name-Server = 192.168.1.1
                #  this will also be in `radpoolinfo` eventually
                DHCP-Router-Address = 192.168.0.1
        }
        update request {
                User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
                Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
                NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
                Acct-Status-Type = Start
        }

        #  Call the actual module
        #
        #  Uncomment this in order to really call it!
        dhcp_sqlippool
        #fail

        #  Convert Framed-IP-Address to DHCP, but only if we
        #  actually allocated an address.
        if (ok) {
                update reply {
                        DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
                }
        }
}
…


Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Alan DeKok
Ethan Hayon wrote:
> Hi, I'm trying to set up FreeRADIUS 2.2 to act as an authentication and 
> accounting system as well as a DHCP server. (I'm relaying DHCP requests from 
> a pfSense box).

  Are you doing DHCP *and* RADIUS?

> I am trying to use sqlippools on FreeRADIUS, but I have noticed that my 
> ippools are filling up quickly (I am only testing with two devices). I have 
> pfSense configured to reauthenticate users every minute, so I believe that 
> FreeRADIUS is running post-auth dhcp leasing each time the user is 
> reauthenticated. FreeRADIUS is serving the same client a new IP address each 
> minute. 

  There's no need to believe anything.  Run the server in debugging
mode to see exactly what it's doing.

  Any IP allocation MUST be done on a key which is unique to each
device.  That key should remain the same across multiple re-authentications.

  So... is it?  Please check.

> I want to have multiple pools on different subnets. When a new client 
> connects to the network (they don't yet have a radius account) they are sent 
> to a default (pending) pool. This may be on the 192.168.1/24 subnet. After 
> they have set up their account and have been added to the RADIUS database, 
> they will be given a pool-name, maybe `pool2`. `pool2` will be on a different 
> subnet, for example, 192.168.2/24. The pfsense box knows how to route these 
> subnets, so that is not a problem. I only want clients to receive a different 
> IP address if their pool-name changes for whatever reason; if there are no 
> changes to their account, they shouldn't be leased a new IP every time they 
> reauthenticate (every minute).

  This is what databases are for.  If you want to map each client to a
pool, you'll need a table with a client identifier column, and a
pool-name column.  Then, assign IPs based on the pool name, as looked
up in the table.

> Am I approaching this problem correctly? I have written some un-lang in the 
> policy.conf file for handling some of this. I am getting hung up on this 
> problem. The pool is getting exhausted in minutes since each client is leased 
> a new ip every minute.

  Solve that problem first.  Run the server in debugging mode to see
*why* it's assigning a new IP.

  Alan DeKok.


Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Ethan Hayon
Thanks for the response Alan.

I am using DHCP and RADIUS. I was initially using FreeRADIUS for captive portal 
user authentication and accounting for a pfsense router (using the DHCP server 
built into the pfsense box). The DHCP server on pfsense limits us to only 
serving IPs on a single subnet. 
We are now trying to use FreeRADIUS as a DHCP server as well by associating 
user accounts with ippools through Pool-Name. 

When I run the server in debug mode the Acct-Unique-Session-ID remains the same 
across the interim accounting updates. However, re-authentications don't seem 
to have a unique key associated with them. 
Each time the user is reauthenticated, dhcp_sqlippool.post-auth is triggered 
and the script I added is executed. I plan to create a table radippoolinfo that 
will store ip pool specific info such as router address, net mask, dns servers, 
etc…

In my post-auth policy, I am updating control with the proper pool-name (with 
an unlang), changing some other reply attributes, then calling dhcp_sqlippool. 
What I am doing doesn't feel right. I am very new to this, does this sound like 
the proper way of handling the serving of ip's on multiple subnets? 
DHCP-Domain-Name-Server and DHCP-Router-Address will change between pools. 

I guess I'm asking if I am approaching this correctly: Using unlang in 
policy.conf to handle these rules. 


Sorry to put such a long debug message in here. I pulled out one authorization 
request, but they all look the same. It looks like 

This is what my authorization looks like:

The request comes in with a framed ip of 192.168.0.43, but it tries to serve it 
192.168.0.50. It reallocates a new IP for each auth every minute.

rad_recv: Access-Request packet from host 192.168.1.1 port 7053, id=32, length=142
NAS-IP-Address = [redacted]
NAS-Identifier = pfsense.localdomain
User-Name = b8:8d:12:10:8d:f6
User-Password = [redacted]
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 30
Framed-IP-Address = 192.168.0.43
Called-Station-Id = [redacted]
Calling-Station-Id = b8:8d:12:10:8d:f6
Thu Jan 10 23:53:34 2013 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Thu Jan 10 23:53:34 2013 : Info: +- entering group authorize {...}
Thu Jan 10 23:53:34 2013 : Info: ++[preprocess] returns ok
Thu Jan 10 23:53:34 2013 : Info: ++[chap] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[mschap] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[digest] returns noop
Thu Jan 10 23:53:34 2013 : Info: [suffix] No '@' in User-Name = b8:8d:12:10:8d:f6, looking up realm NULL
Thu Jan 10 23:53:34 2013 : Info: [suffix] No such realm NULL
Thu Jan 10 23:53:34 2013 : Info: ++[suffix] returns noop
Thu Jan 10 23:53:34 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Jan 10 23:53:34 2013 : Info: ++[eap] returns noop
Thu Jan 10 23:53:34 2013 : Info: [files] users: Matched entry DEFAULT at line 93
Thu Jan 10 23:53:34 2013 : Info: ++[files] returns ok
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: %{User-Name} -> b8:8d:12:10:8d:f6
Thu Jan 10 23:53:34 2013 : Info: [sql] sql_set_user escaped user -- 'b8:8d:12:10:8d:f6'
Thu Jan 10 23:53:34 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'b8:8d:12:10:8d:f6'   ORDER BY id
Thu Jan 10 23:53:34 2013 : Info: [sql] User found in radcheck table
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'b8:8d:12:10:8d:f6'   ORDER BY id
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'b8:8d:12:10:8d:f6'   ORDER BY priority
Thu Jan 10 23:53:34 2013 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Jan 10 23:53:34 2013 : Info: ++[sql] returns ok
Thu Jan 10 23:53:34 2013 : Info: ++[expiration] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[logintime] returns noop
Thu Jan 10 23:53:34 2013 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Thu Jan 10 23:53:34 2013 : Info: ++[pap] returns noop
Thu Jan 10 23:53:34 2013 : Info: Found Auth-Type = Accept
Thu Jan 10 23:53:34 2013 : Info: Auth-Type = Accept, accepting the user
Thu 

Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Alan DeKok
Ethan Hayon wrote:
> When I run the server in debug mode the Acct-Unique-Session-ID remains
> the same across the interim accounting updates. However,
> re-authentications don't seem to have a unique key associated with them. 

  That makes no sense.  There is *nothing* unique to each user you can
key off of?  Name?  MAC address?

> In my post-auth policy, I am updating control with the proper pool-name
> (with an unlang), changing some other reply attributes, then calling
> dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to
> this, does this sound like the proper way of handling the serving of
> ip's on multiple subnets? DHCP-Domain-Name-Server and
> DHCP-Router-Address will change between pools. 

  Get one thing working first.  Only then look at the next thing.

> I guess I'm asking if I am approaching this correctly: Using unlang in
> policy.conf to handle these rules. 

  unlang is for policy rules.  Databases are for data.  You've got some
kind of mixup between the two.

> Sorry to put such a long debug message in here. I pulled out one
> authorization request, but they all look the same. It looks like 

  They don't all look the same.  They contain different information for
each user.  How else does the server tell users apart?

> This is what my authorization looks like:
> 
> The request comes in with a framed ip of 192.168.0.43, but it tries to
> serve it 192.168.0.50.

  The default queries use Calling-Station-Id to track IP addresses.
They *also* assume that the NAS sends accounting packets, so that each
user has an accounting entry in SQL.

> It reallocates a new IP for each auth every minute.

  Probably because the NAS isn't sending accounting data.  So the IP is
never tracked in SQL.

  So... did you look in the SQL database to see what's there?  Is it
tracking the IP?  Does the user have an accounting record?

  Alan DeKok.


Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Ethan Hayon

On Jan 11, 2013, at 6:38 PM, Alan DeKok al...@deployingradius.com wrote:

Hi Alan, Thanks for the response

> Ethan Hayon wrote:
> > When I run the server in debug mode the Acct-Unique-Session-ID remains
> > the same across the interim accounting updates. However,
> > re-authentications don't seem to have a unique key associated with them. 
> 
>   That makes no sense.  There is *nothing* unique to each user you can
> key off of?  Name?  MAC address?

Yes, MAC address is unique for each user. The MAC should be a unique identifier 
when assigning IP's.

 
> > In my post-auth policy, I am updating control with the proper pool-name
> > (with an unlang), changing some other reply attributes, then calling
> > dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to
> > this, does this sound like the proper way of handling the serving of
> > ip's on multiple subnets? DHCP-Domain-Name-Server and
> > DHCP-Router-Address will change between pools. 
> 
>   Get one thing working first.  Only then look at the next thing.
Good point

 
> > I guess I'm asking if I am approaching this correctly: Using unlang in
> > policy.conf to handle these rules. 
> 
>   unlang is for policy rules.  Databases are for data.  You've got some
> kind of mixup between the two.

Sorry for the misunderstanding. I understand this. I'm just making sure it is 
normal to use unlang in the policy.conf to perform sql queries and use the 
results to build up a response. Again, I need to get this working before 
worrying about that.

 
> > Sorry to put such a long debug message in here. I pulled out one
> > authorization request, but they all look the same. It looks like 
> 
>   They don't all look the same.  They contain different information for
> each user.  How else does the server tell users apart?

I am only using one device right now, so the auth requests look the same, hence 
why I only included one below. The auth requests will look different if i 
introduce more devices into the system.

 
> > This is what my authorization looks like:
> > 
> > The request comes in with a framed ip of 192.168.0.43, but it tries to
> > serve it 192.168.0.50.
> 
>   The default queries use Calling-Station-Id to track IP addresses.
> They *also* assume that the NAS sends accounting packets, so that each
> user has an accounting entry in SQL.
> 
> > It reallocates a new IP for each auth every minute.
> 
>   Probably because the NAS isn't sending accounting data.  So the IP is
> never tracked in SQL.
> 
>   So... did you look in the SQL database to see what's there?  Is it
> tracking the IP?  Does the user have an accounting record?

Yes, the NAS is sending accounting data. This is what redacct looks like (some 
columns omitted)

+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
| radacctid | acctsessionid    | acctuniqueid     | username          | nasipaddress  | callingstationid  | calledstationid | framedipaddress |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
|        17 | 9e90e1a3b02da713 | 068649e121f096f2 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.40    |
|        18 | 61ebc2f61333e8d4 | 857f2f856c1ea384 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        19 | a8aed7c0d9ce3bd1 | 541ef5a9672cc6e7 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        20 | 5bd18f3ccb1edf8a | e3c55f048d9a680b | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        21 | 72ad87c6b43a08b4 | e427b47f54737c4f | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        22 | bff889e83c3b469b | 70ec2fe5fa197bcc | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+

So there is an accounting record for each user and each user session.

Right now, I'm thinking there is a mismatch either in the nasipaddress or some 
other attribute. The NAS has a WAN ip of 98.109.201.89 and a LAN IP of 
192.168.1.1. The RADIUS server is on LAN at 192.168.1.2. I have noticed that 
sometimes the nasipaddress appears as 192.168.1.1 and other times as 
98.109.201.89. I think I am going to start with a fresh install of freeradius. 
I messed with too many queries (such as adjusting the Pool-Key) and I am 
worried that I have created a mess. 

Ethan Hayon

 
>   Alan DeKok.

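The mismatch Ethan suspects (nasipaddress flipping between the LAN and WAN address) and Alan's point that the pool key must be unique per device and stable across re-authentications can be reproduced offline. The script below is an added illustration, not code from the thread or from FreeRADIUS: it builds a constructed four-address radippool in SQLite and runs a simplified allocate-clear / allocate-find / allocate-update cycle modelled on the 2.x sqlippool queries (an assumption; the real module wraps these in a transaction and uses NOW()), then re-authenticates the single MAC from the thread once a minute under three conditions.

```python
import sqlite3

MAC = "b8:8d:12:10:8d:f6"                    # the single test device in the thread
LAN, WAN = "192.168.1.1", "98.109.201.89"    # the two nasipaddress values Ethan saw

# Constructed radippool table; column names follow the 2.x sqlippool schema (assumption).
SCHEMA = """CREATE TABLE radippool (
    id INTEGER PRIMARY KEY, pool_name TEXT, framedipaddress TEXT,
    nasipaddress TEXT DEFAULT '', callingstationid TEXT DEFAULT '',
    expiry_time INTEGER, username TEXT DEFAULT '', pool_key TEXT DEFAULT '')"""

def fresh_pool(pool_name="pfpriv", hosts=(40, 41, 42, 43)):
    """A four-address pool, so exhaustion shows up within a few re-auths."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
                     [(pool_name, "192.168.0.%d" % h) for h in hosts])
    return conn

def allocate(conn, pool_name, nas_ip, pool_key, mac, now, lease=600):
    """Simplified allocate-clear / allocate-find / allocate-update cycle (assumption:
    modelled on the 2.x sqlippool queries). Returns the leased IP, or None if exhausted."""
    # allocate-clear: release only the lease held by this NAS IP *and* this pool key.
    # If either value differs from the previous request, the old lease stays in place.
    conn.execute("UPDATE radippool SET nasipaddress='', pool_key='', callingstationid='', "
                 "username='', expiry_time=NULL WHERE nasipaddress=? AND pool_key=?",
                 (nas_ip, pool_key))
    # allocate-find: pick a free address, preferring one this user/MAC held before.
    row = conn.execute(
        "SELECT framedipaddress FROM radippool WHERE pool_name=? "
        "AND (expiry_time < ? OR expiry_time IS NULL) "
        "ORDER BY (username <> ?), (callingstationid <> ?), expiry_time, id LIMIT 1",
        (pool_name, now, mac, mac)).fetchone()
    if row is None:
        return None
    ip = row[0]
    # allocate-update: record who holds the address and when the lease expires.
    conn.execute("UPDATE radippool SET nasipaddress=?, pool_key=?, callingstationid=?, "
                 "username=?, expiry_time=? WHERE pool_name=? AND framedipaddress=?",
                 (nas_ip, pool_key, mac, mac, now + lease, pool_name, ip))
    return ip

def reauth_every_minute(n, nas_ip_for, key_for):
    """Re-authenticate the same MAC n times, one minute apart; nas_ip_for(i) and
    key_for(i) give the NAS-IP-Address and pool key the i-th request carries."""
    conn = fresh_pool()
    return [allocate(conn, "pfpriv", nas_ip_for(i), key_for(i), MAC, now=60 * i)
            for i in range(n)]

if __name__ == "__main__":
    print("stable key, stable NAS IP:", reauth_every_minute(4, lambda i: LAN, lambda i: MAC))
    print("NAS IP flips LAN/WAN:", reauth_every_minute(4, lambda i: (LAN, WAN)[i % 2], lambda i: MAC))
    print("key changes per request:", reauth_every_minute(5, lambda i: LAN, lambda i: "sess-%d" % i))
```

With a stable key and NAS IP the device keeps 192.168.0.40; when the NAS IP alternates, its own lease is never cleared and a second address is consumed; when the key changes on every request, each re-auth takes a fresh address until the pool returns None, which is the exhaustion Ethan reports.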