I'm working on deploying a wireless environment with 802.1x (PEAP), 
using FreeRadius CVS. For optimal network performance and scalability,
I'm planning on my access points running in routing mode instead of
bridged mode which will allow each antenna to have its own subnet.
Users will be authenticated via 802.1x with FreeRadius against an LDAP
data source. Upon authentication, I'll use iptables to set up accounting
and punch holes in the firewall based on the IP address. In addition,
tc rules / filters will be created for traffic shaping with HTB.

For simplicity, I'm just using the users file to get things working
and tested without worrying about incorrect LDAP queries, parameters,
etc. I have the 802.1x authentication working, however I'm stuck trying 
to determine how to handle the IP address allocation. Two options that 
I am aware of include: DHCP server or internally managed IP Pools with
FreeRadius. 

When using a DHCP server, everything works properly after 
authentication since the access points support DHCP relay, so the 
proper IP address / subnet is assigned. The problem I'm having is 
during a DHCP request I don't know much about the request except for 
a MAC address. Since all the authentication has already taken place 
via FreeRadius... I don't have any of the necessary information to 
dynamically set up the iptables firewall / traffic shaping: who is this
person? What speed should they be? etc. As near as I can tell, in
order for this to happen, I would need to write custom extensions to 
the DHCP server (ISC).

Based on the above problem, the simple solution would be to do 
everything inside of FreeRadius. Theoretically, I could even use the 
EXEC module to punch holes in the firewall and set up the traffic 
shaping.  Sounds good to me.  But so far I'm not having any luck with 
the IP address pools.  During the EAP session, the rlm_ippool module 
returns NOOP with an error that the nas port was not found.  I've 
tried to add that information with the users attribute, but the 
information I've added ends up being contained within the internal 
tunnel and the rlm_ippool module still complains about no nas port. 
What am I doing wrong?  Here is the ippool that I currently have 
setup in radius.conf:

ippool test_pool {
    range-start = 10.10.11.2
    range-stop = 10.10.11.254
    netmask = 255.255.255.0
    cache-size = 254
    session-db = ${raddbdir}/pool/10.10.11.0.ippool
    ip-index = ${raddbdir}/pool/10.10.11.0.ipindex
    override = no
}

I originally tried setting the Pool-Name based on the NAS-IP-Address,
since I don't want to have to define this information on a per person
basis, but when doing that, I get a Pool-Name not found error.

DEFAULT         NAS-IP-Address == 10.10.10.2, Pool-Name := "test_pool"
                Framed-Route = "10.10.11.0/24 10.10.11.1 1",
                Framed-IP-Netmask = 255.255.255.0,
                MS-Primary-DNS-Server = 10.10.10.1

I then tried adding all the information to a user attribute, which
got me past the Pool-Name error, but instead I started to receive 
nas port not defined errors.

username        User-Password == "password", Pool-Name := "test_pool"
                Framed-Route = "10.10.11.0/24 10.10.11.1 1",
                Framed-IP-Netmask = 255.255.255.0,
                MS-Primary-DNS-Server = 10.10.10.1
                
Using the ippool module with a simple radtest command works correctly. 

Is it possible to use the ippool module with EAP? If so, what attributes 
or DEFAULT settings do I need to apply to make it work? In addition, is
it possible to set / send DNS server settings and route information to
automatically configure the network card? I've searched the mailing
lists and Internet in general, but I haven't found an answer to my 
problem.  

Before I hurt myself and code the DHCP extensions, does anyone know 
what I might be doing wrong with the rlm_ippool module and / or user 
settings? Or is there some other alternative that I haven't considered?
If I can avoid having to dust off the C programming manual, that would
be great.

George



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
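The post above describes calling the EXEC module after authentication to punch holes in the firewall and create HTB classes for the client's IP. Below is an added example of such a helper script; it is not George's code and not part of FreeRADIUS. It assumes the request/reply attributes reach the script as environment variables named after the attributes (USER_NAME, FRAMED_IP_ADDRESS), that the per-user rate arrives in a hypothetical RATE variable, that the client-facing interface is LAN_IF (default wlan0), and that an HTB root qdisc "1:" with a parent class "1:1" already exists on that interface. Because the values come from RADIUS attributes, the script validates the IP and rate before they are passed to iptables or tc, so a malformed attribute can never turn into extra command arguments.

```shell
#!/bin/sh
# Added example: hypothetical rlm_exec post-auth helper (not from the original post).
# Assumptions (see lead-in): USER_NAME, FRAMED_IP_ADDRESS and a made-up RATE variable
# are exported by rlm_exec; LAN_IF carries an HTB root qdisc 1: with parent class 1:1.
set -u

LAN_IF="${LAN_IF:-wlan0}"   # assumed client-facing interface
DRY_RUN="${DRY_RUN:-0}"     # 1 = print the commands instead of executing them

# Execute a command, or print it when DRY_RUN=1 (lets the rules be reviewed offline).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255; anything else is rejected
# so an attribute value can never smuggle extra arguments into iptables/tc.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS='.'; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Accept only "<digits>kbit" or "<digits>mbit", the tc rate syntax used here.
valid_rate() {
    case "$1" in
        [1-9]*kbit|[1-9]*mbit)
            case "${1%?bit}" in *[!0-9]*) return 1 ;; esac
            return 0 ;;
    esac
    return 1
}

# Per-client accounting chain name, e.g. acct_10_10_11_42 (dots are not used in chain names).
acct_chain() { printf 'acct_%s\n' "$(printf '%s' "$1" | tr . _)"; }

# HTB class id derived from the last octet; tc reads the minor id as hex, but distinct
# octets still give distinct classes, and each antenna is its own /24 in the post's design.
classid_for_ip() { printf '1:%s\n' "${1##*.}"; }

# Punch the hole: a dedicated chain gives per-client packet/byte counters for accounting,
# and both directions of the client's traffic are sent through it to ACCEPT.
firewall_rules() {
    ip=$1; chain=$(acct_chain "$ip")
    run iptables -N "$chain"
    run iptables -A "$chain" -j ACCEPT
    run iptables -I FORWARD -s "$ip" -j "$chain"
    run iptables -I FORWARD -d "$ip" -j "$chain"
}

# Shape traffic toward the client: one HTB leaf class plus a u32 filter on the destination IP.
shaping_rules() {
    ip=$1; rate=$2; cls=$(classid_for_ip "$ip")
    run tc class add dev "$LAN_IF" parent 1:1 classid "$cls" htb rate "$rate" ceil "$rate"
    run tc filter add dev "$LAN_IF" protocol ip parent 1:0 prio 1 u32 match ip dst "$ip" flowid "$cls"
}

# Validate the RADIUS-supplied values, then install firewall and shaping rules.
authorize_client() {
    user=$1; ip=$2; rate=$3
    valid_ipv4 "$ip" || { echo "rejecting client $user: bad IP '$ip'" >&2; return 1; }
    valid_rate "$rate" || { echo "rejecting client $user: bad rate '$rate'" >&2; return 1; }
    firewall_rules "$ip" && shaping_rules "$ip" "$rate"
}

# Entry point when invoked by rlm_exec (does nothing when the attributes are absent).
if [ -n "${FRAMED_IP_ADDRESS:-}" ]; then
    authorize_client "${USER_NAME:-unknown}" "$FRAMED_IP_ADDRESS" "${RATE:-512kbit}"
fi
```

Run it with DRY_RUN=1 FRAMED_IP_ADDRESS=10.10.11.42 USER_NAME=alice RATE=512kbit to see the six iptables and tc commands it would issue; the matching teardown on Accounting-Stop (deleting the FORWARD rules, chain, filter and class) is the mirror image and is left out here.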