I'm working on deploying a wireless environment with 802.1x (PEAP), using FreeRadius CVS. For optimal network performance and scalability, I'm planning on my access points running in routing mode instead of bridged mode, which will allow each antenna to have its own subnet. Users will be authenticated via 802.1x with FreeRadius against an LDAP data source. Upon authentication, I'll use iptables to set up accounting and punch holes in the firewall based on the IP address. In addition, tc rules / filters will be created for traffic shaping with HTB.
For simplicity, I'm just using the users file to get things working and tested without worrying about incorrect LDAP queries, parameters, etc. I have the 802.1x authentication working; however, I'm stuck trying to determine how to handle the IP address allocation. Two options that I am aware of are a DHCP server or internally managed IP pools within FreeRadius.

When using a DHCP server, everything works properly after authentication since the access points support DHCP relay, so the proper IP address / subnet is assigned. The problem I'm having is that during a DHCP request I don't know much about the request except for a MAC address. Since all the authentication has already taken place via FreeRadius, I don't have any of the necessary information to dynamically set up the iptables firewall / traffic shaping: who is this person? What speed should they be? etc. As near as I can tell, in order for this to happen, I would need to write custom extensions to the DHCP server (ISC).

Based on the above problem, the simple solution would be to do everything inside of FreeRadius. Theoretically, I could even use the EXEC module to punch holes in the firewall and set up the traffic shaping. Sounds good to me. But so far I'm not having any luck with the IP address pools. During the EAP session, the rlm_ippool module returns NOOP with an error that the NAS port was not found. I've tried to add that information with the users attribute, but the information I've added ends up being contained within the internal tunnel, and the rlm_ippool module still complains about no NAS port. What am I doing wrong?
Here is the ippool that I currently have set up in radius.conf:

    ippool test_pool {
            range-start = 10.10.11.2
            range-stop = 10.10.11.254
            netmask = 255.255.255.0
            cache-size = 254
            session-db = ${raddbdir}/pool/10.10.11.0.ippool
            ip-index = ${raddbdir}/pool/10.10.11.0.ipindex
            override = no
    }

I originally tried setting the Pool-Name based on the NAS-IP-Address, since I don't want to have to define this information on a per-person basis, but when doing that I get a "Pool-Name not found" error:

    DEFAULT NAS-IP-Address == 10.10.10.2, Pool-Name := "test_pool"
            Framed-Route = "10.10.11.0/24 10.10.11.1 1",
            Framed-IP-Netmask = 255.255.255.0,
            MS-Primary-DNS-Server = 10.10.10.1

I then tried adding all the information to a user entry, which got me past the Pool-Name error, but instead I started to receive "NAS port not defined" errors:

    username User-Password == "password", Pool-Name := "test_pool"
            Framed-Route = "10.10.11.0/24 10.10.11.1 1",
            Framed-IP-Netmask = 255.255.255.0,
            MS-Primary-DNS-Server = 10.10.10.1

Using the ippool module with a simple radtest command works correctly. Is it possible to use the ippool module with EAP? If so, what attributes or DEFAULT settings do I need to apply to make it work? In addition, is it possible to set / send DNS server settings and route information to automatically configure the network card?

I've searched the mailing lists and the Internet in general, but I haven't found an answer to my problem. Before I hurt myself and code the DHCP extensions, does anyone know what I might be doing wrong with the rlm_ippool module and / or user settings? Or is there some other alternative that I haven't considered? If I can avoid having to dust off the C programming manual, that would be great.

George
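The EXEC-module approach the post mentions (punching firewall holes and creating HTB classes once FreeRADIUS has handed out the address), as an added example that is not part of the original message or of FreeRADIUS itself. It assumes rlm_exec's convention of exporting attributes as environment variables with the name uppercased and "-" turned into "_" (so Framed-IP-Address becomes FRAMED_IP_ADDRESS), that rlm_exec is configured to export the reply list where Framed-IP-Address lives, and a hypothetical per-user reply attribute X-Rate-Limit (X_RATE_LIMIT) carrying the HTB rate. WAN_IF, the FORWARD-chain layout and the classid scheme are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeRADIUS.
# Called by rlm_exec after authentication ("add") or on accounting stop ("del").
# Attribute values arrive as environment variables (assumption: rlm_exec naming,
# FRAMED_IP_ADDRESS and a hypothetical X_RATE_LIMIT). WAN_IF is an assumption.

WAN_IF="${WAN_IF:-eth0}"

# Accept only a dotted quad with four octets in 0..255. Attribute values are
# attacker-influenced strings, so anything else (including shell metacharacters
# or extra iptables arguments) is rejected before it can reach iptables or tc.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Accept an HTB rate of the form <digits>kbit or <digits>mbit, nothing else.
valid_rate() {
    case "$1" in
        [1-9]*kbit|[1-9]*mbit) ;;
        *) return 1 ;;
    esac
    case "${1%?bit}" in
        *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Map the host part of the address to a per-client number (101..354) that is
# used both as the HTB classid minor and as the tc filter priority, so the
# filter can later be deleted by prio without tracking u32 handles.
# Assumes one /24 per access point, as in the routed design in the post.
client_id() {
    echo $((100 + ${1##*.}))
}

# Print the iptables and tc commands for one session instead of running them,
# so the rule set can be reviewed or tested; the caller pipes it into sh.
# $1 = client IP, $2 = HTB rate, $3 = add|del
session_rules() {
    ip="$1"; rate="$2"; action="$3"
    valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
    valid_rate "$rate" || { echo "rejected rate: $rate" >&2; return 1; }
    id=$(client_id "$ip")
    case "$action" in
        add)
            # Per-address ACCEPT rules double as accounting counters:
            # "iptables -nvxL FORWARD" then shows bytes/packets per client.
            echo "iptables -I FORWARD -s $ip -j ACCEPT"
            echo "iptables -I FORWARD -d $ip -j ACCEPT"
            echo "tc class add dev $WAN_IF parent 1:1 classid 1:$id htb rate $rate ceil $rate"
            echo "tc filter add dev $WAN_IF parent 1: protocol ip prio $id u32 match ip dst $ip/32 flowid 1:$id"
            ;;
        del)
            echo "iptables -D FORWARD -s $ip -j ACCEPT"
            echo "iptables -D FORWARD -d $ip -j ACCEPT"
            # Deleting by prio removes every filter installed at that priority,
            # which is exactly the one filter this client owns.
            echo "tc filter del dev $WAN_IF parent 1: protocol ip prio $id u32"
            echo "tc class del dev $WAN_IF classid 1:$id"
            ;;
        *)
            echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Under rlm_exec the attributes are in the environment; argument 1 selects the
# action. Set APPLY=1 to execute the commands; otherwise they are only printed.
if [ -n "$FRAMED_IP_ADDRESS" ]; then
    rules=$(session_rules "$FRAMED_IP_ADDRESS" "${X_RATE_LIMIT:-256kbit}" "${1:-add}") || exit 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
fi
```

The script prints the commands rather than executing them by default, which makes it easy to run it by hand with FRAMED_IP_ADDRESS set and check the rules before letting rlm_exec apply them; the address and rate checks are the important part, since anything placed in a reply attribute would otherwise be spliced straight into root-level iptables and tc command lines.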