Jul 22 2008
Feedback on Freeradius IP Pools
If you are wondering whether to use rlm_ippool or rlm_sqlippool to turn your RADIUS server into a "DHCP" server, read on!
rlm_ippool
We first configured Freeradius to provide IP addresses through the ippool module. IPs are stored internally in a binary data file.
radiusd.conf
ippool main_pool {
    range-start = 192.168.0.2
    range-stop = 192.168.0.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = yes
    # 0 disables rlm_ippool's own maximum lease time
    maximum-timeout = 0
}
accounting {
    main_pool
}
post-auth {
    main_pool
}
Users
In users, we’ve got:
DEFAULT Pool-Name := main_pool
Fall-Through = Yes
On startup, db.ippool and db.ipindex are created in the configuration directory.
Test
lease-duration is set to 10 in sqlippool.conf for testing purposes. IPs should be released after 10 seconds.
# Let's check the normal behaviour
echo "Connecting user test..."
echo "User-Name=\"test\",User-Password=\"test\",NAS-IP-Address=\"127.0.0.1\",NAS-Port=0" | radclient localhost:1812 auth testing123
echo "User-Name=\"test\",Acct-Session-Id=\"6000006B\",Acct-Status-Type=\"Start\",NAS-IP-Address=\"127.0.0.1\",NAS-Port=0" | radclient localhost:1813 acct testing123
# Checking number of IPs delivered - should be 1
rlm_ippool_tool -c etc/raddb/db.ippool etc/raddb/db.ipindex
=> 1
echo "Disconnecting user test"
echo "User-Name=\"test\",Acct-Session-Id=\"6000006B\",Acct-Status-Type=\"Stop\",NAS-IP-Address=\"127.0.0.1\",NAS-Port=0" | radclient localhost:1813 acct testing123
# Checking number of IPs delivered - should be 0
rlm_ippool_tool -c etc/raddb/db.ippool etc/raddb/db.ipindex
=> 0 - Good!
# Let's check the lease timeout
echo "Connecting user test..."
echo "User-Name=\"test\",User-Password=\"test\",NAS-IP-Address=\"127.0.0.1\",NAS-Port=0" | radclient localhost:1812 auth testing123
echo "User-Name=\"test\",Acct-Session-Id=\"6000006B\",Acct-Status-Type=\"Start\",NAS-IP-Address=\"127.0.0.1\",NAS-Port=0" | radclient localhost:1813 acct testing123
rlm_ippool_tool -c etc/raddb/db.ippool etc/raddb/db.ipindex
=> 1
# We wait until the lease times out
sleep 11
rlm_ippool_tool -c etc/raddb/db.ippool etc/raddb/db.ipindex
=> 1
The lease is still counted after the timeout: the timeout isn't working!
rlm_sqlippool
radiusd.conf
First upgrade to FreeRADIUS 1.1.7 or later, then make the following changes to radiusd.conf:
Uncomment "$INCLUDE ${confdir}/sqlippool.conf", remove main_pool from the accounting and post-auth sections and add sqlippool in its place.
accounting {
sqlippool
}
post-auth {
sqlippool
}
users
DEFAULT Pool-Name := main_pool
Fall-Through = Yes
SQL IP Pool Creation
Create the radippool table in the MySQL database if it does not exist yet (the schema is shipped with FreeRADIUS):
#
# Table structure for table 'radippool'
#
CREATE TABLE radippool (
id int(11) unsigned NOT NULL auto_increment,
pool_name varchar(30) NOT NULL,
FramedIPAddress varchar(15) NOT NULL default '',
NASIPAddress varchar(15) NOT NULL default '',
CalledStationId VARCHAR(30) NOT NULL,
CallingStationID VARCHAR(30) NOT NULL,
expiry_time DATETIME NOT NULL default '0000-00-00 00:00:00',
username varchar(64) NOT NULL default '',
pool_key varchar(30) NOT NULL,
PRIMARY KEY (id)
);
Then add the sqlippool.conf file (shipped with 1.1.7 and later).
Add the IP pool to the database, one row per address:
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool','192.168.0.1');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool','192.168.0.2');
[...]
Results
Running the same tests against the SQL IP pool configuration gives correct results: IPs are released after 10 seconds.
With rlm_ippool, leases that are never released accumulate until the pool fills up. In the end you have to reset the pool and the customers' connections, which means downtime!
rlm_sqlippool is also interesting when several RADIUS servers serve the same customers: the pool state lives in the database and is shared by all of them, which is convenient.
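To make the behaviour tested above reproducible without a RADIUS server, here is an added example (my own code, not FreeRADIUS's and not the queries from sqlippool.conf) that models a radippool table in SQLite using the column names from the schema above. It replays the page's test sequence (10-second lease, accounting Start, Stop, timeout) and then the situation raised in the comments below, where two allocators select the same free row at once. The allocation is done as a find-then-claim pair in which the UPDATE re-checks the expiry_time; a claim that loses the race updates zero rows and the caller retries with another address instead of handing out a duplicate. Whether a given FreeRADIUS version's sqlippool.conf queries lock the row (for instance with SELECT ... FOR UPDATE) depends on the SQL dialect and the shipped configuration, so check yours. All timestamps, usernames and addresses are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Same sentinel the MySQL schema on the page uses as the default expiry_time;
# any row whose expiry_time sorts below "now" is considered free.
FREE = "0000-00-00 00:00:00"

# SQLite rendering of the radippool table from the page (types simplified,
# column names kept so the queries read like the MySQL ones).
SCHEMA = """
CREATE TABLE radippool (
  id INTEGER PRIMARY KEY AUTOINCREMENT, pool_name TEXT NOT NULL,
  FramedIPAddress TEXT NOT NULL DEFAULT '', NASIPAddress TEXT NOT NULL DEFAULT '',
  CalledStationId TEXT NOT NULL DEFAULT '', CallingStationID TEXT NOT NULL DEFAULT '',
  expiry_time TEXT NOT NULL DEFAULT '0000-00-00 00:00:00',
  username TEXT NOT NULL DEFAULT '', pool_key TEXT NOT NULL DEFAULT ''
)
"""


def ts(moment):
    """Render a datetime the way expiry_time is stored (lexically sortable)."""
    return moment.strftime(TS_FORMAT)


class IpPool:
    """Minimal lease table with the allocate/release cycle of an IP pool."""

    def __init__(self, addresses, pool_name="main_pool"):
        self.pool_name = pool_name
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)
        self.db.executemany(
            "INSERT INTO radippool (pool_name, FramedIPAddress) VALUES (?, ?)",
            [(pool_name, ip) for ip in addresses])
        self.db.commit()

    def find_candidate(self, now):
        """Step 1 of allocation: pick a free address (expired or never leased)."""
        return self.db.execute(
            "SELECT id, FramedIPAddress FROM radippool "
            "WHERE pool_name = ? AND expiry_time < ? ORDER BY expiry_time, id LIMIT 1",
            (self.pool_name, ts(now))).fetchone()

    def claim(self, row_id, username, nas_ip, pool_key, now, lease_seconds):
        """Step 2: conditional UPDATE. The WHERE clause re-checks that the row is
        still free, so a competing allocator that won in between leaves rowcount 0."""
        cur = self.db.execute(
            "UPDATE radippool SET username = ?, NASIPAddress = ?, pool_key = ?, "
            "expiry_time = ? WHERE id = ? AND expiry_time < ?",
            (username, nas_ip, pool_key,
             ts(now + timedelta(seconds=lease_seconds)), row_id, ts(now)))
        self.db.commit()
        return cur.rowcount == 1

    def allocate(self, username, nas_ip, pool_key, now, lease_seconds, retries=3):
        """Find-then-claim loop; retries with another row when the claim loses a race."""
        for _ in range(retries):
            row = self.find_candidate(now)
            if row is None:
                return None  # pool exhausted
            if self.claim(row[0], username, nas_ip, pool_key, now, lease_seconds):
                return row[1]
        return None

    def release(self, pool_key, nas_ip):
        """Accounting Stop: hand the address back by resetting its expiry."""
        self.db.execute(
            "UPDATE radippool SET expiry_time = ?, username = '', pool_key = '' "
            "WHERE pool_key = ? AND NASIPAddress = ?", (FREE, pool_key, nas_ip))
        self.db.commit()

    def count_leased(self, now):
        """Counterpart of the page's rlm_ippool_tool -c: number of unexpired leases."""
        return self.db.execute(
            "SELECT COUNT(*) FROM radippool WHERE pool_name = ? AND expiry_time >= ?",
            (self.pool_name, ts(now))).fetchone()[0]


def demo():
    """Replays the page's test (10 s lease, Start, Stop, timeout), then the
    duplicate-address race from the comments. Timestamps are constructed."""
    t0 = datetime(2008, 7, 22, 12, 0, 0)

    def sec(n):
        return t0 + timedelta(seconds=n)

    pool = IpPool(["192.168.0.1", "192.168.0.2", "192.168.0.3"])
    r = {}
    # Normal behaviour: Start leases one address, Stop releases it.
    r["first_ip"] = pool.allocate("test", "127.0.0.1", "6000006B", sec(0), 10)
    r["leased_after_start"] = pool.count_leased(sec(0))
    pool.release("6000006B", "127.0.0.1")
    r["leased_after_stop"] = pool.count_leased(sec(1))
    # Lease timeout: with no Stop, the address frees itself after 10 s.
    pool.allocate("test", "127.0.0.1", "6000006B", sec(2), 10)
    r["leased_before_timeout"] = pool.count_leased(sec(10))
    r["leased_after_timeout"] = pool.count_leased(sec(13))  # the "sleep 11"
    # Race: two allocators select the same free row before either updates it.
    cand_a = pool.find_candidate(sec(20))
    cand_b = pool.find_candidate(sec(20))
    r["same_candidate"] = cand_a == cand_b
    won_a = pool.claim(cand_a[0], "alice", "127.0.0.1", "A1", sec(20), 10)
    r["race_ip_a"] = cand_a[1] if won_a else None
    r["second_claim_succeeded"] = pool.claim(cand_b[0], "bob", "127.0.0.1", "B1", sec(20), 10)
    # The loser retries and gets a different address instead of a duplicate.
    r["race_ip_b"] = pool.allocate("bob", "127.0.0.1", "B1", sec(20), 10)
    r["leased_after_race"] = pool.count_leased(sec(20))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important line is the WHERE clause of the claim: it repeats the "is this row still free" test that the SELECT already made, so correctness does not depend on nothing happening between the two statements. With a plain UPDATE keyed only on id, the second allocator would overwrite the first one's lease and both users would be told the same address.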
Hey... thanks a lot for the info. It really helped.
Hi,
First, I want to thank you for your article.
But I wonder how I can test this.
I have a radius test utility.
But I don't know how I can get my test utility an IP address from the pool?
Regards...
Hi, not sure I understood correctly.
Freeradius hands out IP addresses to the NAS.
The NAS distributes this same IP to the client.
You can see the delivered IP address in Freeradius logs.
You can also set up a lab environment with a NAS and a client.
The radius client behaves as a NAS, which is a RADIUS client, different from the client that connects to the NAS.
Nice site ….)
You didn't mention that for IP pool assignment using the 1st method one should uncomment main_pool in the post-auth section of the file /etc/freeradius/sites-available/default.
Also, the IP pool is not configured in radiusd.conf; there is a separate file, /etc/freeradius/modules/ippool, where the pools are configured (but that is probably due to the version of Radius I'm using). Great post though, and it helped me a lot, but maybe someone else will face the same issues as I did and it will save them some time 🙂
Thanks Mariusz for the update.
You're right, these are changes related to newer versions.
I wrote this post when FreeRADIUS didn't support virtual sites yet.
Despite rlm_ippool's problem with timeouts, rlm_SQLippool has an even bigger problem when you've got lots of simultaneous users trying to get an IP address.
I've experienced this problem with freeradius/mysql. rlm_SQLippool hands out duplicate IPs to different users.
I've read this doesn't happen with postgresql, but I have not had the opportunity to test.