IP Pool management and Re-authentication

Discussion:

Thibault Le Meur

2007-03-20 17:11:12 UTC

Hi,

I'm using a system (openvpn) with 'radiusplugin' to let FR authenticate
users and manage IP Pools.

Openvpn sometimes needs to renegotiate the connections and thus sends
authentication requests while the connection is still active (with an
already assigned IP address): this causes FR to assign a new IP address from
the pool (which seems normal since FR has no way to know this is a
renegotiation).

I'd like to patch the openvpn-radiusplugin so that an extra attribute is
sent in the Access-Accept packets so that FR will be able to differentiate
Initial and Renegociation Access-Accept requests and only assign new IP
address from the pool on Initial Access-Accept requests.

Do you know a standard Radius attribute that could be used for this ?
As far as you know, are there other NASes using such a quirk ? Does this
make sense ?

Thanks in advance,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Alan DeKok

2007-03-20 17:22:24 UTC

Permalink

Post by Thibault Le Meur
Openvpn sometimes needs to renegotiate the connections and thus sends
authentication requests while the connection is still active (with an
already assigned IP address): this causes FR to assign a new IP address from
the pool (which seems normal since FR has no way to know this is a
renegotiation).

So why isn't the radiusplugin telling FreeRADIUS what the old IP
address was?

Post by Thibault Le Meur
I'd like to patch the openvpn-radiusplugin so that an extra attribute is
sent in the Access-Accept packets so that FR will be able to differentiate
Initial and Renegociation Access-Accept requests and only assign new IP
address from the pool on Initial Access-Accept requests.

I think you mean Access-Request packet. If it doesn't have a
Framed-IP-Address attribute, FreeRADIUS can allocate & send one in an
Access-Accept. If openvpn re-authenticates a session with an existing
IP address, it should send Framed-IP-Address in the Access-Request.

Post by Thibault Le Meur
Do you know a standard Radius attribute that could be used for this ?
As far as you know, are there other NASes using such a quirk ? Does this
make sense ?

It makes sense.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thibault Le Meur

2007-03-20 17:42:03 UTC

Permalink

Thanks for your reply,

Post by Thibault Le Meur

Post by Thibault Le Meur
Openvpn sometimes needs to renegotiate the connections and

thus sends

Post by Thibault Le Meur
authentication requests while the connection is still

active (with an

Post by Thibault Le Meur
already assigned IP address): this causes FR to assign a new IP
address from the pool (which seems normal since FR has no

way to know

Post by Thibault Le Meur
this is a renegotiation).

So why isn't the radiusplugin telling FreeRADIUS what the
old IP address was?

Because It's still beta ;-), I can fix this

Post by Thibault Le Meur

Post by Thibault Le Meur
I'd like to patch the openvpn-radiusplugin so that an extra

attribute

Post by Thibault Le Meur
is sent in the Access-Accept packets so that FR will be able to
differentiate Initial and Renegociation Access-Accept requests and
only assign new IP address from the pool on Initial Access-Accept
requests.

I think you mean Access-Request packet.

Sorry for the mistake, I meant Access-Request of course

Post by Thibault Le Meur
If it doesn't have
a Framed-IP-Address attribute, FreeRADIUS can allocate & send
one in an Access-Accept.
If openvpn re-authenticates a
session with an existing IP address, it should send
Framed-IP-Address in the Access-Request.

I get you right, my patch may be as easy as to make radiusplugin add the
Framed-IP-Address attribute in the Access-Request packet with the already
assigned IP Address when it is a renegotiation.

Thanks a lot Alan.

Regards,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thibault Le Meur

2007-03-21 14:56:03 UTC

Permalink

Hi Alan,

Post by Thibault Le Meur

Post by Thibault Le Meur
I'd like to patch the openvpn-radiusplugin so that an extra

attribute

Post by Thibault Le Meur
is sent in the Access-Accept packets so that FR will be able to
differentiate Initial and Renegociation Access-Accept

requests and

Post by Thibault Le Meur

Post by Thibault Le Meur
only assign new IP address from the pool on Initial Access-Accept
requests.

I think you mean Access-Request packet.

Sorry for the mistake, I meant Access-Request of course

I get you right, my patch may be as easy as to make
radiusplugin add the Framed-IP-Address attribute in the
Access-Request packet with the already assigned IP Address
when it is a renegotiation.

I've patched the radiusplugin to add Framed-IP-Address to the re-auth
request but rlm_ippool still allocates a new IP Address (I'm using FR
1.1.4).

I can see this in radiusd -X:
modcall: entering group postauth.ovpn for request 3
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Allocating ip to nas/port: 192.168.1.1/1
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.168.1.1,port 1
modcall[post-auth]: module "Ovpn_Main_Pool" returns ok for request 3

Where:
* 192.168.1.1 is the NAS IP Address
* 10.1.1.1 is the IP address allocated at connection time
* 10.1.1.2 is the IP address allocated at re-authentication time

Maybe I didn't understand you well:
* Is rlm_ippool supposed to return NOOP if a Framed-IP-Address attribute is
present in the Request ?
OR
* is it up to me to bypass the rlm_ippool (by setting another
Post-Auth-Type) when a Re-Auth Request is performed (that is to say when a
Framed-IP-Address attribute is present in the Request) ?

Thanks in advance,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Alan DeKok

2007-03-21 15:32:14 UTC

Permalink

Post by Thibault Le Meur
I've patched the radiusplugin to add Framed-IP-Address to the re-auth
request but rlm_ippool still allocates a new IP Address (I'm using FR
1.1.4).

Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.

That would be very useful, and would solve the problem you're seeing.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thibault Le Meur

2007-03-21 15:57:13 UTC

Permalink

Post by Thibault Le Meur

Post by Thibault Le Meur
I've patched the radiusplugin to add Framed-IP-Address to

the re-auth

Post by Thibault Le Meur
request but rlm_ippool still allocates a new IP Address

(I'm using FR

Post by Thibault Le Meur
1.1.4).

Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.
That would be very useful, and would solve the problem
you're seeing.
Alan DeKok.

Do you mean updated (to 1.1.5) or patched ?

I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't
see any difference so I think the problem I'm seeing is still present in
1.1.5.

Regards,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Jan Mulders

2007-03-21 16:53:23 UTC

Permalink

I've been using OpenVPN + Ralf's Radiusplugin for several months and
recently moved away from server-side IP assignment. However, while I did use
it, I found that in my configuration FreeRADIUS only assigned new IPs when
the accounting for that user had stopped (ie, if it recieved a STOP packet).
This meant, that once I'd crashed the openvpn server 3 times with users on
it :-) there were many IP's who were 'lost' - their sessions had never
ended, hence the IP was never returned to the pool.

I was doing renegotiation every 20 minutes if I remember correctly, and the
freeradius replied with the same IP for the user time and time again. Hence,
I'm beginning to wonder if it's configuration-specific, because I didn't
have any problems.

Hope this helps,

Jan

Post by Thibault Le Meur

Post by Thibault Le Meur
I've patched the radiusplugin to add Framed-IP-Address to

the re-auth

Post by Thibault Le Meur
request but rlm_ippool still allocates a new IP Address

(I'm using FR

Post by Thibault Le Meur
1.1.4).

Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.
That would be very useful, and would solve the problem
you're seeing.
Alan DeKok.

Do you mean updated (to 1.1.5) or patched ?
I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't
see any difference so I think the problem I'm seeing is still present in
1.1.5.
Regards,
Thibault
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

Thibault Le Meur

2007-03-21 17:38:15 UTC

Permalink

<quote>
I've been using OpenVPN + Ralf's Radiusplugin for several months and
recently moved away from server-side IP assignment. However, while I did use
it, I found that in my configuration FreeRADIUS only assigned new IPs when
the accounting for that user had stopped (ie, if it recieved a STOP packet).
</quote>

Curious this is not what I see here ??
What is/was your FR server version ?

Anyway, Alan said that a 'good nas' should send the Framed-IP-Address in the
Access-Request if it has been already assigned one: this wasn't done by
radiusplugin, thus I think I'll keep the pacth.

<quote>
This meant, that once I'd crashed the openvpn server 3 times with users on
it :-) there were many IP's who were 'lost' - their sessions had never
ended, hence the IP was never returned to the pool.
</quote>

Sure, this is also true for my others NAS (pppd based), but they are quite
robust (I hope openvpn is/will be as robust ;-)).

<quote>
I was doing renegotiation every 20 minutes if I remember correctly, and the
freeradius replied with the same IP for the user time and time again.
</quote>

Interesting, what could explain that mine allocate new IP addresses each
time ?

Should rlm_ippool allocate the same IP for a NAS-IP/NAS-port couple if the
entry isn't cleaned from the pool ?

(Anyway, I think it's better to have FR not re-send Framed-IP-Address since
it would cause an unsuseful write to the client-config file from the
radiusplugin.)

<quote>
Hence, I'm beginning to wonder if it's configuration-specific, because I
didn't have any problems.
</quote>

I can trust you, but I don't know where to search for a setup mistake.

Does someone has an idea ?

Thanks in advance,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thibault Le Meur

2007-03-22 09:26:46 UTC

Permalink

Post by Thibault Le Meur

Post by Thibault Le Meur
I've patched the radiusplugin to add Framed-IP-Address to

the re-auth

Post by Thibault Le Meur
request but rlm_ippool still allocates a new IP Address

(I'm using FR

Post by Thibault Le Meur
1.1.4).

Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.
That would be very useful, and would solve the problem
you're seeing.
Alan DeKok.

Do you mean updated (to 1.1.5) or patched ?

Never mind I found the answer by looking at the code from rlm_ippool.c.

Currently, when an Access-Request arrives, rlm_ippool:
* looks in the pool for an 'active' entry (flagged as active) with the
key=NAS-IP/NAS-port
* If no entry is found
==> rlm_ippool allocates an @IP from the pool
* If an active entry is found
==> it is considered as a stale entry and is marked as not active
(active=0)
==> then a new IP is allocated

If rlm_ippool is 'updated' to take Framed-IP-Address into account what
shoudl be the behaviour ?

A simple patch would consist of doing nothing at Post-Auth time if the
request contains a Framed-IP-Address.

A more complex patch should handle several different cases and decide what
to do. For instance:
* when Access-Request is received, look for an active entry in the pool with
the search key NAS-IP/NAS-port
* If no entry is found
* If there is No Framed-IP-Address attribute in the Request
==> allocate a new @IP from the pool
* If there is a Framed-IP-Address attribute in the Request
* If the Framed-IP-Address belongs to the IP-range of the pool (but it
is not assigned to this NAS-IP/NAS-port)
==> then issue a warning log (especially if this IP is allocated to an
active entry for another NAS-IP/NAS-port)
==> do not allocate a new @IP ??? (Or should we enforce a new IP,
without beeing sure the NAS will be able to use it ?)
* If the Framed-IP-Address doesn't belong to the IP-range of the pool
==> do not allocate a new @IP
* If an entry is found (there is already an allocated @IP for this
NAS-IP/NAS-port)
* If there is a Framed-IP-Address attribute in the Request
* If this Framed-IP-Address is the same as the allocated IP from the
entry found
==> then do nothing (no stale marking, no new @IP allocation)
* If this Framed-IP-Address is NOT the same as the allocated IP from the
entry found
==> then mark the current entry as staled (active=0)
==> report an error in the log because something went wrong
(especially if the Framed-IP-Address received is allocated to another
NAS-IP/NAS-port entry in the pool)
==> do not allocate a new @IP
* If there is No Framed-IP-Address attribute in the Request
==> then mark the current entry as staled (active=0)
==> allocate a new @IP

What do you think ?

Is it already done in current developpement tree ?

Regards,
Thibault Le Meur

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thibault Le Meur

2007-03-22 11:22:18 UTC

Permalink

Post by Thibault Le Meur

Post by Thibault Le Meur
I've patched the radiusplugin to add Framed-IP-Address to

the re-auth

Post by Thibault Le Meur
request but rlm_ippool still allocates a new IP Address

(I'm using FR

Post by Thibault Le Meur
1.1.4).

Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.
That would be very useful, and would solve the problem
you're seeing.
Alan DeKok.

For those interested in an interim solution, here is a workaround:

1- make sure your NAS sends a Framed-IP-Address attribute in the
Access-Request when a re-authentication is performed (that is to say for
openvpn, use a patched version of radiusplugin)

2- Setup 2 Post-Auth-Types in the post-auth section:

Post-Auth-Type postauth.ovpn {
Ovpn_Main_Pool
reply_log
}

Post-Auth-Type postauth.ovpn.reauth {
reply_log
}

3- in the users file (for instance) dispatch incomming Access-Requests based
on the presence of the Framed-IP-Address attribute:

DEFAULT Framed-IP-Address !* Any, Huntgroup-Name == srvs-vpn-ovpn,
Post-Auth-type := postauth.ovpn
Fall-Through = no

DEFAULT Framed-IP-Address =* Any, Huntgroup-Name == srvs-vpn-ovpn,
Post-Auth-type := postauth.ovpn.reauth
Fall-Through = no

Thanks Alan for your help,

Regards,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Continue reading on narkive:

Search results for 'IP Pool management and Re-authentication' (Questions and Answers)

replies

bsnl webhosting plans??

started 2009-01-20 23:14:24 UTC

computer networking

replies

How do I change my ip address.. and how do I reset my network adapter?

started 2007-11-26 01:24:04 UTC

computer networking

replies

what is this core layers & what is diffrenece between ISA server2004 and 2007?