AW: (RADIATOR) Assign IP

Hugh Irvine hugh at open.com.au
Wed Feb 22 17:34:06 CST 2006 

Hello Martin -

Many thanks for your most thoughtful discussion.

I agree that multiple named pools on the NAS equipment is the  
preferred approach.

regards

Hugh


On 23 Feb 2006, at 10:20, Martin Wallner wrote:

> David,
>
> assigning dynamic IP through RADIUS is a tricky business... It  
> would be easier to give the users standard IP's via their login and  
> route them through the network or use local pools for usergroups on  
> the NAS. Believe me. There is a way around this MOST UGLY way to  
> deal out addresses, even if it don't look like it yet when you look  
> at your project...
>
> The thing with direct allocation from RADIUS is, that you are  
> getting too dependend on the functioning of the RADIUS server, it  
> also has to track and update the ip-allocation table and the  
> radonline table, to remove and reuse IP's. One single lost request  
> series can bring the database out of sync with the real situation,  
> and you can become 'stuck' dynamic IP-Adresses (a) on RADIUS side,  
> which would bring up the nice problem that it might be put out  
> twice, (b) on NAS side, where the IP is still in use, and the  
> RADIUS is happily giving it out to the next one... and you have (a)  
> Situation...You/RADIUS has to track the availiability of the NAS 
> (es) and deal with it accordingly.
>
> To clean up such stuck IP-Adresses you normally need to clean up  
> the database (which means that you open the database, look after  
> the IP, and have to look up all the NASes where it could be used  
> and clear the connection). After the 5th or 10th IP you are  
> checking so, you have to go up to top and do it again, because you  
> still don't know... so you normally end up with a complete reset of  
> the pool database and you just kick all users out from the NAS to  
> restart the IP allocation process...
>
> I inherited such a system (with steelbelted radius) when we took  
> over a company, and it was FASCINATING to see how the support and  
> cc-people hammered on the databases at least once a week, to clean  
> up stuck addresses, while trying to calm down customers, who could  
> connect, but couldn't do anything (because the NAS(es) did a 'load  
> balancing' between two different users... :-/)
>
> Even before I could finally implement something useful (RADIATOR)  
> on this POS, I removed the dammned Dynamic Allocation by Radius  
> from the old system and implemented local default pools directly on  
> the NAS.... MUCH better, I was the hero of support and cc (for a  
> day :-), and since then this works like a charm...
>
> 2 Possible workarounds (straight from my head and without knowing  
> your case) instead dynamic allocation per RADIUS:
> a) static IP's, given out for users who ARE moving from one NAS to  
> another (and let whatever IGProuting you are using in your  
> infrastructure do the rest), directly brought in in the user  
> database on a per user base ....
> b) local named pools on the NAS .. RADIATOR generates the av-pairs  
> necessery for the user who requests access, so that the NAS just  
> dynamically gives out of the pool he got instructed to by RADIUS  
> (that needs a unique pool of adresses on each router per group and  
> uses a bit more ip-adresses this way, but you can finetune it).  
> brought in into the user (group?) database... and you can avoid  
> dynamic routing with this, when it's not available on some/all NAS...
>
> Martin
>
>
>
> Von: owner-radiator at open.com.au im Auftrag von David Felipe Rios Rojas
> Gesendet: Mi 22.02.2006 21:31
> An: radiator at open.com.au
> Betreff: (RADIATOR) Assign IP
>
> Hello.
>
> Radiator has successful finished first test; it authenticates and
> replay connection attributes to RAS.
> Now I want to make it more complex: Several RAS must not assign
> dynamic IP, so Radiator should do it; I've read Reference Manual
> but I don't see information about this; how could I do it?
> This can not be a general feature because some RAS _must_ assign
> dynamic IP and Radiator should not; that's depending of RAS IP
> address.
>
> Regards,
>
> --
> David Rios R.
> Equipo Ingenieria de Desarrollo
> Unidad Gestión Tecnológica
> Empresas Publicas de Medellin
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list