RADIUS server IP pool configuration

With the RADIUS server you can assign an IP address dynamically from an IP address pool.

IP address allocation is part of the authorization process and is done after authentication. The system administrator must assign a unique IP per user. To provide the user with an IP address dynamically, the RADIUS server provides three options:

  • Framed Pool Attribute
  • Using the Vendor Specific Attribute
  • RADIUS Server Side IP pooling

Framed Pool Attribute

The IP pool poolname must be defined on the Network Access Server (NAS). The NAS must be RFC2869-compliant for the RADIUS server to send a Framed-Pool attribute (attribute type 88) in an Access-Accept packet. The system administrator must configure the NAS and update the authorization attributes for the user by including the Framed-Pool attribute in either the global default.auth file or the user.auth file on the RADIUS server. The dictionary file in the RADIUS server includes this attribute:

ATTRIBUTE    Framed-Pool    88       string

If the NAS cannot use multiple address pools, the NAS ignores this attribute. The address pool on the NAS contains a list of IP addresses. The NAS dynamically picks one of the IP addresses defined in the specified pool and assigns it to the user.

Vendor Specific Attributes

Some independent software vendors (ISV) cannot use the Framed-Pool attribute, but do have the ability to define IP address pools. The RADIUS server can utilize these address pools by using the Vendor-Specific Attribute (VSA) model. For example, a Cisco NAS provides an attribute called Cisco-AVPair. The dictionary file in the RADIUS server includes this attribute:

VENDOR     Cisco           9
ATTRIBUTE  Cisco-AVPair    1       string

When the NAS sends an Access-Request packet, it includes this attribute with Cisco-AVPair="ip:addr-pool=poolname", where poolname is the name of the address pool defined on the NAS. After the request is authenticated and authorized, the RADIUS server returns the attribute in the Access-Accept packet. The NAS can then use the defined pool to allocate the IP address to the user. The system administrator must configure the NAS and update the authorization attributes for the user by including the VSA attribute in either the global default.auth file or the user.auth file on the RADIUS server.
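The two attribute encodings above, as an added example that is not part of the original page or the AIX RADIUS server code: it builds the Framed-Pool (type 88) and Cisco-AVPair (Vendor-Specific type 26, vendor 9, sub-type 1) attributes with the RFC 2865 Type/Length/Value layout, parses them back with bounds checks, and extracts the pool name a NAS would act on. The pool names are taken from this page's examples; the function names are the author's own.

```python
import struct

FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, FRAMED_POOL = 8, 26, 88
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # VENDOR Cisco 9 / ATTRIBUTE Cisco-AVPair 1 (dictionary)

def encode_attr(attr_type, value):
    """RFC 2865 attribute: Type(1) Length(1) Value; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_framed_pool(poolname):
    return encode_attr(FRAMED_POOL, poolname.encode())

def encode_cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) value."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def decode_attrs(data):
    """Walk the attribute list, returning (type, value) or ("vsa", vendor, subtype, value).
    Every length field is bounds-checked so a malformed packet raises instead of mis-parsing."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack_from("!BB", data, off)
        if ln < 2 or off + ln > len(data):
            raise ValueError("bad attribute length")
        value = data[off + 2:off + ln]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor, vt, vl = struct.unpack_from("!IBB", value)
            if vl < 2 or 4 + vl > len(value):
                raise ValueError("bad VSA sub-attribute length")
            out.append(("vsa", vendor, vt, value[6:4 + vl]))
        else:
            out.append((t, value))
        off += ln
    return out

def pool_from_accept(data):
    """Pool name the NAS would use: Framed-Pool, or ip:addr-pool= inside a Cisco-AVPair."""
    for a in decode_attrs(data):
        if a[0] == FRAMED_POOL:
            return a[1].decode()
        if a[0] == "vsa" and a[1] == VENDOR_CISCO and a[2] == CISCO_AVPAIR:
            text = a[3].decode()
            if text.startswith("ip:addr-pool="):
                return text[len("ip:addr-pool="):]
    return None
```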

Radius Server Side IP Pooling

The RADIUS server can be configured to generate an IP address from a pool of IP addresses. The IP address is returned in the Framed-IP-Address attribute of the Access-Accept packet.

The system administrator can define a pool of IP addresses using the SMIT interface. The addresses are maintained in the /etc/radius/ippool_def file. Poolnames are defined in the /etc/radius/clients file. The system administrator must also configure the NAS-Port number. The RADIUS server daemon uses information from the /etc/radius/clients and /etc/radius/ippool_def files to create data files. Once the daemon starts, the system administrator cannot change or add the poolnames or IP address ranges until the RADIUS server daemons have stopped.

When the RADIUS server daemon is started, it reads the configuration file (/etc/radius/radius.conf) and, if IP allocation is enabled (Enable_IP_Pooling=YES), sets the global IP allocation flag (IP_pool_flag) to On. The daemon then checks whether the poolname.data file exists. If it does, it reads the file and keeps that information in shared memory. It then updates the file and shared memory based on the requests coming in from the clients. If the file does not exist, the daemon creates a new file using information from the /etc/radius/clients and /etc/radius/ippool_def files. The poolname.data file has a maximum size limit of 256 MB (AIX® segment size limit). If the poolname.data file is more than 256 MB, the RADIUS server logs an error message and exits.

The daemon gets IP-pool details from the /etc/radius/ippool_def file and maintains a table of IP addresses for each pool name in shared memory. The table has entries for NAS-IP-address, NAS-port and IN USE flag. The daemon maintains a hash table that is keyed by the NAS-IP and NAS-port. When requests come in from multiple users, UDP queues the requests, and the daemon retrieves the NAS-IP and NAS-port data from each request. Using that information, it checks whether a poolname has been defined for that NAS against the information read from the /etc/radius/clients file.

The daemon attempts to get an unused address from the pool. If an unused address is available, it is marked as "in use" with the requesting NAS-IP and NAS-port, and is returned to the RADIUS server. The daemon puts the IP address into the Framed-IP-Address attribute, which is returned to the NAS in the Access-Accept packet. The poolname.data file is also updated to stay in sync with the information in shared memory.

If the pool does not exist, or exists but has no more unused addresses, an error is returned to the RADIUS server. The error "Could not allocate IP address" is logged in the log file and an Access-Reject packet is sent to the NAS by the RADIUS server.

The error codes are:

  • NOT_POOLED – There is no pool defined for the nas_ip.
  • POOL_EXHAUSTED – The pool is defined for the nas_ip, but all of the addresses in the pool are currently in use.

When the authentication request comes from a NAS and NAS-port combination that already has an IP address allocated, the daemon returns the previous allocation to the pool by setting the IN USE flag to Off and clearing the NAS-IP-address and NAS-port entries in the table. It then allocates a new IP address from the pool.

The IP address is also returned to the pool when the RADIUS server receives an Accounting-Stop packet from the NAS. The Accounting-Stop packet must contain the NAS-IP-address and NAS-port entries. The daemon accesses the ippool_mem file for the following cases:

  • A request comes in to get a new IP address. The daemon sets the IN USE flag to true.
  • An Accounting-Stop packet is received. The daemon releases the IP address by setting the IN USE flag to false.

In each case, the shared memory system calls ensure that the data in shared memory and the poolname.data files are in sync. The system administrator can turn IP allocation ON or OFF using the Enable_IP_Pooling parameter in the RADIUS server configuration file (radiusd.conf). This is useful in cases where the system administrator has an assigned IP address in either the global default.auth or user.auth file. To use that assigned IP address, the system administrator must set Enable_IP_Pooling=NO.

An example of an /etc/radius/ippool_def file created through SMIT:

Pool Name   Start Range     End Range
Floor5      192.165.1.1     192.165.1.125
Floor6      192.165.1.200   192.165.1.253

The following is an example of an /etc/radius/clients file created through SMIT:

NAS-IP      Shared Secret   Pool Name
1.2.3.4     Secret1         Floor5
1.2.3.5     Secret2         Floor6
1.2.3.6     Secret3         Floor5
1.2.3.7     Secret4
In the example above for the NAS-IP-Address 1.2.3.7, the pool name is blank. In this case, IP pooling is not done for this NAS (even if the global IP_pool_flag = True). When the Access-Request packet comes in, the RADIUS server does the authentication and authorization. If successful, it sends the static IP address defined in the request, or from the global default.auth file or user.auth file, in the Access-Accept packet. In this case, the NAS-Port attribute is not required.

If IP pooling is True and the system administrator has also defined a static IP address, either in the global default.auth or user.auth file or in the Access-Request packet, the RADIUS server replaces that IP address with the IP address allocated from the pool name defined for that NAS. If all IP addresses in the pool are in use, the server logs the error (pool is full) and sends an Access-Reject packet; the static IP address defined in the auth files is ignored even in that case.

If IP pooling is True and a valid pool name is defined for the NAS, and an Access-Request packet comes in from that NAS-IP without a NAS-Port attribute, the server sends an Access-Reject packet.
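The allocation rules described above (pool lookup by NAS-IP, the NOT_POOLED and POOL_EXHAUSTED errors, re-allocation when the same NAS/NAS-Port asks again, release on Accounting-Stop, static address when the pool name is blank, and rejection of a pooled NAS that omits NAS-Port), as an added model that is not the AIX daemon's code: it keeps a per-address row of NAS-IP, NAS-Port and IN USE like poolname.data plus a (NAS-IP, NAS-Port) index, and is seeded with the ippool_def and clients examples from this page. Class and function names are the author's own.

```python
import ipaddress

NOT_POOLED, POOL_EXHAUSTED = "NOT_POOLED", "POOL_EXHAUSTED"
# Constructed from the ippool_def and clients examples on this page.
IPPOOL_DEF = {"Floor5": ("192.165.1.1", "192.165.1.125"),
              "Floor6": ("192.165.1.200", "192.165.1.253")}
CLIENTS = {"1.2.3.4": "Floor5", "1.2.3.5": "Floor6", "1.2.3.6": "Floor5", "1.2.3.7": ""}

class IpPoolDaemon:
    """One row per address (NAS-IP, NAS-Port, IN USE) as in poolname.data,
    plus the (NAS-IP, NAS-Port) index the daemon keeps in shared memory."""
    def __init__(self, pools, clients):
        self.clients = clients
        self.table = {}   # pool name -> {ip: [nas_ip, nas_port, in_use]}
        self.by_nas = {}  # (nas_ip, nas_port) -> (pool name, ip)
        for name, (start, end) in pools.items():
            first, last = (int(ipaddress.IPv4Address(x)) for x in (start, end))
            self.table[name] = {str(ipaddress.IPv4Address(i)): ["", 0, 0]
                                for i in range(first, last + 1)}

    def release(self, nas_ip, nas_port):
        # Accounting-Stop: set IN USE to 0 and clear NAS-IP / NAS-Port on the row.
        lease = self.by_nas.pop((nas_ip, nas_port), None)
        if lease:
            self.table[lease[0]][lease[1]] = ["", 0, 0]
        return lease[1] if lease else None

    def allocate(self, nas_ip, nas_port):
        # Returns ("ok", ip) or ("error", NOT_POOLED | POOL_EXHAUSTED).
        pool = self.clients.get(nas_ip, "")
        if not pool:
            return ("error", NOT_POOLED)
        self.release(nas_ip, nas_port)  # repeat request from same NAS/port frees the old lease
        for ip, row in self.table[pool].items():
            if row[2] == 0:
                row[:] = [nas_ip, nas_port, 1]
                self.by_nas[(nas_ip, nas_port)] = (pool, ip)
                return ("ok", ip)
        return ("error", POOL_EXHAUSTED)

def authorize(daemon, nas_ip, nas_port, static_ip=None):
    """Authorization after a successful authentication: blank pool name -> static
    address (NAS-Port optional); pooled NAS without NAS-Port -> reject; pooled
    NAS -> pool address replaces any static one; full pool -> reject."""
    if daemon.clients.get(nas_ip, "") == "":
        return ("Access-Accept", static_ip)
    if nas_port is None:
        return ("Access-Reject", "NAS-Port missing")
    status, result = daemon.allocate(nas_ip, nas_port)
    if status == "error":
        return ("Access-Reject", "Could not allocate IP address (%s)" % result)
    return ("Access-Accept", result)
```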

The following is an example of the Floor5.data file created by the daemon:

IP Address      NAS-IP    NAS-Port   In Use
192.165.1.1     1.2.3.4   2          1
192.165.1.2     1.2.3.4   3          0
...             ...       ...        ...
192.165.1.124   1.2.3.6   1          1
192.165.1.125   1.2.3.6   6          1

The following is an example of the Floor6.data file created by the daemon:

IP Address      NAS-IP    NAS-Port   In Use
192.165.1.200   1.2.3.4   1          1
192.165.1.201   1.2.3.4   4          1
...             ...       ...        ...
192.165.1.252   1.2.3.4   5          0
192.165.1.253   1.2.3.4   6          1
When it is necessary to release all allocated IP addresses for a specified NAS (for example, when a NAS stops), it might also be necessary to release all the IP addresses from all the pools to initialize the poolname.data file. The system administrator can do this with the following SMIT menu actions:

  • Clear IP Pool for a Client
  • Clear entire IP Pool

SMIT Panels for IP Pool

In Client Configuration, Add a Client, you can enter the optional Pool Name. The name can be a maximum of 64 characters. When the Pool Name is blank, IP pooling is not done and the RADIUS server assigns the IP address defined by the system administrator through the Framed-IP-Address authorization attribute.

When IP Pool is selected, the following options display:

  • List all IP Pools
  • Create an IP Pool
  • Change/Show Characteristics of an IP Pool
  • Delete an IP Pool
  • Clear IP Pool for a Client
  • Clear entire IP Pool

List all IP Pools: Use this option to list the Pool Name, Start Range IP address and Stop Range IP address.

Create an IP Pool: Use this option to add the pool name, start range, and end range. This data is appended to the bottom of the ippool_def file. Checks are made to ensure there are no duplicate pool names and that the IP address ranges are disjoint. This action can only be performed when the RADIUS server daemons are not running.

Change/Show Characteristics of an IP Pool: This option shows a list of the pool names in a pop-up panel. From this panel, you must select a specific pool name. When you select a pool name, a panel with the selected name displays. When you press Enter, the data for that pool name is updated in the ippool_def file. This action can only be performed when the RADIUS server daemons are not running.

Delete an IP Pool: Selecting this option displays a list of pool names that you can select. When you select the pool name, the Are You Sure pop-up panel displays to provide a confirmation before the selected pool name is deleted. The rmippool script is invoked to delete the selected pool name from the ippool_def file. This action can only be performed when the RADIUS server daemons are not running.

Clear IP Pool for a Client: This option sets the IN-USE entry to 0 for the IP addresses that belong to the NAS, which means that all IP addresses for this NAS are now available. This action can only be performed when the RADIUS server daemons are not running.

Clear Entire IP Pool: When this option is selected, an Are You Sure pop-up panel displays to provide a confirmation before the entire ippool_mem file is cleared. This action can only be performed when the RADIUS server daemons are not running.