Nathan Ward wrote 2021-08-10 20:53:

Yeah the FreeRADIUS docs are hard to navigate - but getting better.

You want to look in the example configs. Start from an understanding
of what you want the RADIUS messages to have in them. You can do this
with just a static Users file in your test environment with just one
subscriber, and then look at moving that in to sqlippool or similar,
with whatever logic you need to get those attributes in to the right
place. Framed-IP-Address obviously, but maybe also Framed-IP-Netmask
etc. - better to experiment with the attributes and get them right
without the sqlippool complexity.

https://wiki.freeradius.org/modules/Rlm_sqlippool This is alright (it
appears outdated on the surface, but is up to date I think)
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/sqlippool
This is the example config and has some more detail than the above.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-config/sql/ippool/postgresql/queries.conf
This is useful to understand some of the internals


Thanks for the links. I'm pretty well familiar with the RADIUS users file syntax, but the FreeRADIUS module calls puzzle me a little.


A good setup for IPv4 DHCP relay is:

lo0 addresses on BNG-1
192.168.0.1/32 - use as giaddr
10.0.0.1/32
10.0.1.1/32
10.0.2.1/32
10.0.3.1/32

lo0 addresses on BNG-2
192.168.0.2/32 - use as giaddr
10.0.0.1/32
10.0.1.1/32
10.0.2.1/32
10.0.3.1/32

DHCP server:
Single shared network over all these subnets:
Subnet 192.168.0.0/24 - i.e. covering giaddrs
  No pool
Subnet 10.0.0.0/24
  pool 10.0.0.2-254
Subnet 10.0.1.0/24
  pool 10.0.1.2-254
Subnet 10.0.2.0/24
  pool 10.0.2.2-254
Subnet 10.0.3.0/24
  pool 10.0.3.2-254

This causes your giaddrs to be in the shared network with the subnets
you want to assign addresses from (i.e. the ones with pools), so the
DHCP server can match them up, but, with no pool in the 192.168.0.0/24
subnet you don’t assign addresses out of that network.

Otherwise you have to have a unique /32 for each BNG in each subnet
and you burn lots of addresses that way.

How is a potential IP conflict handled in this case if the BNGs are connected to the switched LAN segment? In my case, with a VLAN per customer, it can happen that a client requests a lease and gets replies from the same IP but different MACs. The BNGs can also see each other and report an IP conflict.

Kind regards,

Andrey
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
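The shared-network layout Nathan describes above (giaddr subnet without a pool, address subnets with pools, both BNGs' giaddrs landing in the same shared network) can be modelled to see why no address is ever handed out of 192.168.0.0/24. The following is an added example written for this thread, not code from the post or from any DHCP server; the class names, the `handle_discover` entry point and the client identifiers are constructed, while the subnets and pool ranges are the ones quoted above.

```python
# Added example (not from the mailing-list thread): models how a DHCP server
# picks a shared network from the relay agent's giaddr and then allocates only
# from subnets that carry a pool. Subnet/pool values come from the quoted post;
# client identifiers used in tests are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    network: ipaddress.IPv4Network
    pool: list  # IPv4Address entries; empty when the subnet has no pool


@dataclass
class SharedNetwork:
    name: str
    subnets: list
    leases: dict = field(default_factory=dict)  # client-id -> IPv4Address

    def contains(self, addr):
        """True if addr (e.g. a giaddr) falls in any subnet of this shared network."""
        return any(addr in s.network for s in self.subnets)

    def allocate(self, client_id):
        """Return the client's existing lease, or the first free pooled address."""
        if client_id in self.leases:
            return str(self.leases[client_id])  # renewal: same address again
        in_use = set(self.leases.values())
        for subnet in self.subnets:
            # A subnet with an empty pool (the giaddr subnet) is skipped here,
            # which is exactly why no 192.168.0.x address is ever assigned.
            for candidate in subnet.pool:
                if candidate not in in_use:
                    self.leases[client_id] = candidate
                    return str(candidate)
        return None  # every pool exhausted

    def leases_in(self, cidr):
        """Count current leases that fall inside the given CIDR string."""
        net = ipaddress.ip_network(cidr)
        return sum(1 for a in self.leases.values() if a in net)


def make_pool(network, first_host=2, last_host=254):
    """Pool covering first_host..last_host of a /24, as in 'pool 10.0.0.2-254'."""
    base = int(network.network_address)
    return [h for h in network.hosts() if first_host <= int(h) - base <= last_host]


def build_shared_network():
    """The layout from the post: giaddr subnet with no pool plus four pooled /24s."""
    giaddr_subnet = Subnet(ipaddress.ip_network("192.168.0.0/24"), pool=[])
    pooled = [
        Subnet(n, make_pool(n))
        for n in map(ipaddress.ip_network,
                     ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"])
    ]
    return SharedNetwork("bng-subscribers", [giaddr_subnet] + pooled)


def select_shared_network(shared_networks, giaddr):
    """Shared-network selection keyed on the relay's giaddr."""
    giaddr = ipaddress.ip_address(giaddr)
    for sn in shared_networks:
        if sn.contains(giaddr):
            return sn
    return None


def handle_discover(shared_networks, giaddr, client_id):
    """DISCOVER handling: giaddr -> shared network -> pooled address, or None."""
    sn = select_shared_network(shared_networks, giaddr)
    if sn is None:
        return None  # relay from an unknown giaddr: nothing to offer
    return sn.allocate(client_id)


if __name__ == "__main__":
    nets = [build_shared_network()]
    print(handle_discover(nets, "192.168.0.1", "client-via-bng1"))  # BNG-1 giaddr
    print(handle_discover(nets, "192.168.0.2", "client-via-bng2"))  # BNG-2 giaddr
    print(nets[0].leases_in("192.168.0.0/24"))  # giaddr subnet never used
```

Relays from either BNG (giaddr 192.168.0.1 or 192.168.0.2) resolve to the same shared network, so both draw from the same four pools, and the giaddr subnet contributes no addresses because its pool is empty. The model hands out addresses in pool order and does not implement conflict detection, so it says nothing about the duplicate-reply question raised in the reply above.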