On Monday, 30.05.2005, 19:49 +0000, Ralf Lübben wrote:
> I have still one question about the NAS-Port attribute. At the moment the
> port number is incremented for every user, but never decremented.
> Will this be a problem with freeradius? Must the number be in a special
> range, maybe for assignment?

This will not be a problem for freeradius. But this has drawbacks. The problem is that if the VPN Server crashes or the Radius server doesn't get any stop record (remember that radius is based on UDP), the server will *never* free the IP addresses handed out to the client. If you reuse the old Nas-Port Ids, which get free when a client disconnects, the server will free the resource (the IP) and will hand out the IP to new users. Otherwise it would be blocked forever.

An example with increasing Nas-Port:

Freeradius has a pool of 6 IPs (a.b.c.10-a.b.c.16)

Client 1 connects gets Nas-Port 1 IP a.b.c.10
Client 2 connects gets Nas-Port 2 IP a.b.c.11
Client 3 connects gets Nas-Port 3 IP a.b.c.13
Client 4 connects gets Nas-Port 4 IP a.b.c.14
Client 5 connects gets Nas-Port 5 IP a.b.c.15

Now the communication between the OpenVPN server and the radius server is broken for some reason. Client 1-4 disconnect. After that happened, communication is restored. IPs a.b.c.10-a.b.c.15 are marked as used by clients.

Client 6 connects gets Nas-Port 6 IP a.b.c.16

Everything OK, but now if another client connects:

Client 7 tries to connect and gets Nas-Port 7. On the radius server side all IPs are marked in-use.

An example without increasing Nas-Port:

Freeradius has a pool of 6 IPs (a.b.c.10-a.b.c.16)

Client 1 connects gets Nas-Port 1 IP a.b.c.10
Client 2 connects gets Nas-Port 2 IP a.b.c.11
Client 3 connects gets Nas-Port 3 IP a.b.c.13
Client 4 connects gets Nas-Port 4 IP a.b.c.14
Client 5 connects gets Nas-Port 5 IP a.b.c.15

Now the communication between the OpenVPN server and the radius server is broken for some reason. Client 1-4 disconnect. After that happened, communication is restored. IPs a.b.c.10-a.b.c.15 are marked as used by clients.

Client 6 connects gets Nas-Port *1* IP a.b.c.16 (Nas-Port 1 is again free since Client 1 disconnected)

Client 7 tries to connect and gets Nas-Port 2.

Client 7 connects gets Nas-Port 2 IP a.b.c.11

So everything is OK.

-- Torge Szczepanek <openvpn-de...@szczepanek.de>
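
The two scenarios in the message above, as an added Python model that is not part of the original e-mail and is not FreeRADIUS or OpenVPN code. It assumes a pool that keys each lease by NAS-Port and drops a stale lease when the same port shows up again; the class and function names are hypothetical, and the address labels are the ones used in the message.

```python
POOL = ["a.b.c.10", "a.b.c.11", "a.b.c.13", "a.b.c.14", "a.b.c.15", "a.b.c.16"]

class IPPool:
    """Toy address pool keyed by NAS-Port (assumed model, not FreeRADIUS code)."""
    def __init__(self, addresses):
        self.free = list(addresses)
        self.leases = {}                      # nas_port -> leased address

    def allocate(self, nas_port):
        stale = self.leases.pop(nas_port, None)
        if stale is not None:                 # same port seen again: old lease is dead
            self.free.append(stale)
        if not self.free:
            return None                       # pool exhausted, client gets no address
        self.leases[nas_port] = self.free.pop(0)
        return self.leases[nas_port]

    def release(self, nas_port):              # what an accounting stop record triggers
        if nas_port in self.leases:
            self.free.append(self.leases.pop(nas_port))

class Nas:
    """Hypothetical VPN server side: hands out NAS-Port numbers to sessions."""
    def __init__(self, reuse_ports):
        self.reuse_ports, self.counter, self.active = reuse_ports, 0, set()

    def connect(self):
        if self.reuse_ports:                  # lowest port not held by a live session
            port = next(p for p in range(1, len(self.active) + 2) if p not in self.active)
        else:                                 # increment only, never reuse
            self.counter += 1
            port = self.counter
        self.active.add(port)
        return port

def simulate(reuse_ports, stops_lost=True):
    pool, nas, seen = IPPool(POOL), Nas(reuse_ports), {}
    for client in range(1, 6):                # clients 1-5 connect
        port = nas.connect()
        seen[client] = (port, pool.allocate(port))
    for client in range(1, 5):                # clients 1-4 disconnect
        port = seen[client][0]
        nas.active.discard(port)
        if not stops_lost:                    # stop record only arrives if the link is up
            pool.release(port)
    for client in (6, 7):                     # link restored, two new clients
        port = nas.connect()
        seen[client] = (port, pool.allocate(port))
    return seen

if __name__ == "__main__":
    for reuse in (False, True):
        print("reuse ports:", reuse, simulate(reuse))
```

With `stops_lost=False` the increasing scheme also serves client 7, which shows that the exhaustion comes from the lost stop records and that reusing ports is what recovers from them.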