
Re: [Openvpn-devel] Re: Re: Radius support (Authentification, Authorization and Accounting)


  • Subject: Re: [Openvpn-devel] Re: Re: Radius support (Authentification, Authorization and Accounting)
  • From: Torge Szczepanek <openvpn-devel@xxxxxxxxxxxxx>
  • Date: Tue, 31 May 2005 09:29:26 +0200

On Monday, 30.05.2005, 19:49 +0000, Ralf Lübben wrote:

> I have still one question about the NAS-Port attribute. At the moment the
> port number is incremented for every user, but never decremented.
> Will this be a problem with freeradius? Must the number be in a special
> range, maybe for assignment?

This will not be a problem for freeradius. But this has drawbacks. The
problem is that if the VPN server crashes or the radius server doesn't
get any stop record (remember that radius is based on UDP), the server
will *never* free the IP addresses handed out to the client.

If you reuse the old Nas-Port IDs, which become free when a client
disconnects, the server will free the resource (the IP) and will hand
out the IP to new users. Otherwise it would be blocked forever.

An example with increasing Nas-Port:

Freeradius has a pool of 6 IPs (a.b.c.10-a.b.c.16)

Client 1 connects gets Nas-Port 1 IP a.b.c.10
Client 2 connects gets Nas-Port 2 IP a.b.c.11
Client 3 connects gets Nas-Port 3 IP a.b.c.13
Client 4 connects gets Nas-Port 4 IP a.b.c.14
Client 5 connects gets Nas-Port 5 IP a.b.c.15

Now the communication between the OpenVPN server and the radius server
is broken for some reason. Client 1-4 disconnect.

After that happened communication is restored. IPs a.b.c.10-a.b.c.15 are
marked as used by clients.

Client 6 connects gets Nas-Port 6 IP a.b.c.16

Everything OK, but now if another client connects:

Client 7 tries to connect and gets Nas-Port 7. On the radius server side
all IPs are marked in-use.


An example without increasing Nas-Port:

Freeradius has a pool of 6 IPs (a.b.c.10-a.b.c.16)

Client 1 connects gets Nas-Port 1 IP a.b.c.10
Client 2 connects gets Nas-Port 2 IP a.b.c.11
Client 3 connects gets Nas-Port 3 IP a.b.c.13
Client 4 connects gets Nas-Port 4 IP a.b.c.14
Client 5 connects gets Nas-Port 5 IP a.b.c.15

Now the communication between the OpenVPN server and the radius server
is broken for some reason. Client 1-4 disconnect.

After that happened communication is restored. IPs a.b.c.10-a.b.c.15 are
marked as used by clients.

Client 6 connects gets Nas-Port *1* IP a.b.c.16 

(Nas-Port 1 is again free since Client 1 disconnected)

Client 7 tries to connect and gets Nas-Port 2. 

Client 7 connects gets Nas-Port 2 IP a.b.c.11

So everything is OK.

-- 
Torge Szczepanek <openvpn-devel@xxxxxxxxxxxxx>
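The two scenarios in the mail above, replayed as an added Python simulation; this is not code from the OpenVPN RADIUS plugin or from freeradius. It assumes a pool of six addresses a.b.c.10 to a.b.c.15, that the RADIUS side keys its leases by NAS-Port, and that an Accounting-Start for a port whose lease is still open supersedes that stale lease.

```python
# Added simulation, not OpenVPN or freeradius code. Assumption: the RADIUS
# pool keys leases by NAS-Port and a Start on a busy port reclaims its lease.
class RadiusPool:
    """Minimal IP pool keyed by NAS-Port: the RADIUS server's view."""
    def __init__(self, ips):
        self.free, self.leases = list(ips), {}   # leases: nas_port -> ip
    def acct_start(self, nas_port):
        self.acct_stop(nas_port)    # port still busy => its Stop was lost
        if not self.free:
            return None             # pool exhausted: client is rejected
        ip = self.free.pop(0)
        self.leases[nas_port] = ip
        return ip
    def acct_stop(self, nas_port):
        ip = self.leases.pop(nas_port, None)
        if ip is not None:
            self.free.append(ip)

class OpenVpnNas:
    """NAS side: reuse=False is the ever-increasing counter, True recycles freed ports."""
    def __init__(self, pool, reuse):
        self.pool, self.reuse = pool, reuse
        self.next_port, self.free_ports, self.active = 1, [], {}
    def connect(self, client):
        if self.reuse and self.free_ports:
            port = self.free_ports.pop(0)
        else:
            port, self.next_port = self.next_port, self.next_port + 1
        ip = self.pool.acct_start(port)
        if ip is not None:
            self.active[client] = port
        return ip
    def disconnect(self, client, stop_delivered=True):
        port = self.active.pop(client)
        if stop_delivered:          # False models a lost Accounting-Stop (UDP)
            self.pool.acct_stop(port)
        self.free_ports.append(port)    # the NAS itself knows the port is free

def run_scenario(reuse):
    """Replay the mail's scenario: (IP of client 6, IP of client 7, leases held, clients online)."""
    pool = RadiusPool([f"a.b.c.{n}" for n in range(10, 16)])   # 6 IPs, constructed
    nas = OpenVpnNas(pool, reuse)
    for c in range(1, 6):
        nas.connect(c)
    for c in range(1, 5):           # RADIUS unreachable: these Stops are lost
        nas.disconnect(c, stop_delivered=False)
    ip6, ip7 = nas.connect(6), nas.connect(7)
    return ip6, ip7, len(pool.leases), len(nas.active)
```

With `reuse=False` client 7 gets no address and the server still holds six leases for two online clients; with `reuse=True` the orphaned leases are reclaimed as their NAS-Ports are handed out again.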


