

Setting Up IP Address Pools

The IP Address Pool panel (Figure 56) allows you to set up one or more pools out of which unique IPv4 addresses are assigned as users require them. Each address pool consists of a list of one or more ranges of addresses.


Figure 56: IP Address Pools Panel

Adding an IPv4 Address Pool

An IP address pool consists of one or more ranges of IPv4 addresses. You can add or delete ranges and set an optional description for each address pool.

To add an IP address pool:

  1. Choose Address Pools > IP in the sidebar.

The IP Address Pools panel appears.

  2. Click the Add button in the toolbar.

The Add IP Address Pool dialog (Figure 57) appears.


Figure 57: Add IP Address Pool Dialog

  3. Enter the name of the IP address pool in the Name field.
  4. Optionally, enter a description of the address pool in the Description field.
  5. Identify the address range or ranges in the IP address pool.
     a. Click the Add button below the Address Ranges list.

The Add IP Address Range dialog (Figure 58) opens.


Figure 58: Add IP Address Range Dialog

     b. Enter the first address in the Starting address field.
     c. Enter the number of addresses in the address range in the Number of addresses field.
     d. Click Add.
     e. Repeat steps a-d for each address range in the IP address pool. When you are finished, click Close.
  6. Click OK.

Editing an IP Address Pool

To edit an IP address pool:

  1. Choose Address Pools > IP in the sidebar.
  2. Select the entry you want to modify and click the Edit button (or right-click the entry and choose Edit).

The Edit IP Address Pool dialog (Figure 59) appears.


Figure 59: Edit IP Address Pool Dialog

  3. Modify the settings for the address pool as needed.
  4. When you are finished, click OK.

Removing an IP Address Pool

To delete an IP address pool:

  1. Choose Address Pools > IP in the sidebar.
  2. Select the entry you want to remove and click the Delete button (or right-click the entry and choose Delete).
  3. When you are prompted to confirm the deletion, click Yes.

Specifying an IP Address Pool for User/Profile Records

The Framed-IP-Address return list attribute controls how the server assigns an IP address to a user making a connection. When you add or edit the Framed-IP-Address attribute in the Users or Profiles dialog, the Add Attribute dialog (Figure 60) allows you to choose an IP address pool instead of specifying an IP address.


Figure 60: Editing the Framed-IP-Address

NAD-Specific IP Address Pools

Steel-Belted Radius Carrier enables you to define IP address pools that are specific to the NAD (RADIUS client) from which the user request was received. You can also define a set of suffixes that define categories of pools. For example, a pool category might correspond to the kinds of services available to users in that category. You might decide to define categories called Bronze, Silver, and Gold, indicating increasing packet routing priorities.

To create a NAD-specific address pool:

  1. Define the IP address pool with the IP Address Pools dialog (Figure 61).

Figure 61: Address Pools Panel: IP Address Pools

  2. Use the IP Address Pool field on the RADIUS Clients panel to associate the new IP address pool with the appropriate NAD.
  3. Assign the user to a NAD-specific IP address pool and suffix.

Create this association in the Users panel or the Profiles panel by adding a Framed-IP-Address return list attribute with a value of pool associated with RAS Client (Figure 62).


Figure 62: Assigning the User to a NAD-Specific IP Address Pool

Service-Level IP Address Pools

Steel-Belted Radius Carrier enables you to define a set of suffixes that define categories of IP address pools. For example, a pool category might correspond to the kinds of services available to users in that category. You might decide to define categories called Bronze, Silver, and Gold to identify different packet routing priorities.

To create a set of service-level address pools:

  1. Define suffixes for the various service-level address pools in the [IPPoolSuffixes] section of radius.ini. For example:

     [IPPoolSuffixes]
     -GOLD
     -SILVER
     -BRONZE

  2. Define IP address pools using the suffixes configured in the [IPPoolSuffixes] section of radius.ini (Figure 63).

Figure 63: Service Level Suffixes in the IP Address Pools Panel

  3. Associate the new IP address pool with the appropriate NAD by using the IP Address Pool field on the RADIUS Clients panel.
  4. Assign a user to a NAD-specific IP address pool and suffix in the Users panel or the Profiles panel (Figure 64).

Figure 64: Associating IP Address Pools with RADIUS Clients

If user EDISON CARTER, who has been assigned to <RAS>-GOLD, logs into RAS1, he receives an IP address from the RAS1-GOLD address pool. If he logs into RAS2, he receives an address from the RAS2-GOLD address pool. If, however, he logs into RAS3 but RAS3-GOLD has not been defined in the IP Pools dialog, he is not assigned an IP address.
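The pool lookup described above, as an added example that is not Steel-Belted Radius Carrier code: the client-to-pool mapping, the suffix list and the pool ranges are constructed sample data, and the user's return-list value is written as "<RAS>" followed by one of the configured suffixes, as in the EDISON CARTER case.

```python
# Added example, not Steel-Belted Radius Carrier code: resolves the pool a user
# draws from when Framed-IP-Address is "pool associated with RAS Client" plus a
# service-level suffix, then hands out the first free address in that pool.
import ipaddress
from typing import Optional

# Suffixes as listed in the [IPPoolSuffixes] section of radius.ini.
IP_POOL_SUFFIXES = ("-GOLD", "-SILVER", "-BRONZE")
# Constructed sample data: the pool name each RADIUS client (NAD) carries in its
# IP Address Pool field, and the pools defined in the IP Address Pools panel as
# (starting address, number of addresses) ranges.
NAD_POOL = {"RAS1": "RAS1", "RAS2": "RAS2", "RAS3": "RAS3"}
IP_POOLS = {
    "RAS1-GOLD": [("10.1.1.1", 4)],
    "RAS2-GOLD": [("10.2.1.1", 4)],
    "RAS3-SILVER": [("10.3.1.1", 4)],
}
ALLOCATED = set()  # addresses currently handed out


def resolve_pool(nad: str, value: str) -> Optional[str]:
    """Map a return-list value "<RAS>" or "<RAS><suffix>" to a pool name.

    None means no address is assigned: the NAD has no pool, the suffix is not
    configured, or the resulting pool (e.g. RAS3-GOLD) was never defined.
    """
    base = NAD_POOL.get(nad)
    if base is None or not value.startswith("<RAS>"):
        return None
    suffix = value[len("<RAS>"):]
    if suffix and suffix not in IP_POOL_SUFFIXES:
        return None
    name = base + suffix
    return name if name in IP_POOLS else None


def allocate(nad: str, value: str) -> Optional[str]:
    """Return the first unassigned address in the resolved pool, or None."""
    pool = resolve_pool(nad, value)
    if pool is None:
        return None
    for start, count in IP_POOLS[pool]:
        first = ipaddress.IPv4Address(start)
        for offset in range(count):
            addr = str(first + offset)
            if addr not in ALLOCATED:
                ALLOCATED.add(addr)
                return addr
    return None  # every range in the pool is exhausted
```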

Specifying IP Address Assignment from a DHCP Server

IP addresses can be assigned from a back-end DHCP server, rather than from a standard IP address pool. DHCP address pools function like internal address pools—Framed-IP-Address can be allocated from any address pool, either internal or DHCP.

DHCP address pools are defined in the dhcp.ini file and initialization files with the extension .dhc.

In addition, each DHCP address pool must be enabled by adding a placeholder IP address pool in the SBR Administrator. This placeholder pool should have the same name as the DHCP pool, and should have an empty list of address ranges. The placeholder pool allows the DHCP pool to appear in lists presented by the SBR Administrator, so it can be selected into an attribute.

When an IP address must be assigned from a DHCP pool during an Access-Request, DHCP DISCOVER and REQUEST messages are issued to trigger the allocation of an address. When an accounting Stop ends the session, DHCP RELEASE is issued to the server that allocated the address. Upon receipt of an accounting INTERIM request, a DHCP REQUEST message is issued to the server that allocated the address, attempting to extend the lease. If the server is specified as a broadcast address, DHCP failover occurs if the primary DHCP server goes down.

DHCP leases can be acquired, extended, and released by different servers. The server that acquires the lease adds all the information for extending and releasing the lease to the Class attribute.

Flexible configuration features allow RADIUS attributes to be mapped to DHCP options. Therefore, information from a RADIUS request can be provided to the DHCP server, and information returned from the DHCP server can be returned to the network access device.

During authentication, if an address is assigned from a pool, the pool name must refer to either a DHCP pool or an internal pool. If the pool name is not found, the request is rejected.

Address Allocation

During address allocation, a DISCOVER message is issued. If an OFFER is received from a DHCP server and the offered lease time meets the minimum lease time requirements, the server issues a REQUEST message. If an ACK message is received, the allocated address is returned in the Access-Accept.

In addition to the options required for normal DHCP operation, additional options in the DHCP DISCOVER and REQUEST messages are constructed based on the attributes in the RADIUS request and the literal values specified in the [Request] section for the pool. A Parameter Request List option is also constructed, listing all return options required for populating the RADIUS response, as specified in the [Reply] section for the pool.

If an address is assigned by means of DHCP, the DH= field is added to the Class attribute. This field includes:

The unique client identifier for each user session is placed in the client hardware address field of the DHCP request as well as in the Client ID option. This information is used by the DHCP server to associate IP addresses with clients.

Address Renewal

If an INTERIM accounting message whose Class attribute includes both the IP= and the DH= fields is received, a REQUEST message is unicast to the DHCP server that allocated the address in an attempt to renew the lease. It requests the same lease time as was granted for the original request. If the server is specified as a broadcast address, DHCP failover occurs if the primary DHCP server goes down.

NOTE: If a renewal request is rejected, the DHCP server does not inform the network access device that the user's IP address is not renewed and may become invalid.


Address Release

If an accounting Stop message whose Class attribute includes both the IP= and the DH= fields is received, a RELEASE message is unicast to the DHCP server that allocated the address.

NOTE: The DHCP server does not reply to the RELEASE message.


An address is also released to the DHCP server when a session is deleted from the session database for a reason other than receipt of an accounting Stop. For example, expiration of a phantom session or administrative deletion of a session results in release of the temporary DHCP address.
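The allocation, renewal and release decisions described in the three sections above, as an added example that is not Steel-Belted Radius Carrier code. The page says the Class attribute carries IP= and DH= fields after a DHCP assignment but not how they are encoded, so the "IP=<addr>;DH=<dhcp-server>,<lease-seconds>" layout, the minimum lease value and the "Session-Deleted" event label are assumptions made for this illustration.

```python
# Added example, not Steel-Belted Radius Carrier code: decides which DHCP message,
# if any, an accounting event triggers for a DHCP-assigned address. The page says
# the Class attribute carries IP= and DH= fields but not how they are encoded, so
# the "IP=<addr>;DH=<dhcp-server>,<lease-seconds>" layout here is an ASSUMPTION.
from typing import Dict, Optional, Tuple

MIN_LEASE_SECONDS = 600  # assumed minimum lease time configured for the pool


def parse_class(class_attr: str) -> Dict[str, str]:
    """Split the assumed Class layout into its key=value fields."""
    fields = {}
    for part in class_attr.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def accept_offer(offered_lease: int) -> bool:
    """Allocation: only an OFFER whose lease meets the minimum is followed by a
    REQUEST; a shorter offer leaves the user without a DHCP address."""
    return offered_lease >= MIN_LEASE_SECONDS


def dhcp_action(event: str, class_attr: str) -> Optional[Tuple[str, str, Optional[int]]]:
    """Return (message, server, lease) to unicast, or None if nothing is sent.

    Interim-Update -> REQUEST to the allocating server, same lease as granted.
    Stop, or a session deleted for another reason (phantom expiry,
    administrative deletion; "Session-Deleted" is a constructed label)
    -> RELEASE to the allocating server.
    Without both IP= and DH= the address was not DHCP-assigned.
    """
    fields = parse_class(class_attr)
    if "IP" not in fields or "DH" not in fields:
        return None
    server, lease = fields["DH"].split(",", 1)
    if event == "Interim-Update":
        return ("REQUEST", server, int(lease))
    if event in ("Stop", "Session-Deleted"):
        return ("RELEASE", server, None)
    return None  # e.g. Start: nothing to renew or release
```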

DHCP Option Mapping

Options in a DHCP DISCOVER or REQUEST message can automatically be constructed based on attributes in the RADIUS request as well as pre-configured literal values. Also, options returned by the DHCP server in an OFFER message can be transmitted back to the network access device in RADIUS attributes.

The following applies to the mapping between RADIUS attributes and DHCP options:

For example, a RADIUS attribute called IP-Router could appear multiple times in an Access-Accept. DHCP's Router option returns a list of IP addresses of routers. This single DHCP option can be configured to return multiple instances of the RADIUS IP-Router attribute -- one for each router address in the list.

For example, two RADIUS attributes exist, Primary-DNS-Server and Secondary-DNS-Server. DHCP's DNS Server option returns a list of IP addresses of DNS servers. This single DHCP option can be configured to set the first DNS server address in Primary-DNS-Server and the second in Secondary-DNS-Server.

Therefore, if network access devices from different vendors use different RADIUS attributes for the same information, each RADIUS attribute that might be required can be mapped to the same DHCP option. The correct attribute is returned to the network access device.
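The two mapping styles just described (one list-valued DHCP option repeated as several instances of one RADIUS attribute, or split element by element into different attributes, with several attributes allowed to map to the same option), as an added example that is not Steel-Belted Radius Carrier code. The OFFER contents, the attribute names other than those named on the page, and the rule format are constructed for the illustration; option codes 3 (Router) and 6 (DNS Server) are the standard DHCP codes.

```python
# Added example, not Steel-Belted Radius Carrier code: shows the two ways the
# page describes for turning one list-valued DHCP option into RADIUS attributes
# in the Access-Accept. Attribute names and the mapping syntax are assumptions.
from typing import Dict, List, Tuple

# Constructed OFFER payload: option 3 (Router) and option 6 (DNS Server), each a
# list of addresses as the DHCP server returns them.
OFFER_OPTIONS = {
    3: ["10.0.0.1", "10.0.0.2"],
    6: ["10.0.0.53", "10.0.0.54"],
}

# Assumed mapping rules: (option code, attribute name, index) where index None
# means "one attribute instance per list element" and an integer selects a
# single element (0-based). Several attributes may map to the same option so
# that NADs from different vendors each receive the attribute they understand.
REPLY_MAP = [
    (3, "IP-Router", None),            # repeat per router address
    (6, "Primary-DNS-Server", 0),      # first DNS address only
    (6, "Secondary-DNS-Server", 1),    # second DNS address only
    (6, "Vendor-X-DNS-Server", 0),     # same option, different vendor attribute
]


def build_reply_attrs(options: Dict[int, List[str]], rules) -> List[Tuple[str, str]]:
    """Return the (attribute, value) pairs to add to the Access-Accept."""
    attrs = []
    for code, attr, index in rules:
        values = options.get(code, [])
        if index is None:
            attrs.extend((attr, v) for v in values)
        elif index < len(values):          # missing element: attribute omitted
            attrs.append((attr, values[index]))
    return attrs
```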

Using Multiple Servers

As the information required to renew or release a DHCP-assigned address is contained in the Class attribute, it is feasible to set up multiple servers, all utilizing a common DHCP server for address allocation. The network access device can issue requests to any of the servers, and addresses are assigned and released correctly even if different servers handle authentication and accounting requests for the same session.

This architecture requires that each server be configured to be stateless—that is, the current sessions database must be turned off in the radius.ini file, as follows:

[CurrentSessions]
Enable = 0


Current sessions processing makes sense only when authentication and all accounting are directed to the same server. If current sessions processing is not disabled, the current sessions database becomes incorrect and keeps growing. For example, DHCP addresses are prematurely released when phantoms expire.

