Datastores

How do I make CHAP work with LDAP?

The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user. There are however provisions to extract the user password from the LDAP and make it available to the server core and the chap module. See for more details on how to configure the ldap module to do that.

There are a few things that the administrator should watch out for though:

Add the chap module in the authorize section of radiusd.conf before any other modules which set the Auth-Type attribute. That way the chap module can check if the current request contains a PAP or CHAP password and if it contains the former then it will set the Auth-Type to CHAP.
The := operator should not be used in the users file to set the Auth-Type since it will set the Auth-Type regardless of wether it has already being set to some other value.
An 'authtype CHAP' subcomponent should be added in the authenticate section of which will contain the chap module.

Recover SQL IP Pools

IP pool exhaustion occurs when all the IP addresses within a given pool are assigned. New devices or sessions can’t complete the authentication process without an IP address. The risk of pool exhaustion increases if there is a 'bulk disconnect of sessions' event. The Accounting Stop or Accounting On/Off (in the case of a NAS reboot) requests aren’t received on the FreeRADIUS server. The actively leased IP addresses become orphaned and don’t get returned to the IP pool.

To prevent the pool from becoming exhausted, consider one of the following options:

Configure a simultaneous use policy to prevent the disconnected devices from reconnecting immediately. The device reconnects once the existing accounting session and the active IP lease expires.
Use a sticky IP address policy to reallocate the previous IP addresses to the original sessions. The IP address assignment occurs when the connection is re-established.

There will be a short-term exhaustion of the pool’s capacity, which may impact device re-authentications. The original IP addresses associated with the affected sessions are still leased while new IP addresses are being allocated.

This will last until the lease expiry times for the orphaned IP addresses have passed, up to the configured lease_duration.

It’s possible to identify the orphaned IP addresses and release them in advance of their set expiry time restoring service faster.

Differentiating orphaned IP addresses from leased IP addresses belonging to current sessions prevents duplicate IP address allocation. Manual modifications to lease expiry times often cause this issue. Be cautious when making manual interventions.

You can tell that IP addresses are abandoned when there are no updates to the expiry_time field. Something has happened to the NAS, and it has not send a "session stop" message. But the lack of accounting updates to the session indicates that it is no longer active.

You can release abandoned IP addresses by setting the expiry_time to the current time.

The following provides a worked example that additionally verifies the radippool data against radacct.acctupdatetime…

This query will show all active IP leases together with corresponding accounting data, sorted by time last Interim-Update was received:

> SELECT framedipaddress, username, expiry_time, radacctid, acctstarttime, acctupdatetime
FROM radippool p LEFT OUTER JOIN radacct a using (framedipaddress, username)
WHERE p.expiry_time > now() AND a.acctstoptime IS NULL
ORDER BY acctupdatetime NULLS FIRST;

 framedipaddress |   username       |     expiry_time     | radacctid |     acctstarttime      |     acctupdatetime
-----------------+------------------+---------------------+-----------+------------------------+------------------------
[ Addresses for authentications whose sessions did not start, or Accounting Start delayed, i.e. no radacct session. ]
 123.66.123.169  | Xht58gp6@example | 2021-03-09 07:29:24 |           |                        |
 123.66.120.200  | 3MzBcVDW@example | 2021-03-09 07:20:39 |           |                        |
 123.66.102.177  | mGDS4edR@example | 2021-03-09 07:20:56 |           |                        |
...

[ Addresses not received an interim update within the current interim update window. Update time is typically spread. ]
 123.66.95.62    | srSRNkSE@example | 2021-03-09 07:49:33 |  12563992 | 2021-03-09 04:39:32-10 | 2021-03-09 04:49:12-10
 123.66.77.62    | P4YSCrmX@example | 2021-03-09 07:49:33 |  12539400 | 2021-03-08 19:59:32-10 | 2021-03-09 04:49:36-10
 123.66.112.214  | zbBUEmsG@example | 2021-03-09 07:49:33 |  12544847 | 2021-03-08 22:09:31-10 | 2021-03-09 05:19:04-10
 123.50.123.89   | wufJbGL4@example | 2021-03-09 07:49:33 |  12552726 | 2021-03-09 00:59:31-10 | 2021-03-09 06:39:48-10
...

[ Addresses received interim update: Note cliff edge corresponding to start of current interim update window.  vvv ]
 123.185.168.166 | V5vDG6hq@example | 2021-03-09 07:49:33 |  12565868 | 2021-03-09 05:19:31-10 | 2021-03-09 06:49:32-10
 123.66.68.216   | Nr2mecCJ@example | 2021-03-09 07:49:33 |  12545572 | 2021-03-08 22:39:31-10 | 2021-03-09 06:49:32-10
 123.50.124.181  | J3W2Ej2t@example | 2021-03-09 07:49:33 |  12558988 | 2021-03-09 02:59:32-10 | 2021-03-09 06:49:32-10
 123.66.115.151  | 6Qvujqtx@example | 2021-03-09 07:49:33 |  12538411 | 2021-03-08 19:39:31-10 | 2021-03-09 06:49:32-10
 123.66.116.61   | jzKBv4Z@example  | 2021-03-09 07:49:33 |  12555330 | 2021-03-09 01:49:31-10 | 2021-03-09 06:49:32-10
 123.185.167.94  | JtxxH3f@example  | 2021-03-09 07:49:33 |  12555329 | 2021-03-09 01:49:31-10 | 2021-03-09 06:49:32-10
 123.66.122.226  | 1eRyexwe@example | 2021-03-09 07:49:33 |  12563103 | 2021-03-09 04:19:31-10 | 2021-03-09 06:49:33-10

Now, construct a query that matches only the IP addresses that you wish to release.

In the example below, replace [ XXXXX ] with a cutoff time. It must be before the beginning of the current Interim-Update window (usually 5-10 minutes). The time can be earlier, depending on your level of confidence in how reliable the NAS is at sending accounting updates.

SELECT framedipaddress, username, expiry_time, radacctid, acctstarttime, acctupdatetime
FROM radippool p LEFT OUTER JOIN radacct a using (framedipaddress, username)
WHERE p.expiry_time > now() AND a.acctstoptime IS NULL
  AND acctupdatetime < [ XXXXX ]
ORDER BY acctupdatetime NULLS FIRST;

Once you are satisfied that the results represent only those IP addresess not belonging to a current session that you intend to release, wrap the above query in an update:

UPDATE radippool SET expiry_time = NOW() WHERE framedipaddress IN (
SELECT framedipaddress
FROM radippool p LEFT OUTER JOIN radacct a using (framedipaddress, username)
WHERE p.expiry_time > now() AND a.acctstoptime IS NULL
  AND acctupdatetime < [ XXXXX ]
);