Previous Next Table of Contents

18. What possibilities exist for dynamically assigning addresses to dial-in users?

  1. Address pools. An address pool is defined on the NAS with the command "ip local pool". If an address is to be chosen from such a pool, then the NAS, and only the NAS, decides which particular address from the pool range is taken. The currently implemented allocation strategy works as follows; as it is undocumented, it is subject to change. There is a "free queue" holding the addresses that are in the pool but not allocated to any user. When a user logs out, the address allocated to him is appended to the free queue and the user's login name is stored with the queue entry. When a user logs in, the free queue is first searched for an entry carrying that user's name. If one is found, that address is used; if not, the first address in the free queue is used. The address chosen this way is removed from the free queue and allocated to the user. The effect of this strategy is that address use is distributed nearly equally over the pool, and a user who logs out and logs in again shortly afterwards receives the same address.
  2. DHCP server. With this method, a standard DHCP server is asked for an address. When the user logs out, the address is released again so that it can be re-used.
  3. TACACS+ daemon extension. The TACACS+ daemon can set the user's IP address. Normally this is used when a fixed IP address is assigned to a user. Nevertheless, the mechanism can be extended, using source code modifications and/or pre/post authorization scripts, so that it does not use a fixed IP address but determines one from some other source. For example, it is possible (and has been done) that such a TACACS+ daemon extension queries a central database server for a free IP address when the daemon receives an appropriate authorization request. The IP address determined this way is then sent to the NAS in the "addr=" AV pair. One problem is that you have to be careful about which addresses are really in use. You cannot rely on the accounting messages to indicate the users' logout, because under some error conditions they are not sent (NAS reboot, network congestion, ...). This can be solved by regularly querying the NAS for the users logged in, using finger or SNMP. A problem with the finger method is that the username display is limited to 10 characters.
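The free-queue strategy from item 1, written out as a small simulation. This is an added example for this page, not IOS code: the pool range, the user names and the login/logout sequence in demo() are constructed, and the class only models the behaviour described above (address plus last user per queue entry, search by name first, then head of queue, freed addresses appended to the tail).

```python
import ipaddress
from collections import deque
from typing import Optional


class LocalPool:
    """Model of the free-queue strategy described for "ip local pool".

    Simulation written for this page, not IOS code: the NAS keeps a queue of
    free addresses; each entry remembers the last user that held the address,
    so a returning user gets the same address back if it is still free.
    """

    def __init__(self, first: str, last: str) -> None:
        start = int(ipaddress.IPv4Address(first))
        end = int(ipaddress.IPv4Address(last))
        if end < start:
            raise ValueError("pool range is empty")
        # Free queue entries are (address, last_user); nobody has held an
        # address yet, so last_user starts out as None.
        self.free = deque((str(ipaddress.IPv4Address(n)), None)
                          for n in range(start, end + 1))
        self.allocated = {}  # address -> user currently holding it

    def allocate(self, user: str) -> Optional[str]:
        """Pick an address for a user logging in; None if the pool is exhausted."""
        # First look for a free address this user held most recently.
        for entry in self.free:
            if entry[1] == user:
                self.free.remove(entry)
                self.allocated[entry[0]] = user
                return entry[0]
        if not self.free:
            return None  # pool exhausted: the call cannot get an address
        # Otherwise take the head of the queue; freed addresses go to the
        # tail, so allocation rotates through the whole range.
        addr, _ = self.free.popleft()
        self.allocated[addr] = user
        return addr

    def release(self, addr: str) -> None:
        """User logged out: return the address to the tail of the free queue."""
        user = self.allocated.pop(addr)
        self.free.append((addr, user))


def demo():
    """Constructed sequence of logins and logouts on a four-address pool."""
    pool = LocalPool("10.0.0.1", "10.0.0.4")
    trace = []
    trace.append(("alice", pool.allocate("alice")))  # 10.0.0.1
    trace.append(("bob", pool.allocate("bob")))      # 10.0.0.2
    pool.release("10.0.0.1")                         # alice hangs up
    trace.append(("carol", pool.allocate("carol")))  # 10.0.0.3, head of queue, not alice's .1
    trace.append(("alice", pool.allocate("alice")))  # 10.0.0.1 again: found by name
    trace.append(("dave", pool.allocate("dave")))    # 10.0.0.4
    trace.append(("eve", pool.allocate("eve")))      # None: pool exhausted
    return trace


if __name__ == "__main__":
    for user, addr in demo():
        print(f"{user:6s} -> {addr}")
```

Note that carol does not get alice's freshly released 10.0.0.1 even though it is free: that entry sits at the tail with alice's name on it, which is exactly why a quick redial gives alice her old address back.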

Address allocation using local pools has the advantage that pool management is simple (it is done by the NAS) and that it is possible to use multiple pools, e.g. if you have various classes of users with different address ranges.

In contrast, the DHCP server does not allow this, but it manages the addresses centrally, so the address space is used more efficiently.

The daemon extension is by far the most flexible method, as you can do almost anything with it. The disadvantage is that there are no standard tools to handle this, so you have to program everything yourself.
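What "program everything yourself" amounts to for the daemon extension in item 3: the address bookkeeping behind the authorization hook, including the two caveats the text raises (lost accounting STOP records, and finger truncating names to 10 characters). This is an added example for this page, not code from any TACACS+ daemon: an in-memory dict stands in for the central database, authorize() only returns the "addr=" AV pair string the daemon would add to its reply, the list of active names passed to reconcile() is what a finger or SNMP poll of the NAS would have returned, and the grace period is an assumption of this model, not a documented NAS behaviour.

```python
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# finger on the NAS shows at most this many characters of the username.
FINGER_NAME_WIDTH = 10


class CentralAllocator:
    """Stand-in for the central database a TACACS+ authorization hook queries.

    Written for this page as an illustration: a dict replaces the database
    table, and `now` is injectable so the grace-period logic can be tested.
    """

    def __init__(self, addresses: Iterable[str],
                 now: Callable[[], float] = time.time) -> None:
        self._now = now
        # address -> (user, time leased), or None when the address is free
        self.leases: Dict[str, Optional[Tuple[str, float]]] = {a: None for a in addresses}

    def authorize(self, user: str) -> Optional[str]:
        """Called on the authorization request. Returns the AV pair the daemon
        should add to its reply, or None when no address is free (the daemon
        should then fail the authorization rather than hand out a duplicate)."""
        for addr, lease in self.leases.items():
            if lease is None:
                self.leases[addr] = (user, self._now())
                return f"addr={addr}"
        return None

    def accounting_stop(self, user: str) -> List[str]:
        """Normal path: an accounting STOP record releases the user's leases."""
        released = []
        for addr, lease in self.leases.items():
            if lease is not None and lease[0] == user:
                self.leases[addr] = None
                released.append(addr)
        return released

    def reconcile(self, active_names: Iterable[str], grace: float = 60.0) -> List[str]:
        """Fallback for lost STOP records (NAS reboot, congestion): release
        every lease older than `grace` seconds whose user is not among the
        names the NAS currently reports via finger or SNMP.

        finger truncates names to FINGER_NAME_WIDTH characters, so the lease's
        username is compared truncated to the same width. The grace period
        (an assumption of this model) keeps a lease that was just handed out
        but whose session has not shown up on the NAS yet.
        """
        active = {name[:FINGER_NAME_WIDTH] for name in active_names}
        now = self._now()
        released = []
        for addr, lease in self.leases.items():
            if lease is None:
                continue
            user, leased_at = lease
            if now - leased_at >= grace and user[:FINGER_NAME_WIDTH] not in active:
                self.leases[addr] = None
                released.append(addr)
        return released


if __name__ == "__main__":
    alloc = CentralAllocator(["10.0.0.1", "10.0.0.2"])
    print(alloc.authorize("alice"))            # addr=10.0.0.1
    print(alloc.authorize("christopher.long")) # addr=10.0.0.2
    print(alloc.authorize("bob"))              # None: nothing free
    # Simulated NAS reboot: finger shows only the truncated name "christophe"
    print(alloc.reconcile(["christophe"], grace=0))  # ['10.0.0.1']
```

Two points the comparison on truncated names does not solve: two users whose names share the first 10 characters are indistinguishable in finger output, so a stale lease of one can be kept alive by the other's session; SNMP does not have that limitation and is the better poll source where available.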
