- Address Pools.
An address pool is defined on the NAS by the command "ip local
pool". If an address is to be chosen from such an address pool, then
the NAS and only the NAS decides which particular address from the
pool range is taken.
The currently implemented allocation strategy works as follows. As it
is not documented, it is subject to change. There is a "free queue"
which stores the addresses that are in the pool but not allocated to any
user. When a user logs out, the address allocated to him is appended
to the free queue and the user's login name is stored with the queue
entry. When a user logs in, the free queue is searched for an entry
carrying this user's name. If one is found, that address is used. If not,
the first address in the free queue is used. The address determined in
this way is removed from the free queue and allocated to the user. The
effect of this strategy is that address use is distributed nearly equally
across the pool, and a user who logs out and shortly afterwards logs in
again receives the same address.
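The free-queue strategy described above, modelled in Python as an added example (this is not NAS code; the 10.0.0.x range and the user names are constructed):

```python
import ipaddress
from collections import deque


class LocalPool:
    """Model of the undocumented "ip local pool" free-queue strategy."""

    def __init__(self, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        # Free queue of (address, last_user); last_user is None for an
        # address that has never been handed out.
        self.free = deque((str(ipaddress.IPv4Address(n)), None)
                          for n in range(lo, hi + 1))
        self.allocated = {}  # user -> address currently in use

    def login(self, user):
        if user in self.allocated:
            raise ValueError(f"{user} is already logged in")
        if not self.free:
            raise RuntimeError("address pool exhausted")
        # Prefer the address this user released most recently ...
        for entry in self.free:
            if entry[1] == user:
                self.free.remove(entry)
                break
        else:
            # ... otherwise take the head of the free queue.
            entry = self.free.popleft()
        self.allocated[user] = entry[0]
        return entry[0]

    def logout(self, user):
        addr = self.allocated.pop(user)
        # Released address goes to the tail, tagged with the user's name.
        self.free.append((addr, user))
        return addr


def demo():
    # Constructed pool range and user names.
    pool = LocalPool("10.0.0.1", "10.0.0.4")
    a1 = pool.login("alice")   # head of queue: 10.0.0.1
    b1 = pool.login("bob")     # 10.0.0.2
    pool.logout("alice")       # queue is now .3, .4, .1(alice)
    c1 = pool.login("carol")   # .3: a freed address is not reused first
    a2 = pool.login("alice")   # alice gets her old .1 back
    return a1, b1, c1, a2
```

Running `demo()` shows both effects the text describes: carol receives 10.0.0.3 even though 10.0.0.1 is free, and alice gets 10.0.0.1 back on re-login.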
- DHCP server.
With this method, a standard DHCP server is asked for an
address. After the user logs out again, the address is released
so it can be re-used.
- TACACS+ daemon extension.
The TACACS+ daemon can set the user's IP address. Normally, this is
done if there is a fixed IP address assigned for a user. Nevertheless,
this mechanism can be extended using source code modifications and/or
pre/post authorization scripts which do not use a fixed IP address,
but rather determine it from some other source.
For example, it is possible (and has been done) that such a TACACS+
daemon extension queries a central database server for a free IP
address when the TACACS+ daemon receives an appropriate authorization
request. The IP address determined in this way is then sent to the NAS
using the "addr=" AV pair.
One problem is that you have to be careful which addresses are really
in use. You cannot rely on the accounting messages to indicate the
users' logout because under some error conditions they are not sent
(NAS reboot, network congestion, ...). This can be solved by regularly
querying the NAS for the users logged in, using finger or SNMP. A
problem with the finger method is that the username display is limited to
10 characters.
Address allocation using local pools has the advantage that pool
management is simple (it's done by the NAS) and that it's possible to
use multiple pools, e.g. if you have various classes of users with
different address ranges.
In contrast, the DHCP server does not allow this, but it manages the
addresses centrally so the address space is used more efficiently.
The daemon extension is by far the most flexible method as you can do
almost anything with it. The disadvantage is that there are no standard
tools to handle this, so you have to program everything yourself.