[SBR] IP address not released to IP Pool



Article ID: KB14347 | KB Last Updated: 04 Mar 2017 | Version: 2.0

Steel-Belted RADIUS is not releasing IP addresses back to an IP Pool when a user logs out from a Network Access Server (NAS).

Steel-Belted RADIUS is configured to issue IP addresses to users logging into a NAS device via IP Address Pools.  When the user signs in, they receive a valid IP address and are allowed onto the network. However, when this user gracefully disconnects from the NAS device, the IP address is not released back to the IP Address Pool.

Eventually, the IP Address Pool is exhausted and users are no longer able to access the network as there are no more IP addresses available.

Basic troubleshooting should be performed on the RADIUS server and NAS device to confirm that RADIUS Accounting Start and Stop packets are being sent from the NAS device and received by the Steel-Belted RADIUS server. This can be done by reviewing the .ACT file on the Steel-Belted RADIUS server.

The .ACT file is a comma-separated value file which records all accounting traffic received by the server. For every RADIUS Accounting Start packet received, there must be a corresponding RADIUS Accounting Stop packet. If a Stop packet is missing, Steel-Belted RADIUS will not release the IP address back to the pool. If this is the case, verify network connectivity between the NAS device and the RADIUS server. RADIUS uses UDP for packet delivery, so there is no guaranteed delivery mechanism in place.
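The Start/Stop pairing check described above can be scripted. This is an added example, not Juniper code: it assumes the .ACT file begins with a header row naming the logged attributes, that those include the standard RADIUS attributes `NAS-IP-Address`, `User-Name`, `Acct-Status-Type`, `Acct-Session-Id` and `Framed-IP-Address`, and that the status is logged either as `1`/`2` or as `Start`/`Stop`. The sample data is constructed.

```python
import csv
import io

# Constructed sample in the assumed .ACT layout: a header row naming the
# logged attributes, then one CSV row per accounting packet received.
SAMPLE_ACT = '''"Date","Time","NAS-IP-Address","User-Name","Acct-Status-Type","Acct-Session-Id","Framed-IP-Address"
"2017-03-01","08:00:01","192.0.2.10","alice","1","0000A1","10.20.0.5"
"2017-03-01","08:02:13","192.0.2.10","bob","1","0000A2","10.20.0.6"
"2017-03-01","09:15:40","192.0.2.10","alice","2","0000A1","10.20.0.5"
"2017-03-01","09:30:00","192.0.2.11","carol","Start","0000A1","10.20.0.7"
"2017-03-01","10:00:00","192.0.2.11","dave","2","0000B9","10.20.0.8"
'''

START, STOP = {"1", "start"}, {"2", "stop"}

def unmatched_sessions(act_text):
    """Return (open_starts, orphan_stops) found in .ACT CSV text.

    Sessions are keyed on (NAS-IP-Address, Acct-Session-Id) because a
    session id is only guaranteed unique per NAS, not across NAS devices.
    """
    open_starts, orphan_stops = {}, []
    for row in csv.DictReader(io.StringIO(act_text)):
        status = row["Acct-Status-Type"].strip().lower()
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        if status in START:
            open_starts[key] = row
        elif status in STOP:
            if open_starts.pop(key, None) is None:
                orphan_stops.append(row)  # Stop seen with no Start in this file
        # Other record types (for example Interim-Update) are ignored here.
    return list(open_starts.values()), orphan_stops

def summarize(rows):
    """Reduce rows to (user, NAS, session id, address) tuples for reporting."""
    return [(r["User-Name"], r["NAS-IP-Address"], r["Acct-Session-Id"],
             r.get("Framed-IP-Address", "")) for r in rows]

if __name__ == "__main__":
    opens, orphans = unmatched_sessions(SAMPLE_ACT)
    for item in summarize(opens):
        print("Start without Stop (address likely still held):", item)
    for item in summarize(orphans):
        print("Stop without Start (Start lost or in an earlier file):", item)
```

A Start without a Stop may simply be a user who is still connected, so compare the result against the sessions the NAS reports as active before treating it as a lost packet.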

Assuming that there is a matching Start and Stop packet for a given user, verify one configuration option in the radius.ini file on the server. 
  1. Open the radius.ini file in your favorite text editor. 
    Depending on the OS in use and version of Steel-Belted RADIUS, this file may be located in one of the following directories.

    C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service
  2. Look for the following section header: [CurrentSessions]
  3. There should be a parameter called: Enable

    This value MUST be set to 1 in order to properly support IP Pools.
    If it is 0, change the value to 1 and save the file.

  4. Stop and restart the Steel-Belted RADIUS service/process for this change to take effect.

After this change, IP addresses issued to previous logins may still not be released. If this is the case, you may need to clear the session table to recover completely.

Some options for clearing the session table:

  • If using the Global Enterprise or Service Provider Edition of SBR, use the LCI (LDAP Command Interface) to locate IP Addresses issued before a certain time and then use an LDAP modify script to remove them.
  • Schedule a maintenance window where no users will be logged into the network. At this point, stop the SBR service/process and then delete a file called ‘radads.hst’. This file contains the entire session table.
NOTE: If you delete this file while users have an active network connection with an IP address from one of the IP Pools, you run the risk of allowing that IP address to be re-issued and thus creating a duplicate IP address on the network.

If you are unsure how to proceed with these steps, it is strongly recommended that you contact the Juniper Networks Technical Assistance Center (JTAC) for guidance.
