Use Framed-IP-Address RADIUS attribute for IP allocation with DHCP on Windows Server 2012R2

dhcp, freeradius2, pfsense, windows-server-2012-r2

I have configured a DHCP server on Windows Server with an NPS Policy, connected to a FreeRADIUS2 server running on pfSense.

Authentication is based on MAC address. If the MAC address is not present in FreeRADIUS, Windows does not deliver an address, and it works the way I want.

Now, I have configured a Framed-IP-Address attribute on my FreeRADIUS, and I want Windows to deliver the specified address contained in this attribute, but it is delivering an IP address from the pool instead.

I have tested all possible parameters in the "IP Parameters" section of the NPS Policy, to no avail.

I want to use this solution because in the future IPs and MAC addresses will be stored in a MySQL database, and the intention is that FreeRADIUS uses these criteria to allow access at the firewall (this part works), and the IP specified in the database will be used by the DHCP server.

What am I missing? Is this a viable configuration?

Best Answer

In the case of a wireless client, Framed-IP-Address is sent in the accounting request (not in the access request); by the time an accounting request is sent, the client already has an IP address.

The RADIUS access request contains the client's MAC address (Calling-Station-Id). At this point the wireless client does not have an IP address. If you take the client MAC address from the access request and assign a static IP at the DHCP server fast enough, by the time the client completes authentication and sends a DHCP discover it will be assigned the static IP which was configured on the server.
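
The reservation step described in this answer, as an added example that is not part of the original answer: it normalizes a Calling-Station-Id value and creates the matching reservation with the Windows DhcpServer cmdlets. The function names, scope and addresses are assumptions, and how the MAC and IP reach the script from the RADIUS side is not shown.

```powershell
#Requires -Modules DhcpServer

# Normalize a Calling-Station-Id value (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff) to dash-separated hex; reject anything that is not a 48-bit MAC,
# since the value comes straight from the client side of the RADIUS exchange.
function ConvertTo-DhcpClientId {
    param([Parameter(Mandatory)][string]$CallingStationId)

    $hex = ($CallingStationId -replace '[:\-\.\s]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a 48-bit MAC address: '$CallingStationId'"
    }
    # Insert a dash after every byte except the last one.
    return ($hex -replace '(..)(?!$)', '$1-')
}

# Hypothetical helper: make sure the MAC has a reservation for the given address.
function Set-RadiusDhcpReservation {
    param(
        [Parameter(Mandatory)][string]$CallingStationId,
        [Parameter(Mandatory)][ipaddress]$IPAddress,
        [Parameter(Mandatory)][ipaddress]$ScopeId
    )

    $clientId = ConvertTo-DhcpClientId $CallingStationId
    $existing = Get-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $clientId `
        -ErrorAction SilentlyContinue

    # Already reserved with the right address: nothing to do.
    if ($existing -and $existing.IPAddress.ToString() -eq $IPAddress.ToString()) {
        return $existing
    }
    # Reserved with a different address: drop the stale entry first.
    if ($existing) {
        Remove-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $clientId
    }

    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $IPAddress `
        -ClientId $clientId -Description 'Created from RADIUS Access-Request'
    Get-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $clientId
}

# Constructed sample values (documentation address range), not from the original post.
Set-RadiusDhcpReservation -CallingStationId 'f0:de:f1:7a:00:5e' `
    -IPAddress 192.0.2.50 -ScopeId 192.0.2.0
```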
