DHCP code in 2.0.4+

Alan DeKok aland at deployingradius.com
Sun Jun 7 22:39:10 CEST 2009


Fajar A. Nugraha wrote:
> Can freeradius also detect "rogue" clients which use static IP
> addresses? If yes, this could be THE dhcp server I'm looking for.

  No.  But let's take a look at what happens when you add RADIUS to a
bare DHCP implementation:

1) do MAC auth via RADIUS.  Who cares what the MAC is.  The key is
   to get them to do RADIUS.

1a) Or, do 802.1X.

2) Return a restrictive set of filter rules (or a VLAN)

3) If they do DHCP, use CoA to update the filter rules to allow packets
FROM that source IP. (or switch VLANs)

3a) If they don't do DHCP, too bad for them: they can't pass any traffic.

> Last I checked ISC's DHCP tries ping first, but newer Windows (with icmp
> echo disabled by default) makes it somewhat less useful.

  Exactly.

  Why bother testing to see if the network is what you expect?  Simply
enforce that it *is* what you want.  If some idiot types in a static IP,
too bad.  He hasn't followed network policy, which requires him to do DHCP.

  The only (minor) problem is that these rules aren't written yet.  This
is why I'm giving the talk at LinuxTag: to get interest in people
writing rules to keep their network secure.

  Alan DeKok.
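A small model of the enforcement flow laid out in the reply above (steps 1 through 3a), added here as an illustration; it is not FreeRADIUS code and not Alan's, and the class, rule format and MAC/IP values are all constructed for the example. The point it shows is the one the post makes: a client that is MAC-authenticated starts with a filter set that only allows it to talk DHCP, a DHCP ACK triggers a CoA-style update that permits traffic from the leased address, and a host that skips DHCP and picks a static IP never gets a rule that lets its packets through.

```python
"""Toy model of "RADIUS + DHCP" access enforcement (constructed example).

Events modelled:
  1) MAC auth over RADIUS  -> session receives a restrictive bootstrap filter set
  3) DHCP ACK              -> CoA-style update adds a permit rule for the leased IP
  3a) no DHCP              -> nothing ever permits the client's traffic
Rule tuples are (action, protocol, source_ip), first match wins.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]

# Constructed bootstrap set: only a DHCP request from an unconfigured host
# (source 0.0.0.0, UDP to port 67) is allowed; everything else is dropped.
BOOTSTRAP_RULES: List[Rule] = [
    ("permit", "udp/67", "0.0.0.0"),
    ("deny", "any", "any"),
]


@dataclass
class Session:
    mac: str
    leased_ip: Optional[str] = None
    rules: List[Rule] = field(default_factory=list)


class PolicyEngine:
    """Hypothetical policy engine standing in for the NAS + RADIUS server."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def radius_auth(self, mac: str) -> List[Rule]:
        # Steps 1 and 2: accept the MAC (its value does not matter, what
        # matters is that the client did RADIUS) and return the restrictive
        # bootstrap filter set with the accept.
        session = Session(mac=mac, rules=list(BOOTSTRAP_RULES))
        self.sessions[mac] = session
        return session.rules

    def dhcp_ack(self, mac: str, ip: str) -> List[Rule]:
        # Step 3: the DHCP server leased `ip` to this MAC; push a CoA that
        # permits packets FROM that address in front of the bootstrap rules.
        session = self.sessions.get(mac)
        if session is None:
            raise KeyError(f"no authenticated session for {mac}")
        ip_address(ip)  # raises ValueError on a malformed address
        session.leased_ip = ip
        session.rules = [("permit", "any", ip)] + list(BOOTSTRAP_RULES)
        return session.rules

    def permits(self, mac: str, src_ip: str, proto: str = "any") -> bool:
        # Step 3a in action: evaluate the session's current filter set for a
        # packet from src_ip. No session (never did RADIUS) means no traffic.
        session = self.sessions.get(mac)
        if session is None:
            return False
        for action, rule_proto, rule_src in session.rules:
            if rule_proto not in ("any", proto):
                continue
            if rule_src not in ("any", src_ip):
                continue
            return action == "permit"
        return False


def walkthrough() -> Dict[str, bool]:
    """Run the three cases from the post and return the outcomes."""
    engine = PolicyEngine()
    good, rogue = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"  # constructed MACs
    engine.radius_auth(good)
    engine.radius_auth(rogue)
    results = {
        "dhcp_request_allowed": engine.permits(good, "0.0.0.0", "udp/67"),
        "static_ip_before_dhcp": engine.permits(rogue, "10.0.0.50"),
    }
    engine.dhcp_ack(good, "10.0.0.23")  # constructed lease
    results["leased_ip_after_dhcp"] = engine.permits(good, "10.0.0.23")
    results["static_ip_never_leased"] = engine.permits(rogue, "10.0.0.50")
    results["no_radius_at_all"] = engine.permits("aa:bb:cc:dd:ee:03", "10.0.0.9")
    return results


if __name__ == "__main__":
    for case, allowed in walkthrough().items():
        print(f"{case}: {'permit' if allowed else 'deny'}")
```

Note that the engine never probes the network to find out whether an address is in use; the filter set simply follows the DHCP lease, which is the "enforce it rather than test it" position taken in the reply.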


