DHCP with option 82 best practice

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 18 18:51:24 CEST 2010


On 10/18/2010 05:05 PM, Zietz, Marco wrote:

> I am curious if somebody could share information how to get FR as DHCP
> with option 82 authentication up and running. Couldn't find much
> information in provided sample files and on the net. My own experiments
> with auth configs were not particularly successful. The key I am missing

What have you tried? Why didn't it work?

> is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and
> DHCP-Discover messages and kicking in some kind of auth in order to
> return a DHCP-Offer/Ack message including a client IP out of the
> configured IP pools. Backend is mysql.

As with most things in FreeRadius, the key (pardon the pun) is 
determining what data is in the input packet, what data you want in the 
reply and what key/value lookup you need to do to achieve that.

The difficulty with DHCP is that you really need to do the following:

start transaction
select ip from pool where key=... and not used
update ip set used=true where ip=...
commit
add ip to reply packet

The "rlm_sqlippool" module does this for example, but the queries it 
executes are perhaps not suited to DHCP allocation; I haven't tried it.

If your DHCP pools are simple - one IP per switch/port and no pools - 
then you could just do:

update reply {
   DHCP-Your-IP-Address = "%{sql:select ip from opt82 where switch='%{DHCP-Agent-Remote-Id}' and port='%{DHCP-Agent-Circuit-Id}'}"
}

...but this may cause problems without proper lease management.

>
> I have the feeling that most users straight heading for rlm_perl and not
> using the ppp/chap/pap alike chain. This I would understand since the
> handshakes differ. Confirmation of this thesis would help me as well, so
> I can stop searching and start coding ;o)

I don't recognise the terminology you use here: "handshakes"?

In pretty much all modes, FreeRadius is a system for processing 
attribute/value pairs and generating replies. DHCP is "just another" 
encoding for AVPs with the slightly complex aspect that lease management 
needs to be (a bit) transactional, so anything other than fixed mac->IP 
mappings needs a bit of work. That is why people may use perl or things 
more complex than unlang/rlm_passwd - the need for transactional lease 
allocation.

I suspect few people are using FreeRadius for DHCP in anger yet, which 
explains why you have found little info, but I'm sure it can do it. If 
you can provide more info about what you've tried that doesn't work...
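An added illustration of the transactional lease step and the option 82 keyed lookup described above (this is example code, not FreeRADIUS's own or from the original post): a small sqlite3 model in which the pool is keyed by switch (Agent-Remote-Id) and port (Agent-Circuit-Id), the select/update/commit run inside one write transaction, a renewing client gets its existing address back, and an exhausted per-port pool yields None with nothing marked used. Table and column names are assumptions.

```python
import sqlite3

# Constructed sample pool: each row binds one IP to a switch/port key,
# the same key the "opt82" lookup in the post uses.  mac is NULL while free.
SAMPLE_POOL = [
    ("sw1", "1/1", "10.0.0.10"),
    ("sw1", "1/1", "10.0.0.11"),
    ("sw1", "1/2", "10.0.0.20"),
]


def make_db():
    # isolation_level=None: no implicit BEGIN, we drive the transaction ourselves
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("create table pool (switch text, port text, "
               "ip text primary key, mac text)")
    db.executemany("insert into pool (switch, port, ip) values (?, ?, ?)",
                   SAMPLE_POOL)
    return db


def allocate(db, remote_id, circuit_id, mac):
    """Return the IP to put in DHCP-Your-IP-Address, or None if the
    (switch, port) pool is exhausted.  Select and update share one write
    transaction so two concurrent DISCOVERs cannot be offered the same IP."""
    db.execute("begin immediate")          # take the write lock before selecting
    try:
        # A client that already holds a lease on this port keeps it (renewal /
        # REQUEST after OFFER), so repeated allocations are idempotent.
        row = db.execute("select ip from pool where switch=? and port=? and mac=?",
                         (remote_id, circuit_id, mac)).fetchone()
        if row is None:
            row = db.execute("select ip from pool where switch=? and port=? "
                             "and mac is null order by ip limit 1",
                             (remote_id, circuit_id)).fetchone()
            if row is None:                # pool for this port is exhausted
                db.execute("rollback")
                return None
            cur = db.execute("update pool set mac=? where ip=? and mac is null",
                             (mac, row[0]))
            if cur.rowcount != 1:          # should not happen under the lock
                db.execute("rollback")
                return None
        db.execute("commit")
        return row[0]
    except Exception:
        db.execute("rollback")
        raise
```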
