SoH and DHCP

Francois Gaudreault fgaudreault at inverse.ca
Tue Sep 20 19:15:58 CEST 2011


Hi Phil,

It's been a while since we last received feedback about that SoH and 
DHCP enforcement.  I am just wondering if you have any news about it.

Thanks!

On 11-07-20 2:36 PM, Phil Mayers wrote:
> On 07/20/2011 06:07 PM, Francois Gaudreault wrote:
>> Hi,
>>
>> I am trying to make the SoH statements work using the FreeRADIUS
>> DHCP. However, I have issues getting the SoH values from the NAP client.
>> Maybe someone will be able to help.
>>
>> On the client side, the DHCP NAP policy is set to enabled.
>
> Unfortunately the SoH DHCP code is unlikely to work very well - I 
> didn't quite finish it.
>
> The problem is twofold; first, the SoH payloads are >255 bytes (the 
> max size of a DHCP option) so support for DHCP option "continuation" 
> is needed; this is doubly tedious because Microsoft use a non-standard 
> format for option continuation (main option followed by one or more 
> option 240 IIRC)
>
> The second problem is that the constituent DHCP option(s) are 
> themselves each >253 bytes, which means they are too big to fit inside 
> a VALUE_PAIR structure (which is sized for radius attributes, not DHCP 
> attributes). This means there are two unpalatable choices:
>
>  1. Change the VALUE_PAIR union to include a "char dhcpopt[255]" member
>  2. Decode DHCP options differently based on length; if <= 253, decode 
> into the "octets" member of VALUE_PAIR; if >253, decode into the "tlv" 
> pointer-indirection method. This seems... dirty, since you're 
> basically using the tlv pointer for options of length 254 or 255 only 
> (although you might want to decode option continuation into the same 
> buffer I guess?)
>
> Basically, some code needs adding to the DHCP portion of FreeRADIUS to 
> handle DHCP option continuation, and options >253 bytes, before the 
> SoH code will work with DHCP.
>
> I don't have much time at the moment, but I might see if I can get 
> this working tomorrow.
>
> Cheers,
> Phil


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
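The option-continuation problem Phil describes above, shown as an added example that is not FreeRADIUS code and not part of this thread: a bounds-checked decoder that reassembles one logical option from a DHCP options field, accepting both the standard form (RFC 3396, the same option code repeated) and the Microsoft form Phil mentions (the main option followed by one or more option 240 records). The main option number used here (220) and the constructed 355-byte sample payload are assumptions for the demonstration; the thread does not state the real option number, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP_OPT_PAD   0
#define DHCP_OPT_END   255
#define DHCP_OPT_MAX   255   /* one DHCP option carries at most 255 data bytes */
#define MS_CONT_OPT    240   /* continuation code Phil mentions ("option 240 IIRC") */
#define SAMPLE_MAIN_OPT 220  /* assumption: the real SoH option number is not stated in the thread */

/* Reassemble one logical option from a DHCP options field into `out`.
 * Every occurrence of `code` is appended (RFC 3396 style), and an occurrence of
 * `cont_code` directly following `code` or another continuation is appended too
 * (Microsoft style). Returns bytes written, 0 if the option is absent, or -1 when
 * an option length overruns the buffer or `out` is too small. Never reads past
 * `optlen`, which is the check a NAS-facing decoder must make on client input. */
long dhcp_reassemble_option(const uint8_t *opts, size_t optlen,
                            uint8_t code, uint8_t cont_code,
                            uint8_t *out, size_t outcap)
{
    size_t i = 0, total = 0;
    int in_run = 0, found = 0;   /* in_run: previous option belonged to this logical option */

    while (i < optlen) {
        uint8_t c = opts[i++];
        if (c == DHCP_OPT_END) break;
        if (c == DHCP_OPT_PAD) continue;
        if (i >= optlen) return -1;         /* option code with no length byte */
        size_t len = opts[i++];
        if (len > optlen - i) return -1;    /* declared length runs past the buffer */

        int take = (c == code) || (c == cont_code && in_run);
        if (c == code) found = 1;
        if (take) {
            if (len > outcap - total) return -1;   /* would overflow the output buffer */
            memcpy(out + total, opts + i, len);
            total += len;
        }
        in_run = take;
        i += len;
    }
    return found ? (long)total : 0;
}

/* Append one option (code, len, data) at `pos`; returns the new offset, 0 on overflow. */
size_t dhcp_put_option(uint8_t *buf, size_t cap, size_t pos,
                       uint8_t code, const uint8_t *data, size_t len)
{
    if (len > DHCP_OPT_MAX || pos + 2 + len > cap) return 0;
    buf[pos] = code;
    buf[pos + 1] = (uint8_t)len;
    memcpy(buf + pos + 2, data, len);
    return pos + 2 + len;
}

/* Constructed sample: a DHCPINFORM message-type option, then a `plen`-byte
 * payload split Microsoft-style into SAMPLE_MAIN_OPT (255 bytes) followed by
 * option 240 records for the remainder. Returns total options length, 0 on error. */
size_t build_sample_options(uint8_t *buf, size_t cap, uint8_t *payload, size_t plen)
{
    for (size_t k = 0; k < plen; k++) payload[k] = (uint8_t)(k * 7);
    uint8_t mtype = 8;   /* DHCPINFORM, the message NAP clients use to carry SoH */
    size_t pos = dhcp_put_option(buf, cap, 0, 53, &mtype, 1);
    size_t first = plen < DHCP_OPT_MAX ? plen : DHCP_OPT_MAX;
    if (pos) pos = dhcp_put_option(buf, cap, pos, SAMPLE_MAIN_OPT, payload, first);
    for (size_t off = first; pos && off < plen; ) {
        size_t chunk = plen - off < DHCP_OPT_MAX ? plen - off : DHCP_OPT_MAX;
        pos = dhcp_put_option(buf, cap, pos, MS_CONT_OPT, payload + off, chunk);
        off += chunk;
    }
    if (pos == 0 || pos >= cap) return 0;
    buf[pos++] = DHCP_OPT_END;
    return pos;
}

/* 1 if a 355-byte payload (too big for one option, and for a 253-byte attribute
 * buffer) survives the split/reassemble round trip byte for byte. */
int soh_roundtrip_ok(void)
{
    uint8_t payload[355], out[512], opts[600];
    size_t n = build_sample_options(opts, sizeof opts, payload, sizeof payload);
    if (n == 0) return 0;
    long got = dhcp_reassemble_option(opts, n, SAMPLE_MAIN_OPT, MS_CONT_OPT, out, sizeof out);
    return got == (long)sizeof payload && memcmp(out, payload, sizeof payload) == 0;
}

/* 1 if an options field cut off inside the main option is rejected with -1. */
int truncated_rejected(void)
{
    uint8_t payload[355], out[512], opts[600];
    size_t n = build_sample_options(opts, sizeof opts, payload, sizeof payload);
    return n && dhcp_reassemble_option(opts, n / 2, SAMPLE_MAIN_OPT, MS_CONT_OPT,
                                       out, sizeof out) == -1;
}

int main(void)
{
    printf("round trip: %s\n", soh_roundtrip_ok() ? "ok" : "FAILED");
    printf("truncated input rejected: %s\n", truncated_rejected() ? "ok" : "FAILED");
    return 0;
}
```

The reassembled payload here is 355 bytes, which is exactly why the fixed-size attribute buffer Phil mentions (sized for 253-byte RADIUS attributes) cannot hold it: the decoder needs either a larger union member or a separately allocated buffer that the continuation records are appended into.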
