FreeRADIUS DHCP service vs IP users control

Robert Franklin rcf34 at cam.ac.uk
Tue Apr 15 09:28:04 CEST 2014


On 15 Apr 2014, at 02:16, Alan DeKok <aland at deployingradius.com> wrote:

>> Whilst my ISP experience suggests the enforcement of DHCP-only clients
>> belongs to the hardware side, since FreeRadius also implements the DHCP
>> service, I am curious whether someone managed to enforce this via
>> FreeRadius configurations.
> 
>  You can't enforce anything with DHCP.  Like RADIUS, it just advises
> the NAS.  If the NAS (or the user) ignores DHCP or RADIUS, there's very
> little you can do on the server.

Most modern network switches will support the enforcement of DHCP with a combination of (Cisco/HP parlance):

* "DHCP Snooping" - where the switch listens to DHCP packets going back and forth and knows which IP addresses have been assigned to which MAC addresses, on which ports.  It also blocks the DHCP server -> client traffic from coming FROM edge ports and client -> server TO edge ports, so prevents a rogue DHCP server from operating.

* "ARP Protection/Inspection" - the switch blocks ARP replies for MAC/IP pairs where DHCP Snooping hasn't seen a matching assignment: this stops a host responding to an ARP request for an IP address it is not entitled to use (and therefore it can't receive traffic for another IP address).

* "IP Source Guard" - the switch blocks traffic from IP address / port combinations which haven't been seen to be assigned by DHCP.

In all of these, you nominate inter-switch (uplink/downlink) ports as "trusted" ports where these policies are not applied.


Wireless systems can often apply such policies, too: Aruba wrap all this up under a single "enforce-dhcp" option.


>  What you *can* do is use RADIUS accounting packets to double-check
> users IP addresses.  If the address in the accounting packet was *not*
> assigned by DHCP, then you can do something.  Complain, issue email, etc.

Doing this as well is a good idea.


None of this works with IPv6 - there are different worms there.

  - Bob


-- 
Bob Franklin   rcf34 at cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge
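The accounting cross-check suggested above (compare the IP address a NAS reports in RADIUS accounting with what DHCP actually handed out) is easy to script. The following is an added example written for this page, not code from the thread or from FreeRADIUS. It assumes two CSV-style exports that a site would produce itself: a DHCP lease or snooping-binding table (MAC, IP, lease start, lease end) and a list of accounting records (timestamp, User-Name, Calling-Station-Id, Framed-IP-Address). Both inputs below are constructed sample data, and the column layout, the verdict names and the function names are assumptions of this example. It normalises the various MAC address spellings NASes use and distinguishes the cases a practitioner wants to tell apart: an address DHCP never issued to that client, an address that was issued but whose lease had already expired, and a record with no Framed-IP-Address at all.

```python
"""Flag RADIUS accounting records whose Framed-IP-Address was not assigned by DHCP.

Added example for the FreeRADIUS-Users thread above; not part of FreeRADIUS.
Input formats, verdict names and function names are assumptions of this example.
"""
import re
from datetime import datetime, timezone

# Constructed sample DHCP lease / snooping-binding export (mac, ip, lease_start, lease_end).
DHCP_LEASES = """\
# mac,ip,lease_start,lease_end
00:11:22:33:44:55,10.1.20.15,2014-04-15T08:00:00Z,2014-04-15T20:00:00Z
00:11:22:33:44:66,10.1.20.16,2014-04-15T08:05:00Z,2014-04-15T20:05:00Z
00:11:22:33:44:77,10.1.20.17,2014-04-14T08:00:00Z,2014-04-14T20:00:00Z
"""

# Constructed sample accounting export (timestamp, User-Name, Calling-Station-Id, Framed-IP-Address).
ACCT_RECORDS = """\
# timestamp,user,calling_station_id,framed_ip
2014-04-15T09:00:00Z,rcf34,00-11-22-33-44-55,10.1.20.15
2014-04-15T09:01:00Z,alice,00-11-22-33-44-66,10.1.20.99
2014-04-15T09:02:00Z,bob,0011.2233.4477,10.1.20.17
2014-04-15T09:03:00Z,carol,00:11:22:33:44:88,10.1.20.40
2014-04-15T09:04:00Z,dave,00-11-22-33-44-55,
"""


def normalize_mac(raw: str) -> str:
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff.

    NASes report Calling-Station-Id as 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455; DHCP servers usually log aa:bb:cc:dd:ee:ff. Compare one form.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z (works on Python < 3.11 too)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _rows(text: str):
    """Yield comma-split, stripped fields, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield [f.strip() for f in line.split(",")]


def parse_leases(text: str) -> dict:
    """Map normalised MAC -> list of (ip, lease_start, lease_end)."""
    leases: dict = {}
    for mac, ip, start, end in _rows(text):
        leases.setdefault(normalize_mac(mac), []).append((ip, parse_ts(start), parse_ts(end)))
    return leases


def parse_acct(text: str) -> list:
    """Return accounting records as dicts; an empty Framed-IP-Address becomes None."""
    return [
        {"ts": parse_ts(ts), "user": user, "mac": normalize_mac(csid), "ip": ip or None}
        for ts, user, csid, ip in _rows(text)
    ]


def check_record(rec: dict, leases: dict) -> str:
    """Classify one accounting record against the lease table."""
    if rec["ip"] is None:
        return "no-framed-ip"        # NAS reported no address; nothing to verify
    candidates = leases.get(rec["mac"])
    if not candidates:
        return "no-lease-for-mac"    # DHCP never issued anything to this client
    same_ip = [(s, e) for ip, s, e in candidates if ip == rec["ip"]]
    if not same_ip:
        return "ip-mismatch"         # static address, or an address leased to someone else
    if any(s <= rec["ts"] <= e for s, e in same_ip):
        return "ok"
    return "lease-expired"           # right address, but the lease no longer covered this time


def audit(leases_text: str, acct_text: str) -> list:
    """Return (user, mac, ip, verdict) for every accounting record."""
    leases = parse_leases(leases_text)
    return [(r["user"], r["mac"], r["ip"], check_record(r, leases)) for r in parse_acct(acct_text)]


def violations(leases_text: str = DHCP_LEASES, acct_text: str = ACCT_RECORDS) -> list:
    """Only the records an operator would want to complain about."""
    return [row for row in audit(leases_text, acct_text) if row[3] != "ok"]


if __name__ == "__main__":
    for user, mac, ip, verdict in audit(DHCP_LEASES, ACCT_RECORDS):
        print(f"{verdict:16} {user:8} {mac} {ip or '-'}")
```

Run against the sample data, only rcf34 comes out "ok"; alice is using an address DHCP gave to a different client, bob's lease had expired, carol's MAC never obtained a lease and dave's NAS sent no Framed-IP-Address. In practice the lease table would come from the DHCP server's lease file or the switches' snooping bindings, and the verdicts would feed whatever action the site chooses (log, e-mail, or a CoA/Disconnect).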


