DHCP server failing to add ARP entry?

Alan DeKok aland at deployingradius.com
Mon Nov 7 01:40:45 CET 2016


On Nov 6, 2016, at 6:26 PM, Toby Walsh <walshtj at gmail.com> wrote:
> 
> Thanks Alan.
> 
> So given you've established I'm on Linux I'm sure I'm trying to set up
> a fairly vanilla configuration from that perspective: Freeradius with
> mysql and DHCP? Surely there are many, many others who have this
> successfully working. My network configuration looks like this:

  It should work.  Many others use it.

> At the stage of failure to write the ARP entry, the device has
> requested an IP via DHCP. It's passed successfully down the chain to
> FR but for whatever reason hits a branch of dhcpd.c where something is
> wrong and it fails.

  To be clear: FreeRADIUS asks for the ARP table to be updated, and the OS returns "no".

  The solution is to fix the OS so that it believes FreeRADIUS has the permission to make this change.

> It seems when I try to mess directly with arp from
> the command line it's difficult to trigger "operation not permitted"
> besides trying to interact with it with insufficient privileges. But
> I'm wondering if it is possible that some of the parameters passed to
> fr_dhcp_add_arp_entry are incorrect in such a way as to trigger a
> permission error?

  Maybe.  It's unlikely, unless the Linux people changed the way their API works.

> It seems FR does all I need in theory, I'm just struggling to set it
> up correctly.

  You're struggling to convince the OS to let FreeRADIUS do its work.  FreeRADIUS itself is working fine.

  When you're driving a car, you don't try to fix the gas gauge when it reads "empty".  You put gas in the tank.

  i.e. the error from FreeRADIUS is a side effect.  The real problem is the OS.

> The big question I guess is your comment about virtual switches -
> maybe that actually is causing me problems with (i). But given my
> complete lack of networking knowledge I would not at all be surprised
> that I've just configured my DHCP server incorrectly (source IP,
> router address, server address, subnet mask, whatever).

  Virtual switches are fine for sending normal traffic between VMs or containers.  Doing anything more complex is likely to not work.

  Alan DeKok.
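
Added example, not part of the original message and not FreeRADIUS code: on Linux, setting an ARP entry requires CAP_NET_ADMIN (see arp(7)), so this C program checks a process's effective capability set and then makes the same kind of request to the kernel to show the errno that comes back. It assumes the update is made with the SIOCSARP ioctl; the names has_net_admin and try_add_arp, the default interface eth0, and the IP and MAC values are constructed for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <net/if_arp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_ADMIN_BIT 12 /* value of CAP_NET_ADMIN in <linux/capability.h> */

/* Added example: 1 if CapEff in /proc/<pid>/status text has CAP_NET_ADMIN, 0 if not, -1 if absent. */
int has_net_admin(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL) return -1;
    return (int)((strtoull(p + 7, NULL, 16) >> CAP_NET_ADMIN_BIT) & 1ULL);
}

/* Ask the kernel for a static ARP entry; returns 0 or errno (EPERM = "Operation not permitted"). */
int try_add_arp(const char *ifname, const char *ip, const unsigned char mac[6])
{
    struct arpreq req;
    struct sockaddr_in *sin = (struct sockaddr_in *)&req.arp_pa;
    int rc = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    memset(&req, 0, sizeof(req));
    sin->sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin->sin_addr) != 1) rc = EINVAL;
    req.arp_ha.sa_family = ARPHRD_ETHER;
    memcpy(req.arp_ha.sa_data, mac, 6);
    req.arp_flags = ATF_COM;
    strncpy(req.arp_dev, ifname, sizeof(req.arp_dev) - 1);
    if (rc == 0 && ioctl(fd, SIOCSARP, &req) < 0) rc = errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const unsigned char mac[6] = {0x02, 0, 0, 0, 0, 0x01}; /* constructed sample MAC */
    char buf[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0'; fclose(f); }
    printf("CAP_NET_ADMIN effective: %d\n", has_net_admin(buf));
    int rc = try_add_arp(argc > 1 ? argv[1] : "eth0", "192.0.2.10", mac);
    printf("SIOCSARP: %s\n", rc ? strerror(rc) : "ok");
    return rc != 0;
}
```

Run it as the same user, and inside the same container or service unit, as the DHCP server; a 0 on the first line together with "Operation not permitted" on the second points at the process's privileges rather than at the request parameters.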



