FreeRADIUS 3 DHCP server with SQL and 'anti-DoS' protection, how?

Kamil de Bardon kamil at forweb.pl
Tue Jun 25 17:11:51 CEST 2019


Hello, I have configured FreeRADIUS to be a unicast DHCP server working 
with a Cisco ASR.


client --> cisco relay -> freeradius

My configuration is:

dhcp DHCP-Discover {

   if ( "%{mms: ${..ip_query}}" ) {

     update reply {
           DHCP-Message-Type = DHCP-Offer
     }

     update reply {
       &DHCP-Your-IP-Address       =  "%{mms: ${....ip_query}      }"
       &DHCP-Subnet-Mask           =  "%{mms: ${....mask_query}    }"
       &DHCP-Router-Address        =  "%{mms: ${....gw_query}      }"
       &DHCP-Domain-Name-Server    =  "%{mms: ${....ns1_query}     }"
       &DHCP-Domain-Name-Server    += "%{mms: ${....ns2_query}     }"
       &DHCP-IP-Address-Lease-Time =  _DHCP_LEASE_TIME_
     }

     ok

   }

   else {

     update reply {
            &DHCP-Message-Type = DHCP-Do-Not-Respond
     }

     reject
   }
}

dhcp DHCP-Request {

   update reply {
          &DHCP-Message-Type = DHCP-Ack
   }

   update reply {
     &DHCP-Your-IP-Address       =  "%{mms: ${...ip_query} }"
     &DHCP-Subnet-Mask           =  "%{mms: ${...mask_query} }"
     &DHCP-Router-Address        =  "%{mms: ${...gw_query} }"
     &DHCP-Domain-Name-Server    =  "%{mms: ${...ns1_query} }"
     &DHCP-Domain-Name-Server    += "%{mms: ${...ns2_query} }"
     &DHCP-IP-Address-Lease-Time =  _DHCP_LEASE_TIME_
   }

   ok
}

This is working, but my concern is that if a client's MAC address is not in 
the database, the DHCP client will send DHCP discoveries all the time, and 
one discovery = one SQL query.

Is there any way to prevent that? Some cache or so?


Thanks for help.
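
One way to do the caching asked about above, as an added example that is not part of the original post or the FreeRADIUS project's shipped configuration: a negative cache using the v3 cache module (rlm_cache) that remembers MACs which missed in SQL. The instance name dhcp_unknown_mac, the 60-second TTL and the Tmp-String-0 marker are assumptions; the mms queries and _DHCP_LEASE_TIME_ are taken from the post as-is.

```conf
# Added example; instance name, TTL and marker attribute are assumptions.
# --- mods-enabled/dhcp_unknown_mac ---
cache dhcp_unknown_mac {
	driver = "rlm_cache_rbtree"
	# One entry per client hardware address
	key = "%{DHCP-Client-Hardware-Address}"
	# How long an unknown MAC is ignored before SQL is asked again
	ttl = 60
	add_stats = no
	# Only the existence of the entry matters; store a marker value
	update {
		&control:Tmp-String-0 := "unknown-mac"
	}
}

# --- DHCP virtual server ---
dhcp DHCP-Discover {
	# Lookup only: returns "ok" on a hit, "notfound" on a miss,
	# and never creates an entry. The module removes this control
	# attribute again after it has run.
	update control {
		&Cache-Status-Only := 'yes'
	}
	dhcp_unknown_mac
	if (ok) {
		# MAC missed in SQL within the last ttl seconds: no query
		update reply {
			&DHCP-Message-Type = DHCP-Do-Not-Respond
		}
		reject
	}
	elsif ( "%{mms: ${..ip_query}}" ) {
		update reply {
			&DHCP-Message-Type          =  DHCP-Offer
			&DHCP-Your-IP-Address       =  "%{mms: ${....ip_query}      }"
			&DHCP-Subnet-Mask           =  "%{mms: ${....mask_query}    }"
			&DHCP-Router-Address        =  "%{mms: ${....gw_query}      }"
			&DHCP-Domain-Name-Server    =  "%{mms: ${....ns1_query}     }"
			&DHCP-Domain-Name-Server    += "%{mms: ${....ns2_query}     }"
			&DHCP-IP-Address-Lease-Time =  _DHCP_LEASE_TIME_
		}
		ok
	}
	else {
		# SQL miss: this call (no Cache-Status-Only) creates the entry
		dhcp_unknown_mac
		update reply {
			&DHCP-Message-Type = DHCP-Do-Not-Respond
		}
		reject
	}
}
```

A MAC added to the database only starts receiving offers once its cached entry has expired, so the TTL is also the provisioning delay. The cache bounds repeated queries per MAC; each distinct unknown MAC still costs one SQL query per TTL period.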
