DHCP code in 2.0.4+

Alexander Clouter alex at digriz.org.uk
Sun Jun 7 19:26:53 CEST 2009


Fajar A. Nugraha <fajar at fajar.net> wrote:
> On Sun, Jun 7, 2009 at 8:09 PM, Arran
> Cudbard-Bell<a.cudbard-bell at sussex.ac.uk> wrote:
>> Karl Auer wrote:
>>> On Sun, 2009-06-07 at 12:22 +0100, Alexander Clouter wrote:
>>>
>>>> I have been using DHCP with a LDAP patch that is getting harder and
>>>> harder to maintain.  FreeRADIUS can pretty much do the same, I get to
>>>> keep my LDAP policy schema stuff (and write an unlang glue to use it) and
>>>> you get proper DHCP load-balancing/failover.
>>>>
>>>
>>> DHCP failover and load-balancing are not simple *at all*.
>>>
>> They're trivial once you're storing leases in a transactional database.
> 
> Can freeradius also detect "rogue" clients which use static IP
> addresses? If yes, this could be THE dhcp server I'm looking for.
>
As already said, *nothing* can.  Instead of arp'ing, which needs to be 
done on the local subnet, you can be clever with FreeRADIUS as you can 
use an external script to fire off an SNMP request to match the ARP 
tables of your switching infrastructure.

You could replace the SNMP with ICMP echo lovin' though.

> Last I checked ISC's DHCP tries ping first, but newer Windows (with icmp
> echo disabled by default) makes it somewhat less useful.
> 
The better way to do this is get your network infrastructure to enforce 
this.  Even really old Cisco switches support DHCP snooping, I 
understand HP and other venduh's have their own similar thing.

http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf

Cheers

-- 
Alexander Clouter
.sigmonster says: Faster, faster, you fool, you fool!
                  		-- Bill Cosby
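The reconciliation step the reply above describes (pull the switches' ARP tables over SNMP and compare them against what the DHCP server actually leased) as an added example; this is not code from the thread or from FreeRADIUS. The SNMP walk itself is assumed to have been done already: the input is constructed sample text shaped like net-snmp's `snmpwalk` output for `IP-MIB::ipNetToMediaPhysAddress` (index is ifIndex.ipAddress), and the lease table is a constructed dict standing in for whatever the DHCP server's lease store returns. Addresses, MACs and ifIndex values are made up.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: what an snmpwalk of IP-MIB::ipNetToMediaPhysAddress on an
# access switch might print. The index is ifIndex.ipAddress. Not real data.
SAMPLE_SNMP_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.12.10.10.0.1 = STRING: 0:1a:2b:3c:4d:1
IP-MIB::ipNetToMediaPhysAddress.12.10.10.0.20 = STRING: 0:1a:2b:3c:4d:20
IP-MIB::ipNetToMediaPhysAddress.12.10.10.0.21 = STRING: 0:1a:2b:3c:4d:21
IP-MIB::ipNetToMediaPhysAddress.12.10.10.0.50 = STRING: 0:1a:2b:3c:4d:50
IP-MIB::ipNetToMediaPhysAddress.12.10.10.0.77 = STRING: 0:1a:2b:3c:4d:77
IP-MIB::ipNetToMediaPhysAddress.13.192.168.5.9 = STRING: 0:1a:2b:3c:4d:99
"""

# Constructed sample: active leases as the DHCP server's lease store holds them
# (ip -> MAC). MAC formats are deliberately mixed to exercise normalisation.
SAMPLE_LEASES = {
    "10.10.0.20": "00-1A-2B-3C-4D-20",
    "10.10.0.21": "00:1a:2b:3c:4d:22",   # lease holder differs from what ARP shows
    "10.10.0.50": "001a.2b3c.4d50",
}

MANAGED_SCOPE = ip_network("10.10.0.0/24")          # the DHCP-managed subnet
INFRASTRUCTURE = {ip_address("10.10.0.1")}          # gateway: static by design

WALK_RE = re.compile(
    r"ipNetToMediaPhysAddress\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*STRING:\s*(\S+)"
)


def normalise_mac(raw):
    """Return a MAC as 12 lowercase hex digits.

    Accepts net-snmp's unpadded a:b:c:d:e:f, the common aa-bb-cc-dd-ee-ff and
    aa:bb:cc:dd:ee:ff forms, and Cisco-style aabb.ccdd.eeff.
    """
    if raw.count(".") == 2:
        return raw.replace(".", "").lower()
    parts = re.split(r"[:-]", raw)
    if len(parts) != 6:
        raise ValueError(f"unrecognised MAC format: {raw!r}")
    return "".join(f"{int(p, 16):02x}" for p in parts)


def parse_snmp_walk(text):
    """Return [(ifindex, IPv4Address, normalised_mac), ...] from walk output."""
    entries = []
    for line in text.splitlines():
        m = WALK_RE.search(line)
        if not m:
            continue   # ignore anything that is not an ARP row
        entries.append((int(m.group(1)), ip_address(m.group(2)), normalise_mac(m.group(3))))
    return entries


def reconcile(arp_entries, leases, scope, infrastructure=frozenset()):
    """Classify every ARP entry inside `scope` against the lease table.

    unleased     - address is live on the wire but the DHCP server never issued it
    mac_mismatch - address is leased, but to a different MAC than the one using it
    leased       - address and MAC agree with the lease table
    Known-static infrastructure addresses are skipped rather than reported.
    """
    lease_by_ip = {ip_address(ip): normalise_mac(mac) for ip, mac in leases.items()}
    report = {"leased": [], "mac_mismatch": [], "unleased": []}
    for ifindex, ip, mac in arp_entries:
        if ip not in scope or ip in infrastructure:
            continue
        leased_mac = lease_by_ip.get(ip)
        if leased_mac is None:
            report["unleased"].append((str(ip), mac, ifindex))
        elif leased_mac != mac:
            report["mac_mismatch"].append((str(ip), mac, leased_mac, ifindex))
        else:
            report["leased"].append((str(ip), mac, ifindex))
    return report


def run_sample():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_snmp_walk(SAMPLE_SNMP_WALK), SAMPLE_LEASES,
                     MANAGED_SCOPE, INFRASTRUCTURE)


if __name__ == "__main__":
    rep = run_sample()
    for kind in ("unleased", "mac_mismatch"):
        for row in rep[kind]:
            print(kind, *row)
```

The ifIndex is carried through on purpose: once an unleased address is flagged, the same SNMP session can be used to map that ifIndex to a port name, which is what you need to act on the finding. The scope filter matters as well, since the switch will hold ARP rows for subnets the DHCP server does not manage, and those would otherwise all show up as "unleased".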