DHCP code in 2.0.4+

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Sun Jun 7 23:00:13 CEST 2009


Alexander Clouter wrote:
> Fajar A. Nugraha <fajar at fajar.net> wrote:
>   
>> On Sun, Jun 7, 2009 at 8:09 PM, Arran
>> Cudbard-Bell<a.cudbard-bell at sussex.ac.uk> wrote:
>>     
>>> Karl Auer wrote:
>>>       
>>>> On Sun, 2009-06-07 at 12:22 +0100, Alexander Clouter wrote:
>>>>
>>>>         
>>>>> I have been using DHCP with a LDAP patch that is getting harder and
>>>>> harder to maintain.  FreeRADIUS can pretty much do the same, I get to
>>>>> keep my LDAP policy schema stuff (and write a unlang glue to use it) and
>>>>> you get proper DHCP load-balancing/failover.
>>>>>
>>>>>           
>>>> DHCP failover and load-balancing are not simple *at all*.
>>>>
>>>>         
>>> They're trivial once you're storing leases in a transactional database.
>>>       
>> Can freeradius also detect "rogue" clients which uses static IP
>> address? If yes, this could be THE dhcp server I'm looking for.
>>
>>     
> As already said, *nothing* can.  Instead of arp'ing, which needs to be 
> done on the local subnet, you can be clever with FreeRADIUS as you can 
> use an external script to fire off an SNMP request to much the ARP 
> tables of your switching infrastructure.
>   
Hmm. Not quite sure what you mean here. I guess if one of your core
routers supported it, you could have it send the ARP requests...

But yeah you're right. Sending requests from the server wouldn't work
for subnets on which the DHCP server was not directly connected.
> You could replace the SNMP with ICMP echo's lovin' though.
>
>   
Yeah just... things block ping. It's not very reliable.
>> Last I check ISC's DHCP tries ping first, but newer Windows (with icmp
>> echo disabled by default) makes it somewhat less useful.
>>
>>     
> The better way to do this is get your network infrastructure to enforce 
> this.  Even really old Cisco switches support DHCP snooping, I 
> understand HP and other venduh's have their own similar thing.
>   
Yes. We have it enabled on most of our smarter L2/3 switches on campus.
Once it's combined with dynamic ARP protection or IP lockdown (like it
can be on the ProCurve switches), then it makes life quite difficult for
those statically assigning IPs.

It's hideously broken on the 2600s though, doesn't process lease
renewals properly. So ATM it's only good for preventing rogue DHCP
servers, and little bits of compliance.

Arran
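The thread's suggestion of reconciling the switches' ARP tables (pulled over SNMP) against the DHCP server's lease table is easy to prototype. The script below is an added example and is not part of the original mail or of FreeRADIUS: it parses net-snmp style `snmpwalk` output of IP-MIB::ipNetToMediaPhysAddress (OID 1.3.6.1.2.1.4.22.1.2, indexed by ifIndex.ipAddress), normalizes the MACs, and flags any address the switch has resolved that either has no lease at all (a likely static assignment) or is leased to a different MAC (a conflict or someone squatting on a leased address). The walk output, the lease table and the whitelist of known static hosts are constructed sample data; how you export leases from your own server is left as an assumption.

```python
import re

# Constructed sample: net-snmp style walk of IP-MIB::ipNetToMediaPhysAddress
# from one L3 switch. net-snmp prints MAC bytes without zero padding.
SAMPLE_ARP_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.3.10.1.2.5 = STRING: 0:1a:2b:3c:4d:5e
IP-MIB::ipNetToMediaPhysAddress.3.10.1.2.7 = STRING: 0:1a:2b:3c:4d:60
IP-MIB::ipNetToMediaPhysAddress.3.10.1.2.200 = STRING: 0:de:ad:be:ef:1
IP-MIB::ipNetToMediaPhysAddress.3.10.1.2.1 = STRING: 0:11:22:33:44:55
"""

# Constructed sample lease table (ip -> mac) as exported from the DHCP server;
# the export format is an assumption, any source that yields this dict will do.
SAMPLE_LEASES = {
    "10.1.2.5": "00:1a:2b:3c:4d:5e",
    "10.1.2.7": "00:1a:2b:3c:4d:61",   # lease holder differs from what the switch sees
}

# Hosts that are legitimately static (gateway, servers): assumed admin-maintained.
KNOWN_STATIC = frozenset({"10.1.2.1"})

_LINE_RE = re.compile(
    r"ipNetToMediaPhysAddress\.(\d+)\.(\d+\.\d+\.\d+\.\d+) = STRING: ([0-9a-fA-F:]+)"
)


def normalize_mac(mac):
    """Pad each byte to two hex digits and lowercase, e.g. '0:1a:..' -> '00:1a:..'."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp_walk(text):
    """Return {ip: mac} from snmpwalk output; lines that do not match are ignored."""
    entries = {}
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            _ifindex, ip, mac = m.groups()
            entries[ip] = normalize_mac(mac)
    return entries


def find_unleased(arp, leases, known_static=frozenset()):
    """Compare switch ARP entries with DHCP leases.

    Returns a sorted list of (ip, mac, reason) for every ARP entry that is
    neither whitelisted nor backed by a lease for the same MAC.
    """
    findings = []
    for ip, mac in arp.items():
        if ip in known_static:
            continue
        lease_mac = leases.get(ip)
        if lease_mac is None:
            findings.append((ip, mac, "no lease"))
        elif lease_mac.lower() != mac:
            findings.append((ip, mac, f"lease held by {lease_mac.lower()}"))
    return sorted(findings)


if __name__ == "__main__":
    arp_table = parse_arp_walk(SAMPLE_ARP_WALK)
    for ip, mac, reason in find_unleased(arp_table, SAMPLE_LEASES, KNOWN_STATIC):
        print(f"{ip:<15} {mac}  {reason}")
```

Two caveats follow directly from the discussion above: an ARP table only holds hosts that have recently talked through that switch, so a quiet static host is missed until it sends traffic, and the walk must be taken from the device that actually does L3 for that subnet. That is why the thread lands on DHCP snooping with dynamic ARP protection or IP lockdown as the control, with a reconciliation like this one serving as a detection on the platforms where snooping is unreliable.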
