Option 82 DHCP Snooping + Freeradius auth of DHCP requests

Alan DeKok aland at deployingradius.com
Thu Nov 25 09:57:00 CET 2010

Denis Iskandarov wrote:
> man you kidding me ?

  Your original message was unclear, vague, and confusing.

> i know that it's not dhcp request. It is DHCP server + Radius binding
> scheme. DHCP server getting request from client and asks RADIUS if this
> client allowed to obtain IP address. DHCP server puts in Username
> Clients mac address.

  It would have been useful to say that in the first message.

> Please somebody knows how to allow MAC auth in Freeradius (i've read
> wiki on freeradius site regarding this)

  The Wiki is correct.  Following it will work.

> I _*already have*_ inserted this username in _*users*_ file as well as
> in *SQL base*.

  Well... read the debug output.  Both "files" and "sql" say that the
user wasn't found.

> 00:0C:42:40:40:38  Agent-Remote-Id   = "0006000ded21a480"

  Read "man users".  This line says "match the User-Name *and* the
Agent-Remote-Id".  Read the debug output.  The Agent-Remote-Id in the
debug output does *not* match that text.  Instead, the packet contains:

   Agent-Remote-Id = "\000\006\000\r\355!\244\200"

  See?  They're different.  That's why the don't match.

> I assume it can't see MAC format of username.


> How should freeradius be able to process username in MAC format ?

  By deleted the "Agent-Remote-Id" line from the "users" file.

> Here is radius debug.... and errors that it can't see username BUT it is
> listed in users and sql

  Yes... with *additional* checks that require a match for
Agent-Remote-Id.  Since that doesn't match, the entry for the "users"
file doesn't match, either.

  The behavior of the "users" file is documented.  The debug output
shows what the server receives.  While there is a lot of text to read,
the answer *is* in the information you have.

  Alan DeKok.

More information about the Freeradius-Users mailing list