SoH and DHCP
Francois Gaudreault
fgaudreault at inverse.ca
Tue Sep 20 19:15:58 CEST 2011
Hi Phil,
It has been a while since we last received feedback about the SoH and
DHCP enforcement. I am just wondering if you have any news about it.
Thanks!
On 11-07-20 2:36 PM, Phil Mayers wrote:
> On 07/20/2011 06:07 PM, Francois Gaudreault wrote:
>> Hi,
>>
>> I am trying to make the SoH statements work using the FreeRADIUS
>> DHCP. However, I have issues getting the SoH values from the NAP client.
>> Maybe someone will be able to help.
>>
>> On the client side, the DHCP NAP policy is set to enabled.
>
> Unfortunately the SoH DHCP code is unlikely to work very well - I
> didn't quite finish it.
>
> The problem is twofold; first, the SoH payloads are >255 bytes (the
> max size of a DHCP option) so support for DHCP option "continuation"
> is needed; this is doubly tedious because Microsoft use a non-standard
> format for option continuation (main option followed by one or more
> option 240 IIRC)
>
> The second problem is that the constituent DHCP option(s) are
> themselves each >253 bytes, which means they are too big to fit inside
> a VALUE_PAIR structure (which is sized for radius attributes, not DHCP
> attributes). This means there are two unpalatable choices:
>
> 1. Change the VALUE_PAIR union to include a "char dhcpopt[255]" member
> 2. Decode DHCP options differently based on length; if <= 253, decode
> into the "octets" member of VALUE_PAIR; if >253, decode into the "tlv"
> pointer-indirection method. This seems... dirty, since you're
> basically using the tlv pointer for options of length 254 or 255 only
> (although you might want to decode option continuation into the same
> buffer I guess?)
>
> Basically, some code needs adding to the DHCP portion of FreeRADIUS to
> handle DHCP option continuation, and options >253 bytes, before the
> SoH code will work with DHCP.
>
> I don't have much time at the moment, but I might see if I can get
> this working tomorrow.
>
> Cheers,
> Phil
--
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
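Phil's two problems above (the one-byte DHCP option length, which forces payloads over 255 bytes to be split and continued, and the need for a reassembly buffer larger than a RADIUS-sized VALUE_PAIR), as an added worked example in C. This is not FreeRADIUS code and is not from either poster: the option code 200 is a placeholder rather than the real SoH code, the 300-byte payload is constructed, and the "main option followed by one or more option 240" layout is modelled from Phil's recollection ("IIRC") rather than from a specification. The RFC 3396 layout (the same code repeated) is handled alongside it so the two can be compared.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Well-known DHCP option codes from RFC 2132. */
#define DHCP_OPT_PAD     0
#define DHCP_OPT_END     255
#define DHCP_OPT_MAXLEN  255   /* one-byte length field: the limit Phil refers to */

/*
 * Encode `payload` as a run of DHCP options, splitting it into fragments of at
 * most DHCP_OPT_MAXLEN bytes. The first fragment carries `code`. If cont_code < 0
 * every further fragment repeats `code` (RFC 3396 style); otherwise further
 * fragments carry `cont_code` (the main-option-then-240 layout Phil describes).
 * Returns bytes written, or -1 if `buf` is too small or the payload is empty.
 */
long dhcp_encode_long_option(uint8_t *buf, size_t buflen, uint8_t code, int cont_code,
                             const uint8_t *payload, size_t plen)
{
    size_t used = 0, off = 0;
    if (plen == 0) return -1;
    while (off < plen) {
        size_t chunk = plen - off;
        if (chunk > DHCP_OPT_MAXLEN) chunk = DHCP_OPT_MAXLEN;
        if (used + 2 + chunk > buflen) return -1;
        buf[used++] = (off == 0 || cont_code < 0) ? code : (uint8_t)cont_code;
        buf[used++] = (uint8_t)chunk;
        memcpy(buf + used, payload + off, chunk);
        used += chunk;
        off  += chunk;
    }
    return (long)used;
}

/*
 * Walk a DHCP options area and reassemble option `code`, appending later
 * fragments that carry `code` again (RFC 3396) or `cont_code` (if >= 0).
 * Every length byte is checked against the buffer before it is trusted.
 * Returns the reassembled length, 0 if the option is absent, or -1 if the
 * input is malformed or `out` is too small (refuse rather than truncate).
 */
long dhcp_reassemble_option(const uint8_t *opts, size_t len, uint8_t code, int cont_code,
                            uint8_t *out, size_t outlen)
{
    size_t i = 0, total = 0;
    int seen_main = 0;

    while (i < len) {
        uint8_t c = opts[i];
        if (c == DHCP_OPT_PAD) { i++; continue; }
        if (c == DHCP_OPT_END) break;
        if (i + 2 > len) return -1;                 /* truncated option header */
        size_t l = opts[i + 1];
        if (i + 2 + l > len) return -1;             /* length byte runs past the buffer */
        const uint8_t *data = opts + i + 2;

        int is_main = (c == code);
        int is_cont = (cont_code >= 0 && c == (uint8_t)cont_code);
        if (is_main || is_cont) {
            if (is_cont && !seen_main) return -1;   /* continuation with nothing to continue */
            if (total + l > outlen) return -1;      /* this is where a 253-byte buffer would bite */
            memcpy(out + total, data, l);
            total += l;
            seen_main = 1;
        }
        i += 2 + l;
    }
    return (long)total;
}

#define DEMO_PLEN 300   /* constructed payload, long enough to need two fragments */
#define DEMO_CODE 200   /* placeholder option code, not the real SoH code */
#define DEMO_CONT 240   /* continuation code as Phil recalls it ("IIRC") */

/* Round trip: encode a 300-byte constructed payload, embed it after an
 * unrelated option, reassemble it. Returns 1 on a byte-exact match. */
int demo_roundtrip(int cont_code)
{
    uint8_t payload[DEMO_PLEN], opts[512], out[512];
    size_t n = 0, k;
    for (k = 0; k < DEMO_PLEN; k++) payload[k] = (uint8_t)(k * 7 + 3);

    opts[n++] = 53; opts[n++] = 1; opts[n++] = 1;   /* DHCP message type = DISCOVER, RFC 2132 */
    long w = dhcp_encode_long_option(opts + n, sizeof opts - n, DEMO_CODE, cont_code, payload, DEMO_PLEN);
    if (w < 0) return 0;
    n += (size_t)w;
    opts[n++] = DHCP_OPT_END;

    long r = dhcp_reassemble_option(opts, n, DEMO_CODE, cont_code, out, sizeof out);
    return r == DEMO_PLEN && memcmp(out, payload, DEMO_PLEN) == 0;
}

/* A length byte that overruns the options area must be rejected, not read. */
int demo_truncated_is_rejected(void)
{
    uint8_t bad[] = { DEMO_CODE, 200, 1, 2, 3 };   /* claims 200 bytes, only 3 present */
    uint8_t out[256];
    return dhcp_reassemble_option(bad, sizeof bad, DEMO_CODE, DEMO_CONT, out, sizeof out) == -1;
}

int main(void)
{
    printf("main+240 layout round trip: %s\n", demo_roundtrip(DEMO_CONT) ? "ok" : "FAIL");
    printf("RFC 3396 layout round trip:  %s\n", demo_roundtrip(-1) ? "ok" : "FAIL");
    printf("truncated option rejected:   %s\n", demo_truncated_is_rejected() ? "ok" : "FAIL");
    return 0;
}
```

The reassembly function returns -1 in three cases a decoder must not paper over: a length byte pointing past the end of the options area, a continuation fragment with no preceding main option, and an output buffer too small for the concatenated payload. The last case is the practical form of Phil's second problem: if the destination were a 253-byte "octets" member, a 300-byte SoH would be refused here rather than silently cut short or written past the end.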