FreeRadius DHCP against LDAP
Alan DeKok
aland at deployingradius.com
Sat Aug 31 16:27:50 CEST 2013
Nikolaos Milas wrote:
> Sorry, I don't know really what a "pull request" is, but googling info
> makes me think it means I can submit a proposal for schema changes? If
> so, I might, after I become a bit acquainted with the DHCP FreeRadius
> component (and to DHCP in general).
A "pull request" means submitting patches via github.com.
> In the meantime, I've also found that I should be able to set an IP
> Address to a host (connecting through our Cisco 2950/2960 switches) when
> doing dot1x/MAB authentication (against FreeRadius), using the
> "Framed-IP-Address" attribute in the reply (and I've also set
> "radius-server attribute 8 include-in-access-req" as Cisco advises here:
> http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html).
That's only for PPP.
> I tried it but the NAS doesn't seem to try to push to the authorized
> host the IP Address (yet the host already had a static IP address).
> Should the host (Win Vista in this test case) specify "Obtain an IP
> Address automatically"? Would this functionality work without using the
> FreeRadius Server DHCP component?
"Obtain an IP Address automatically" means "use DHCP".
> Also, assuming that the authorized (using MAB) host already has a
> (manually or otherwise preconfigured) static IP address, is there a
> way FreeRadius can know which that is, so it can reject the host during
> reauth if that IP Address is different than the one specified in the
> host's LDAP entry?
Only if the NAS does Accounting packets which contain the
Framed-IP-Address attribute.
Alan DeKok.