FreeRadius DHCP against LDAP

Alan DeKok aland at deployingradius.com
Sat Aug 31 16:27:50 CEST 2013


Nikolaos Milas wrote:
> Sorry, I don't really know what a "pull request" is, but googling info
> makes me think it means I can submit a proposal for schema changes? If
> so, I might, after I become a bit acquainted with the DHCP FreeRadius
> component (and with DHCP in general).

  A "pull request" means submitting patches via github.com.

> In the meantime, I've also found that I should be able to set an IP
> Address to a host (connecting through our Cisco 2950/2960 switches) when
> doing dot1x/MAB authentication (against FreeRadius), using the
> "Framed-IP-Address" attribute in the reply (and I've also set
> "radius-server attribute 8 include-in-access-req" as Cisco advises here:
> http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html).

  That's only for PPP.

> I tried it but the NAS doesn't seem to try to push to the authorized
> host the IP Address (yet the host already had a static IP address).
> Should the host (Win Vista in this test case) specify "Obtain an IP
> Address automatically"? Would this functionality work without using the
> FreeRadius Server DHCP component?

  "Obtain an IP Address automatically" means "use DHCP".

> Also, assuming that the authorized (using MAB) host already has a
> (manually -or otherwise- preconfigured) static IP address, is there a
> way FreeRadius can know which that is, so it can reject the host during
> reauth if that IP Address is different than the one specified in the
> host's LDAP entry?

  Only if the NAS does Accounting packets which contain the
Framed-IP-Address attribute.

  Alan DeKok.


More information about the Freeradius-Users mailing list