FreeRadius DHCP against LDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Aug 31 16:49:12 CEST 2013


On 31 Aug 2013, at 13:49, Nikolaos Milas <nmilas at noa.gr> wrote:

> On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:
> 
>>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
>> Yes.
>> 
>>> 2. If so, is there a planned freeradius ldap schema change (in future versions) to include DHCP-* attributes?
>> No.  But you're welcome to submit a pull request.
> 
> Thanks Arran for your answers.
> 
> Sorry, I don't really know what a "pull request" is, but googling for info makes me think it means I can submit a proposal for schema changes?

Yes.

> If so, I might, after I become a bit acquainted with the DHCP FreeRadius component (and with DHCP in general).

OK.

> In the meantime, I've also found that I should be able to set an IP Address to a host (connecting through our Cisco 2950/2960 switches) when doing dot1x/MAB authentication (against FreeRadius), using the "Framed-IP-Address" attribute in the reply (and I've also set "radius-server attribute 8 include-in-access-req" as Cisco advises here: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html). 

No.

> I tried it, but the NAS doesn't seem to try to push the IP Address to the authorized host (yet the host already had a static IP address). Should the host (Win Vista in this test case) specify "Obtain an IP Address automatically"? Would this functionality work without using the FreeRadius Server DHCP component?

No. It's for things like PPP tunnels, not for 802.1X and Mac-Auth authentication.

> Also, assuming that the authorized (using MAB) host has already a (manually -or otherwise- preconfigured) static IP address, is there a way FreeRadius can know which that is, so it can reject the host during reauth if that IP Address is different than the one specified in the host's LDAP entry?

No.

With wired/wireless 802.1X/Mac-Auth, authentication is performed first. Before authentication occurs, all traffic (other than EAPOL frames and wireless management frames) is blocked by the NAS. Once authentication completes, the client uses DHCP to acquire an IP address.

Some NAS may offer a feature to inspect the SRC IP address of incoming frames after authentication completes.  It may then include that value in Accounting data which is sent after authentication completes.

The RADIUS server could then in theory use a PoD (RADIUS Packet of Disconnect) or SNMP to disconnect the client from the NAS if it determined the client was using the incorrect IP address when it received one of those accounting packets. FreeRADIUS itself does not offer any user-triggerable events.

For this it's sometimes better to use a quarantine VLAN and change that using SNMP, CoA, the Session-Timeout attribute, or PoD, once you're sure the client has the right IP.

There is no out of the box solution for this.  But FreeRADIUS does provide all the functionality you need.  You just need to tie it all together.

The solution you choose depends on your clients, your NAS, and the strictness of your policies.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
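The accounting-driven check Arran sketches above (compare the IP the NAS reports against the directory entry, then send a Packet of Disconnect if they differ) worked through as an added example. This is not code from the thread and not part of FreeRADIUS; it follows the RADIUS packet layout of RFC 2866 (Accounting-Request) and RFC 5176 (Disconnect-Request, code 40), and assumes the NAS carries the observed source IP in Framed-IP-Address, which the thread only says "some NAS may" do. The `EXPECTED_IP` dictionary, the `testing123` secret and the session IDs are constructed stand-ins; a real deployment would query LDAP for the expected address and send the returned bytes to the NAS's CoA/PoD listener (UDP 3799 by default in RFC 5176).

```python
import hashlib
import ipaddress
import struct

# Constructed stand-in for the LDAP directory: User-Name (the MAC, as sent in MAB)
# -> expected static IP. The real attribute name is site-specific and not assumed here.
EXPECTED_IP = {
    "00-11-22-33-44-55": "192.0.2.10",
    "66-77-88-99-aa-bb": "192.0.2.20",
}

ACCOUNTING_REQUEST = 4
DISCONNECT_REQUEST = 40            # RFC 5176 "Packet of Disconnect"
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_SESSION_ID = 44


def request_authenticator(header, body, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    RFC 2866 uses this for Accounting-Request, RFC 5176 for Disconnect-Request."""
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def parse_attributes(payload):
    """Decode RADIUS type/length/value attributes into {type: value}."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        typ, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs[typ] = payload[i + 2:i + length]
        i += length
    return attrs


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length")
    return code, ident, data[4:20], parse_attributes(data[20:length])


def verify_request_authenticator(data, secret):
    """True if the packet's authenticator matches the shared secret; reject forgeries before acting."""
    _, _, auth, _ = parse_packet(data)
    length = struct.unpack("!H", data[2:4])[0]
    return auth == request_authenticator(data[:4], data[20:length], secret)


def build_packet(code, ident, attrs, secret):
    """Serialise header + authenticator + TLV attributes for a request-type packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body


def check_accounting(data, secret):
    """Return None if the session may stay up, else the Disconnect-Request bytes to send to the NAS.
    Policy: a client whose reported Framed-IP-Address differs from its directory entry is disconnected."""
    if not verify_request_authenticator(data, secret):
        raise ValueError("accounting packet failed authenticator check")
    code, ident, _, attrs = parse_packet(data)
    if code != ACCOUNTING_REQUEST or ATTR_USER_NAME not in attrs:
        return None
    user = attrs[ATTR_USER_NAME].decode("ascii", "replace")
    expected = EXPECTED_IP.get(user)
    reported = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if expected is None or reported is None or len(reported) != 4:
        return None                    # no policy for this user, or the NAS did not report an IP
    if ipaddress.IPv4Address(reported) == ipaddress.IPv4Address(expected):
        return None
    # Session identification attributes for the NAS (RFC 5176 section 3), then disconnect.
    ident_attrs = [(ATTR_USER_NAME, attrs[ATTR_USER_NAME]), (ATTR_FRAMED_IP_ADDRESS, reported)]
    if ATTR_ACCT_SESSION_ID in attrs:
        ident_attrs.append((ATTR_ACCT_SESSION_ID, attrs[ATTR_ACCT_SESSION_ID]))
    return build_packet(DISCONNECT_REQUEST, ident, ident_attrs, secret)


def sample_accounting(user, ip, secret, ident=7):
    """Constructed Accounting-Request, as a NAS that inspects source IPs might send it."""
    return build_packet(ACCOUNTING_REQUEST, ident, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        (ATTR_ACCT_SESSION_ID, b"0000001A"),   # constructed session id
    ], secret)


if __name__ == "__main__":
    secret = b"testing123"             # constructed shared secret
    print(check_accounting(sample_accounting("00-11-22-33-44-55", "192.0.2.10", secret), secret))
    pod = check_accounting(sample_accounting("00-11-22-33-44-55", "192.0.2.99", secret), secret)
    print(pod.hex())
```

The authenticator check on the incoming accounting packet is deliberate: a disconnect decision driven by an unauthenticated packet would let anyone who can reach the accounting port knock clients off the network. Also note the caveat from the thread applies unchanged: this only works if the NAS actually reports the observed address, and the NAS must be configured to accept PoD from the server.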