FreeRadius DHCP against LDAP
Nikolaos Milas
nmilas at noa.gr
Fri Sep 13 19:19:24 CEST 2013
On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:
>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
>
> Yes.
I am having a hard time trying to adapt the example at
http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation to work
from LDAP.
We are starting from a point where we have an (LDAP) DIT branch
ou=hosts,dc=example,dc=com, where hosts are stored (also used for
MAC-Auth), using entries of the form:
dn: cn=host1.tech,ou=hosts,dc=example,dc=com
cn: host1.tech
objectClass: device
objectClass: ieee802Device
objectClass: top
objectClass: radiusprofile
objectClass: simpleSecurityObject
description: Main Workstation at Tech Dpt
ou: tech
l: Sierra Nevada
userPassword: test123
owner: cn=TechAdmins,ou=Groups,dc=example,dc=com
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusNASIpAddress: 10.10.10.125
radiusTunnelPrivateGroupId: 1
macAddress: 00:24:8b:3a:d1:db
radiusTerminationAction: 33
radiusHint: 50004
radiusFramedIPAddress: 10.10.10.63
radiusArapSecurity: 10.10.10.1
radiusArapZoneAccess: 255.255.255.128
We are attempting to assign to the host (using DHCP) whose MAC address
is stored in the macAddress attribute:
- the IP Address defined at radiusFramedIPAddress
- the gateway defined at radiusArapSecurity
- the mask defined at radiusArapZoneAccess
Can we use ldap calls (as when doing auth), in modules/ldap, like:
ldap ldap_dhcp {
    server = "localhost"
    identity = "uid=auth,ou=AdminAccounts,dc=example,dc=com"
    password = "mysecret"
    basedn = "ou=hosts,dc=example,dc=com"
    filter = "(macAddress=%{DHCP-Client-Hardware-Address})"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 2
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
...having added to ldap.attrmap the following (using currently unused
FreeRADIUS schema attributes):
replyItem DHCP-Subnet-Mask radiusArapZoneAccess
replyItem DHCP-Router-Address radiusArapSecurity
replyItem DHCP-Your-IP-Address radiusFramedIPAddress
and then modify the example as follows:
server dhcp {
    listen {
        type = dhcp
        ipaddr = 127.0.0.1
        port = 67
        interface = eth0
        broadcast = no
    }

    dhcp DHCP-Discover {
        ldap_dhcp
        update reply {
            DHCP-Message-Type = DHCP-Offer
        }
        update reply {
            DHCP-Domain-Name-Server := 10.10.10.90
            DHCP-Domain-Name-Server := 10.10.10.91
        }
        ok
    }

    dhcp DHCP-Request {
        update reply {
            DHCP-Message-Type = DHCP-Ack
        }
        ldap_dhcp
        update reply {
            DHCP-Domain-Name-Server := 10.10.10.90
            DHCP-Domain-Name-Server := 10.10.10.91
        }
        ok
    }

    dhcp {
        reject
    }
}
...??
Is it correct as above? Do I have to call ldap_dhcp separately in each
section (i.e. twice)?
Please clarify!
Regards,
Nick
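As an added illustration (not from this thread or from the FreeRADIUS project), the following Python script simulates what the ldap.attrmap replyItem lines in the post would produce for the sample host entry, and checks that the resulting static lease is internally consistent before it is loaded into the directory. The case-insensitive MAC comparison and the "offered address and router must share the subnet given by the mask" rule are my assumptions, and the LDIF and attrmap strings are constructed samples copied from the post.

```python
import ipaddress

# Constructed sample input, taken from the post (not read from a live directory).
LDIF_ENTRY = """\
dn: cn=host1.tech,ou=hosts,dc=example,dc=com
macAddress: 00:24:8b:3a:d1:db
radiusFramedIPAddress: 10.10.10.63
radiusArapSecurity: 10.10.10.1
radiusArapZoneAccess: 255.255.255.128
"""

ATTRMAP = """\
replyItem DHCP-Subnet-Mask radiusArapZoneAccess
replyItem DHCP-Router-Address radiusArapSecurity
replyItem DHCP-Your-IP-Address radiusFramedIPAddress
"""


def parse_ldif(text):
    """Parse one single-line-valued LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_attrmap(text):
    """Parse replyItem lines into {ldap_attribute: dhcp_attribute}."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "replyItem":
            mapping[parts[2]] = parts[1]
    return mapping


def build_reply(client_hw_addr, entry, mapping):
    """Reply attributes the attrmap yields for this client, or None if the
    MAC (compared case-insensitively, an assumption) does not match."""
    if client_hw_addr.lower() not in (m.lower() for m in entry.get("macAddress", [])):
        return None
    return {dhcp: entry[ldap][0] for ldap, dhcp in mapping.items() if ldap in entry}


def lease_problems(reply):
    """Consistency problems of a static lease (empty list means OK)."""
    problems = []
    try:
        net = ipaddress.ip_network(
            f"{reply['DHCP-Your-IP-Address']}/{reply['DHCP-Subnet-Mask']}", strict=False)
        if ipaddress.ip_address(reply["DHCP-Router-Address"]) not in net:
            problems.append("router outside client subnet")
    except (KeyError, ValueError) as exc:
        problems.append(f"incomplete or malformed lease: {exc}")
    return problems
```

Running the same checks over every entry under ou=hosts before enabling the DHCP virtual server catches a mistyped mask or gateway, which would otherwise surface only as a client that gets an address but no working route.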