Not trivial configuration of Freeradius as DHCP server
Vyacheslav Maliev
vmaliev at gmail.com
Tue Mar 11 14:08:38 CET 2014
Hello! Thanks to all. The configuration example is what I need; I will try it.
2014-03-11 0:46 GMT+04:00 <freeradius-users-request at lists.freeradius.org>:
>
> Today's Topics:
>
> 1. Re: Not trivial configuration of Freeradius as DHCP server
> (Tony DeMatteis)
> 2. Re: Old school: FreeRADIUS and NIS (Alan DeKok)
> 3. Re: Old school: FreeRADIUS and NIS (Alan DeKok)
> 4. Re: Old school: FreeRADIUS and NIS (A.L.M.Buxey at lboro.ac.uk)
> 5. RE: Authorise based on Calling Station ID ?
> (Darren Ward (darrward))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Mar 2014 13:07:37 -0700
> From: Tony DeMatteis <tonyd at commspeed.net>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Not trivial configuration of Freeradius as DHCP server
> Message-ID: <531E1B89.4040007 at commspeed.net>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Hello,
>
> Took this snippet from what I'm doing, which I got from a colleague who
> first pulled a working config together. See where you can get with this...
>
> The 'dhcp' folder resides in raddb/dhcp, and the dhcp-config.txt file is
> raddb/sites-available/dhcp.
>
>
>
> # Main conf - raddb/sites-available/dhcp (posted here as dhcp-config.txt)
>
> server dhcp {
>
>     # DHCP clients are not authenticated, so accept packets from any
>     # source. Limit who can reach udp/67 with the listen interface and
>     # the host firewall instead.
>     client any {
>         ipaddr = 0.0.0.0
>         #netmask = 0
>         dhcp = yes
>     }
>
>     listen {
>         ipaddr = *
>         port = 67
>         type = dhcp
>     }
>
>     dhcp DHCP-Discover {
>         update reply {
>             DHCP-Message-Type = DHCP-Offer
>         }
>
>         # Pick the scope from the relay agent address (giaddr). A directly
>         # attached client has giaddr 0.0.0.0 and falls into the default
>         # case, i.e. it gets no answer from this server.
>         switch "%{DHCP-Gateway-IP-Address}" {
>
>             case 192.168.60.1 {
>                 $INCLUDE dhcp/pool_system1
>             }
>
>             case 10.20.0.1 {
>                 $INCLUDE dhcp/pool_system2
>             }
>
>             case {
>                 # Do not reply to DHCP requests from subnets
>                 # for which we are not authoritative.
>                 update reply {
>                     DHCP-Message-Type !* 0
>                 }
>                 do_not_respond
>             }
>         }
>
>         # Global DHCP parameters
>         $INCLUDE dhcp/global
>
>         # rlm_sqlippool instance configured with the DHCP pool queries. It
>         # allocates the lease from the pool named in control:Pool-Name and
>         # returns noop when no Pool-Name was set by the include above.
>         dhcp_sqlippool
>
>         if (notfound || noop) {
>             reject
>         }
>
>         ok
>     }
>
>     dhcp DHCP-Request {
>         update reply {
>             DHCP-Message-Type = DHCP-Ack
>         }
>
>         # Same relay list as in DHCP-Discover above: a client whose Discover
>         # was answered must also get its Request answered.
>         switch "%{DHCP-Gateway-IP-Address}" {
>
>             case 192.168.60.1 {
>                 $INCLUDE dhcp/pool_system1
>             }
>
>             case 10.20.0.1 {
>                 $INCLUDE dhcp/pool_system2
>             }
>
>             case {
>                 # Do not reply to DHCP requests from subnets
>                 # for which we are not authoritative.
>                 update reply {
>                     DHCP-Message-Type !* 0
>                 }
>                 do_not_respond
>             }
>         }
>
>         # Global DHCP parameters
>         $INCLUDE dhcp/global
>
>         dhcp_sqlippool
>
>         if (notfound || noop) {
>             reject
>         }
>
>         ok
>     }
>
>     dhcp DHCP-Inform {
>     }
>
>     # If there's no named section for the packet type, then the packet
>     # is processed through this section.
>     dhcp {
>         # send a DHCP NAK.
>         reject
>     }
> }
>
> # End main conf
>
> # Global Conf
> # raddb/dhcp/global (pulled in by "$INCLUDE dhcp/global" above)
> update reply {
>     DHCP-Domain-Name-Server = 8.8.8.8
>     DHCP-Domain-Name-Server += 8.8.4.4
>     DHCP-Domain-Name = "mydomain.com"
>     # Option 54: the address clients send unicast Requests and renewals to
>     DHCP-DHCP-Server-Identifier = <dhcp-server-ip>
> }
>
> # System 1 devices - Cable Modems
> # raddb/dhcp/pool_system1
> # Only DOCSIS 1.x/2.x modems get a lease from this pool. Anything else
> # behind this relay leaves Pool-Name unset, so dhcp_sqlippool returns
> # noop and the request is rejected (NAK).
> if (DHCP-Vendor-Class-Identifier =~ /^docsis[1-2].*$/) {
>     update control {
>         Pool-Name := 'system_pool1'
>     }
> }
>
> # System 2 devices
> # raddb/dhcp/pool_system2
> # Any client that sends a vendor class (option 60) is served from this pool.
> if (DHCP-Vendor-Class-Identifier) {
>     update reply {
>         DHCP-Subnet-Mask = 255.255.255.0
>         DHCP-Router-Address = 10.20.0.1
>         DHCP-Broadcast-Address = 10.20.0.255
>         DHCP-IP-Address-Lease-Time = 3600
>     }
>     update control {
>         Pool-Name := 'system_pool2'
>     }
> }
>
>
>
>
> On 03/10/2014 12:38 PM, Alan DeKok wrote:
> > Vyacheslav Maliev wrote:
> >> Hello! I've tried to configure my freeradius installation like described
> >> here http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation
> >> but it's a very simple case for only one subnet. Now we have two networks
> >> which needs to get IP by DHCP server. So is there any possibility to
> >> configure DHCP scopes for different networks? Thanks!
> > Yes. It's not as easy as with a dedicated DHCP server. You'll need
> > to split the packets, so that some use subnet A, and some use subnet B.
> > Look at the packets (radiusd -X) to see how they're different. Usually
> > there will be a gateway IP address different, or perhaps something else.
> >
> > It's probably best to use groups to assign the network parameters.
> > e.g. use the radgroupcheck and radgroupreply tables. For users in group
> > A, assign them options for network A, and users in group B should be
> > assigned options in network B.
> >
> > i.e. separate the *common* configuration into group parameters. Then
> > each user should have only user-specific parameters. e.g. an IP
> > address, and a group membership.
> >
> > For v3.1, we're looking at maybe coming up with DHCP-specific queries
> > for SQL. But getting help from other people would be useful, too.
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Mar 2014 16:18:57 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school: FreeRADIUS and NIS
> Message-ID: <531E1E31.7050809 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arran Cudbard-Bell wrote:
> > An excerpt from the Fedora list:
>
> It's nice to see he's getting the same answers from others.
>
> i.e. the problem isn't us.
>
> > > Thing is, based on my searching, getting FreeRADIUS to work with NIS
> > > isn't possible. At least I've found no documentation on how to make
> > > it work. There's tons on getting it to work with LDAP, but not NIS.
> > > Which is the reason for my OP.
>
> I fail to see what the problem is. NIS is just a way of adding more
> back-ends to getpwent() and getspwent(). The applications using those
> function calls don't need to do anything.
>
> i.e. to "integrate" FreeRADIUS with NIS, you just configure NIS.
> Then, use the "unix" module in FreeRADIUS, in the "authenticate"
> section. The module will do PAP checks by using getspwent() to get the
> crypt'd password.
>
> *Where* that crypt'd password comes from is for NIS to determine.
> FreeRADIUS (and the Unix module) doesn't need to do anything.
>
> His question amounts to "how do I get FreeRADIUS to read files from
> MySQL, where MySQL is using ext4 instead of ext3". The answer is "you
> don't". FreeRADIUS interacts with X, and X does its magic. What's
> *behind* X doesn't matter.
>
> Either NIS works, and getspwent() returns something useful, or NIS
> doesn't work, and getspwent() doesn't return anything. Maybe running
> FreeRADIUS as "root" will help. But if that doesn't work, then the
> problem is NIS (or something else), *not* FreeRADIUS.
>
> And yes, this is one of my common answers. It's why my answers are
> seen as "unhelpful". I talk about the *cause* of the problem, not the
> *symptom*. Very often, the cause of the problem is something external
> to FreeRADIUS. The symptom is that FreeRADIUS doesn't work the way you
> want, but that's just a symptom.
>
> Sadly, some people *refuse* to understand this.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Mar 2014 16:22:03 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school: FreeRADIUS and NIS
> Message-ID: <531E1EEB.8010605 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Adam Bishop wrote:
> > I suspect the problem here is either SELinux or the shadow group not
> > existing.
>
> Quite possibly.
>
> > RHEL doesn't have a shadow group by default - as it's a nasty hack and
> > potential source of vulnerability, you're expected to have the sense to
> > create it yourself if it's needed.
>
> That's unfriendly. Oh well.
>
> > It's also tagged with a unique policy type:
> >
> > [root at orps1 ~]# ls -alZ /etc/shadow
> > ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
> >
> > Which I *think* would cause an AVC denial.
>
> Yes.
>
> > Then there's the small matter of /etc/shadow having no permission mask
> > by default.
>
> Arg. That's Unix 101 debugging, TBH. Track down the root cause of
> the problem, and fix it.
>
> > But someone who's been doing this for a long time would have checked
> > such things, or even provided us with the output of strace, right? :)
>
> Yes. The people who claim decades of experience usually don't follow
> standard practices. The people who have decades of experience just follow
> standard practice, and get things done.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Mar 2014 20:42:57 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school: FreeRADIUS and NIS
> Message-ID: <20140310204257.GC4519 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > I don't think I've ever flamed anyone in my life, but now I believe I
> > have to.
>
> oh..this is going to be interesting... just grabbing the popcorn and
> cola ready for the show! :-)
>
> <snip> oh...that wasnt a flame!
>
> disappointed...the rest of the popcorn is going away now and the cola's
> going to be flat for when it's needed :(
>
> > Radiusd.conf DOES NOT talk about issues with reading /etc/shadow.
> > ANYWHERE. PERIOD.
>
> ..do you mean this bit of radiusd.conf:
>
> # On systems with shadow passwords, you might have to set 'group = shadow'
> # for the server to be able to read the shadow password file. If you can
> # authenticate users while in debug mode, but not in daemon mode, it may be
> # that the debugging mode server is running as a user that can read the
> # shadow info, and the user listed below can not.
>
> ? seems clear to me.
>
> > And due to that 'take two steps forward and half-dozen back', I've
> > made it clear to my boss that FreeRADIUS, while it may work just fine,
>
> let's hope I don't come across the contact details for your boss ;-)
>
> alan
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 10 Mar 2014 20:46:19 +0000
> From: "Darren Ward (darrward)" <darrward at cisco.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: RE: Authorise based on Calling Station ID ?
> Message-ID:
> <5D5ED6338DFDB54B8E876331223AEE2D1F88F871 at xmb-rcd-x10.cisco.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alan
>
> I guess the question is because the accounting files are the only place
> that contains both the calling-station-id and username how can I write
> unlang in the authorise that would be able to look up the active session to
> match the mac address?
>
> i.e. I would need to parse the accounting files for the mac address and
> find the matching username then look up the username in the 'users' file to
> authorise with the appropriate attributes
>
> I'm not sure how to do that lookup of files or cache
>
> Darren
>
> -----Original Message-----
> From: freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org]
> On Behalf Of Alan DeKok
> Sent: Monday, 10 March 2014 11:11 PM
> To: FreeRadius users mailing list
> Subject: Re: Authorise based on Calling Station ID ?
>
> Darren Ward (darrward) wrote:
> > The mac address was sent by the wifi controller as the
> > calling-station-id but the question is how do I match that field
> > against the user to authorise them?
>
> $ man unlang
>
> It tells you how to do if/then/else checks.
>
> Perhaps you have a more specific question?
>
> Alan DeKok.
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 107, Issue 42
> *************************************************
>
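Alan's advice in message 1 is to look at the packets (radiusd -X) and split them on whatever differs, usually the gateway address, and Tony's config does exactly that with a switch on DHCP-Gateway-IP-Address plus a vendor-class check inside each pool include. The script below is an added example, not code from the thread or from FreeRADIUS: it decodes the raw DHCPv4 fields behind those attributes (BOOTP giaddr, option 60 vendor class, option 53 message type) from a constructed relayed Discover and applies the same scope rule, so you can see which packet bytes the server is actually keying on. The relay addresses, pool names, MAC and packet contents are assumptions taken from or made up around the posted config. Two points worth checking in your own deployment: a directly attached client has giaddr 0.0.0.0 and is silently ignored by this rule, and giaddr is an unauthenticated field written by whatever relays the packet, so udp/67 on the server should only be reachable from your relays.

```python
"""Decode the DHCPv4 fields FreeRADIUS exposes as DHCP-Gateway-IP-Address,
DHCP-Vendor-Class-Identifier and DHCP-Message-Type, then apply the same
scope selection as the posted virtual server.  Added example, not FreeRADIUS
code; relay addresses, pool names, MAC and packet bytes are constructed."""
import ipaddress
import re
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_MESSAGE_TYPE, OPT_VENDOR_CLASS, OPT_END = 53, 60, 255

# Relay (giaddr) -> (pool name, vendor-class filter); None = no filter.
# Mirrors the switch/case and the pool_system* includes in the posted config.
SCOPES = {
    "192.168.60.1": ("system_pool1", re.compile(r"^docsis[1-2].*$")),
    "10.20.0.1": ("system_pool2", None),
}


def parse_dhcp(packet: bytes) -> dict:
    """Return the BOOTP header fields and a {code: raw bytes} option map."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, hops = struct.unpack_from("!BBBB", packet, 0)
    (xid,) = struct.unpack_from("!I", packet, 4)
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(packet[o:o + 4])) for o in (12, 16, 20, 24)
    )
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:  # pad option, no length byte
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "ciaddr": ciaddr,
            "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
            "chaddr": packet[28:28 + hlen].hex(":"), "options": options}


def select_scope(msg: dict):
    """Return (reply message type, pool name).  (None, None) means do not
    respond; (NAK, None) means the relay is ours but no pool matched."""
    mtype = msg["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0]
    if mtype not in (DISCOVER, REQUEST):
        # Other types land in the config's catch-all `dhcp { reject }`
        # (Inform has its own empty section there; not reproduced here).
        return NAK, None
    scope = SCOPES.get(msg["giaddr"])
    if scope is None:               # unknown relay, or giaddr 0.0.0.0
        return None, None           # (directly attached): do_not_respond
    pool, vendor_filter = scope
    vci = msg["options"].get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    if not vci or (vendor_filter and not vendor_filter.match(vci)):
        return NAK, None            # Pool-Name unset -> sqlippool noop -> reject
    return (OFFER if mtype == DISCOVER else ACK), pool


def build_request(xid, mac, giaddr, vendor_class=None, mtype=DISCOVER):
    """Construct a relayed client message (hops=1) for testing."""
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 1, xid, 0, 0x8000)
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed   # ci/yi/si, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10)    # chaddr (16 bytes)
    hdr += bytes(64 + 128)                                    # sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, mtype])
    if vendor_class:
        vc = vendor_class.encode()
        opts += bytes([OPT_VENDOR_CLASS, len(vc)]) + vc
    return hdr + opts + bytes([OPT_END])


if __name__ == "__main__":
    pkt = build_request(0x1234, "00:11:22:33:44:55", "192.168.60.1", "docsis2.0")
    msg = parse_dhcp(pkt)
    print(msg["giaddr"], msg["options"][OPT_VENDOR_CLASS], select_scope(msg))
```

Run it against a real capture by replacing the constructed packet with the UDP payload of a Discover seen on the relay-facing interface; the giaddr, vendor class and message type it prints are the three values radiusd -X shows for the attributes the config switches on.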
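Darren's question in message 5 is how to find the user behind a Calling-Station-Id when only the accounting records carry both fields. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the detail-file record format (one timestamp line, then tab-indented Attribute = value lines, records separated by a blank line), keeps a table of sessions that have a Start or Interim-Update but no Stop, drops sessions on an Accounting-On/Off from the same NAS, and normalises MAC formatting so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal. The records are constructed for the example. If accounting is logged with rlm_sql the same lookup is a single query on the radacct table (acctstoptime IS NULL) and needs no file parsing. Either way the MAC is whatever the client told the NAS, so it identifies a session, not a person: use it to pick reply attributes, not as the sole authenticator.

```python
"""Find the user behind a Calling-Station-Id from FreeRADIUS detail-file
accounting records, as Darren describes.  Added example, not FreeRADIUS
code; the records below are constructed."""
import re
from typing import Dict, Iterator, Optional

# Detail-file format: a timestamp line, then tab-indented "Attr = value"
# lines, records separated by a blank line.  Constructed sample data.
SAMPLE_DETAIL = """\
Mon Mar 10 21:00:01 2014
\tAcct-Session-Id = "5f1a0001"
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-IP-Address = 10.0.0.2
\tTimestamp = 1394485201

Mon Mar 10 21:05:10 2014
\tAcct-Session-Id = "5f1a0002"
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tCalling-Station-Id = "AA:BB:CC:DD:EE:FF"
\tNAS-IP-Address = 10.0.0.2
\tTimestamp = 1394485510

Mon Mar 10 21:10:00 2014
\tAcct-Session-Id = "5f1a0003"
\tAcct-Status-Type = Interim-Update
\tUser-Name = "carol"
\tCalling-Station-Id = "11-22-33-44-55-66"
\tNAS-IP-Address = 10.0.0.3
\tTimestamp = 1394485800

Mon Mar 10 21:30:00 2014
\tAcct-Session-Id = "5f1a0002"
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tCalling-Station-Id = "AA:BB:CC:DD:EE:FF"
\tNAS-IP-Address = 10.0.0.2
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1394487000

Mon Mar 10 21:40:00 2014
\tAcct-Status-Type = Accounting-On
\tNAS-IP-Address = 10.0.0.3
\tTimestamp = 1394487600

"""

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9:.-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text: str) -> Iterator[Dict[str, str]]:
    """Yield one {attribute: value} dict per record."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        m = ATTR_RE.match(line)
        if m:  # the unindented timestamp line does not match and is skipped
            record[m.group(1)] = m.group(2)
    if record:
        yield record


def normalise_mac(mac: str) -> str:
    """'00-11-22-33-44-55', '00:11:22:33:44:55', '0011.2233.4455' -> '001122334455'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def active_sessions(text: str) -> Dict[str, str]:
    """Map normalised Calling-Station-Id -> User-Name for sessions that have
    a Start or Interim-Update but no Stop, replaying records in file order."""
    open_by_id: Dict[str, Dict[str, str]] = {}
    for rec in parse_detail(text):
        status = rec.get("Acct-Status-Type")
        sid = rec.get("Acct-Session-Id")
        if status in ("Start", "Interim-Update") and sid:
            open_by_id[sid] = rec  # Interim covers sessions started before rotation
        elif status == "Stop" and sid:
            open_by_id.pop(sid, None)
        elif status in ("Accounting-On", "Accounting-Off"):
            nas = rec.get("NAS-IP-Address")  # NAS (re)booted: its sessions are gone
            for k in [k for k, r in open_by_id.items() if r.get("NAS-IP-Address") == nas]:
                del open_by_id[k]
    return {normalise_mac(r["Calling-Station-Id"]): r["User-Name"]
            for r in open_by_id.values()
            if "Calling-Station-Id" in r and "User-Name" in r}


def user_for_mac(text: str, mac: str) -> Optional[str]:
    """The lookup the authorize section needs: MAC -> user, or None."""
    return active_sessions(text).get(normalise_mac(mac))


if __name__ == "__main__":
    print(active_sessions(SAMPLE_DETAIL))
    print(user_for_mac(SAMPLE_DETAIL, "00:11:22:33:44:55"))
```

Point it at your real detail file (or the concatenation of the current and previous rotated files, since a Stop may be in a later file than its Start) and the returned user is what you would then look up in the users file for the reply attributes.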