Not trivial configuration of Freeradius as DHCP server

Vyacheslav Maliev vmaliev at gmail.com
Tue Mar 11 14:08:38 CET 2014


Hello! Thanks to all. This is the configuration example that I need; I will try it.


2014-03-11 0:46 GMT+04:00 <freeradius-users-request at lists.freeradius.org>:

>
> Today's Topics:
>
>    1. Re: Not trivial configuration of Freeradius as DHCP server
>       (Tony DeMatteis)
>    2. Re: Old school:  FreeRADIUS and NIS (Alan DeKok)
>    3. Re: Old school:  FreeRADIUS and NIS (Alan DeKok)
>    4. Re: Old school:  FreeRADIUS and NIS (A.L.M.Buxey at lboro.ac.uk)
>    5. RE: Authorise based on Calling Station ID ?
>       (Darren Ward (darrward))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Mar 2014 13:07:37 -0700
> From: Tony DeMatteis <tonyd at commspeed.net>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Not trivial configuration of Freeradius as DHCP server
> Message-ID: <531E1B89.4040007 at commspeed.net>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Hello,
>
> Took this snippet from what I'm doing which I got from a colleague who
> first pulled a working config together.  See where you can with this...
>
> 'dhcp' folder resides in raddb/dhcp and the dhcp-config.txt file is
> raddb/sites-available/dhcp
>
>
>
> # Main conf - dhcp-config.txt
>
> server dhcp {
>
>    client any {
>      ipaddr = 0.0.0.0
>      #netmask = 0
>      dhcp = yes
>    }
>
>    listen {
>      ipaddr = *
>      port = 67
>      type = dhcp
>    }
>
>    dhcp DHCP-Discover {
>      update reply {
>        DHCP-Message-Type = DHCP-Offer
>      }
>
>      switch "%{DHCP-Gateway-IP-Address}" {
>
>        case 192.168.60.1 {
>          $INCLUDE dhcp/pool_system1
>        }
>
>        case 10.20.0.1 {
>          $INCLUDE dhcp/pool_system2
>        }
>
>        case {
>          # Do not reply to DHCP requests from subnets
>          # for which we are not authoritative
>          update reply {
>            DHCP-Message-Type !* 0
>          }
>          do_not_respond
>        }
>      }
>
>      #  Global DHCP parameters
>      $INCLUDE dhcp/global
>
>      dhcp_sqlippool
>
>      if(notfound || noop) {
>        reject
>      }
>
>      ok
>    }
>
>    dhcp DHCP-Request {
>      update reply {
>        DHCP-Message-Type = DHCP-Ack
>      }
>
>      switch "%{DHCP-Gateway-IP-Address}" {
>
>        case 192.168.10.1 {
>          $INCLUDE dhcp/pool_system1
>        }
>
>        case 10.20.0.1 {
>          $INCLUDE dhcp/pool_system2
>        }
>
>        case {
>          # Do not reply to DHCP requests from subnets
>          # for which we are not authoritative
>          update reply {
>            DHCP-Message-Type !* 0
>          }
>          do_not_respond
>        }
>      }
>
>      #  Global DHCP parameters
>      $INCLUDE dhcp/global
>
>      dhcp_sqlippool
>
>      if(notfound || noop) {
>        reject
>      }
>
>      ok
>    }
>
>    dhcp DHCP-Inform {
>    }
>
>    #  If there's no named section for the packet type, then the packet
>    #  is processed through this section.
>    dhcp {
>      # send a DHCP NAK.
>      reject
>    }
> }
>
> # End main conf
>
> # Global Conf
> # ./dhcp/global.conf
> update reply {
>    DHCP-Domain-Name-Server = 8.8.8.8
>    DHCP-Domain-Name-Server += 8.8.4.4
>    DHCP-Domain-Name = "mydomain.com"
>    DHCP-DHCP-Server-Identifier = <dhcp-server-ip>
> }
>
> # System 1 devices - Cable Modems
> # ./dhcp/pool_system1.conf
> if(DHCP-Vendor-Class-Identifier =~ /^docsis[1-2].*$/){
>    update control {
>      Pool-Name := 'system_pool1'
>    }
> }
>
> # System 2 devices
> # ./dhcp/pool_system2.conf
> if(DHCP-Vendor-Class-Identifier){
>    update reply {
>      DHCP-Subnet-Mask = 255.255.255.0
>      DHCP-Router-Address = 10.20.0.1
>      DHCP-Broadcast-Address = 10.20.0.255
>      DHCP-IP-Address-Lease-Time = 3600
>    }
>    update control {
>      Pool-Name := 'system_pool2'
>    }
> }
>
>
>
>
> On 03/10/2014 12:38 PM, Alan DeKok wrote:
> > Vyacheslav Maliev wrote:
> >> Hello! I`ve tried to configure my freeradius installation like described
> >> here http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation
> >> but it`s very simple case for only one subnet. Now we have two networks
> >> which needs to get IP by DHCP server. So is there any possibility to
> >> configure DHCP scopes for different networks? Thanks!
> >    Yes.  It's not as easy as with a dedicated DHCP server.  You'll need
> > to split the packets, so that some use subnet A, and some use subnet B.
> >   Look at the packets (radiusd -X) to see how they're different.  Usually
> > there will be a gateway IP address different, or perhaps something else.
> >
> >    It's probably best to use groups to assign the network parameters.
> > e.g. use the radgroupcheck and radgroupreply tables.  For users in group
> > A, assign them options for network A, and users in group B should be
> > assigned options in network B.
> >
> >    i.e. separate the *common* configuration into group parameters.  Then
> > each user should have only user-specific parameters.  e.g. an IP
> > address, and a group membership.
> >
> >    For v3.1, we're looking at maybe coming up with DHCP-specific queries
> > for SQL.  But getting help from other people would be useful, too.
> >
> >    Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Mar 2014 16:18:57 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <531E1E31.7050809 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arran Cudbard-Bell wrote:
> > An excerpt from the Fedora list:
>
>   It's nice to see he's getting the same answers from others.
>
>   i.e. the problem isn't us.
>
> >     > Thing is, based on my searching, getting FreeRADIUS to work with
> NIS
> >     > isn't possible.  At least I've found no documentation on how to
> make
> >     > it work.  There's tons on getting it to work with LDAP, but not
> NIS.
> >     > Which is the reason for my OP.
>
>   I fail to see what the problem is.  NIS is just a way of adding more
> back-ends to getpwent() and getspwent().  The applications using those
> function calls don't need to do anything.
>
>   i.e. to "integrate" FreeRADIUS with NIS, you just configure NIS.
> Then, use the "unix" module in FreeRADIUS, in the "authenticate"
> section.  The module will do PAP checks by using getspwent() to get the
> crypt'd password.
>
>   *Where* that crypt'd password comes from is for NIS to determine.
> FreeRADIUS (and the Unix module) doesn't need to do anything.
>
>   His question amounts to "how do I get FreeRADIUS to read files from
> MySQL, where MySQL is using ext4 instead of ext3".  The answer is "you
> don't".  FreeRADIUS interacts with X, and X does its magic.  What's
> *behind* X doesn't matter.
>
>   Either NIS works, and getspwent() returns something useful, or NIS
> doesn't work, and getspwent() doesn't return anything.   Maybe running
> FreeRADIUS as "root" will help.  But if that doesn't work, then the
> problem is NIS (or something else), *not* FreeRADIUS.
>
>   And yes, this is one of my common answers.  It's why my answers are
> seen as "unhelpful".  I talk about the *cause* of the problem, not the
> *symptom*.  Very often, the cause of the problem is a something external
> to FreeRADIUS.  The symptom is that FreeRADIUS doesn't work the way you
> want, but that's just a symptom.
>
>   Sadly, some people *refuse* to understand this.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Mar 2014 16:22:03 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <531E1EEB.8010605 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Adam Bishop wrote:
> > I suspect the problem here is either SELinux or the shadow group not
> existing.
>
>   Quite possibly.
>
> > RHEL doesn't have a shadow group by default - as it's a nasty hack and
> potential source of vulnerability, you're expected to have the sense to
> create it yourself if it's needed.
>
>   That's unfriendly.  Oh well.
>
> > It's also tagged with a unique policy type:
> >
> >   [root at orps1 ~]# ls -alZ /etc/shadow
> >   ----------. root root system_u:object_r:shadow_t:s0    /etc/shadow
> >
> > Which I *think* would cause an AVC denial.
>
>   Yes.
>
> > Then there's the small matter of /etc/shadow having no permission mask
> by default.
>
>   Arg.  That's Unix 101 debugging, TBH.  Track down the root cause of
> the problem, and fix it.
>
> > But someone who's been doing this for a long time would have checked
> such things, or even provided us with the output of strace, right? :)
>
>   Yes.  The people who claim decades of experience usually don't follow
> standard practices.  The people who have decades of experience just
> follow standard practice, and get things done.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Mar 2014 20:42:57 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <20140310204257.GC4519 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > I don't think I've ever flamed anyone in my life, but now I believe I
> > have to.
>
> oh..this is going to be interesting... just grabbing the popcorn and
> cola ready for the show!  :-)
>
> <snip> oh...that wasn't a flame!
>
> disappointed...the rest of the popcorn is going away now and the cola's
> going to be flat for when it's needed :(
>
> > Radiusd.conf DOES NOT talk about issues with reading /etc/shadow.
> > ANYWHERE.  PERIOD.
>
> ..do you mean this bit of radiusd.conf:
>
> #  On systems with shadow passwords, you might have to set 'group = shadow'
> #  for the server to be able to read the shadow password file.  If you can
> #  authenticate users while in debug mode, but not in daemon mode, it may be
> #  that the debugging mode server is running as a user that can read the
> #  shadow info, and the user listed below can not.
>
> ?  seems clear to me.
>
> > And due to that 'take two steps forward and half-dozen back', I've
> > made it clear to my boss that FreeRADIUS, while it may work just fine,
>
> let's hope I don't come across the contact details for your boss ;-)
>
> alan
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 10 Mar 2014 20:46:19 +0000
> From: "Darren Ward (darrward)" <darrward at cisco.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: RE: Authorise based on Calling Station ID ?
> Message-ID:
>         <5D5ED6338DFDB54B8E876331223AEE2D1F88F871 at xmb-rcd-x10.cisco.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alan
>
> I guess the question is because the accounting files are the only place
> that contains both the calling-station-id and username how can I write
> unlang in the authorise that would be able to look up the active session to
> match the mac address?
>
> i.e. I would need to parse the accounting files for the mac address and
> find the matching username then look up the username in the 'users' file to
> authorise with the appropriate attributes
>
> I'm not sure how to do that lookup of files or cache
>
> Darren
>
> -----Original Message-----
> From: freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org[mailto:
> freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org] On
> Behalf Of Alan DeKok
> Sent: Monday, 10 March 2014 11:11 PM
> To: FreeRadius users mailing list
> Subject: Re: Authorise based on Calling Station ID ?
>
> Darren Ward (darrward) wrote:
> > The mac address was sent by the wifi controller as the
> > calling-station-id but the question is how do I match that field
> > against the user to authorise them?
>
> $ man unlang
>
>   It tells you how to do if/then/else checks.
>
>   Perhaps you have a more specific question?
>
>   Alan DeKok.
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 107, Issue 42
> *************************************************
>
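The gateway-based pool selection in Tony's quoted config, modelled in Python as an added example (this is not code from the thread or from FreeRADIUS, and the gateway table, sample MAC address and packet bytes are all constructed). It builds a relayed DISCOVER or REQUEST, parses giaddr and options 53 and 60 out of the raw packet, and applies the same decisions the unlang does: a relay whose address is not in the authoritative list gets no reply at all, a pool is picked per gateway and vendor class, and a packet that reaches the pool step without a Pool-Name is NAKed (the config's empty DHCP-Inform section is not modelled; other message types fall into the catch-all reject). One thing worth checking in the quoted config: the DHCP-Discover switch lists 192.168.60.1 while the DHCP-Request switch lists 192.168.10.1, so a relay at either address would only get one half of the exchange; the model uses one shared table so an Offer and the following Ack are decided the same way.

```python
import re
import socket
import struct

# Constructed gateway -> policy table, mirroring the two "case" branches of the
# quoted config. Any other relay address falls into the default case.
GATEWAY_POLICY = {
    "192.168.60.1": "pool_system1",
    "10.20.0.1": "pool_system2",
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
DISCOVER, REQUEST = 1, 3


def build_discover(giaddr, vendor_class=None, msg_type=DISCOVER):
    """Constructed sample packet: a relayed DISCOVER/REQUEST, not a real capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        0x12345678, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr),          # giaddr: what DHCP-Gateway-IP-Address reads
        bytes.fromhex("001122334455").ljust(16, b"\0"),  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,           # sname, file
    )
    options = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if vendor_class is not None:
        vc = vendor_class.encode()
        options += bytes([OPT_VENDOR_CLASS, len(vc)]) + vc
    return header + options + bytes([OPT_END])


def parse_dhcp(packet):
    """Extract the fields the policy needs; refuses malformed option encodings."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    fields = {
        "giaddr": socket.inet_ntoa(packet[24:28]),
        "chaddr": packet[28:28 + hlen].hex(":"),
        "msg_type": None,
        "vendor_class": None,
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return fields
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option length exceeds packet")
        if code == OPT_MESSAGE_TYPE and length == 1:
            fields["msg_type"] = value[0]
        elif code == OPT_VENDOR_CLASS:
            fields["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    raise ValueError("missing end option")


def decide(fields):
    """Return (action, pool); action is 'offer', 'ack', 'reject' or 'do_not_respond'."""
    if fields["msg_type"] not in (DISCOVER, REQUEST):
        return ("reject", None)            # catch-all "dhcp { reject }" section
    policy = GATEWAY_POLICY.get(fields["giaddr"])
    if policy is None:
        return ("do_not_respond", None)    # not authoritative for that relay's subnet
    vci = fields["vendor_class"]
    if policy == "pool_system1":           # cable modems: docsis1.x / docsis2.x only
        pool = "system_pool1" if vci is not None and re.match(r"^docsis[1-2].*$", vci) else None
    else:                                  # system 2: any client that sends option 60
        pool = "system_pool2" if vci is not None else None
    if pool is None:
        return ("reject", None)            # no Pool-Name -> sqlippool noop -> reject (NAK)
    return ("offer" if fields["msg_type"] == DISCOVER else "ack", pool)


def handle(packet):
    return decide(parse_dhcp(packet))


if __name__ == "__main__":
    for gw, vci in [("192.168.60.1", "docsis2.0:abc"), ("10.20.0.1", None), ("172.16.0.1", "docsis1.1")]:
        print(gw, vci, "->", handle(build_discover(gw, vci)))
```

The "do_not_respond" branch is the part to keep when adapting this: answering a relay you are not authoritative for hands out addresses on someone else's subnet, so the default case silently drops rather than NAKing.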
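Darren's question in message 5 (map a Calling-Station-Id seen at authorisation time to the user of the active session recorded in accounting) as an added example, not code from the thread or from FreeRADIUS. It assumes a detail-style accounting file (one record per packet, tab-indented attributes, blank line between records; the excerpt is constructed and simplified), normalises the several MAC formats NAS vendors send, and keeps only sessions that have a Start without a matching Stop. The result is an identification hint only: a Calling-Station-Id is client-supplied and accounting can lag, so the username it yields should select reply attributes, not stand in for a credential check.

```python
import re

# Constructed excerpt in the layout of a FreeRADIUS "detail" accounting file.
SAMPLE_DETAIL = """\
Mon Mar 10 10:00:01 2014
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Session-Id = "s0001"

Mon Mar 10 10:02:15 2014
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tCalling-Station-Id = "AA:BB:CC:DD:EE:FF"
\tAcct-Session-Id = "s0002"

Mon Mar 10 10:30:40 2014
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tCalling-Station-Id = "aa:bb:cc:dd:ee:ff"
\tAcct-Session-Id = "s0002"
"""

# Indented "Attribute = value" line; value may or may not be quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def normalize_mac(mac):
    """Canonical form (lower-case, colon-separated) so 00-11-.., 0011.., 00:11.. all match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_detail(text):
    """Yield one dict of attributes per accounting record."""
    record = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            record[m.group(1)] = m.group(2)
    if record:
        yield record


def active_sessions(text):
    """Map normalized MAC -> User-Name for sessions that started but have not stopped."""
    sessions = {}
    for rec in parse_detail(text):
        if "Calling-Station-Id" not in rec or "User-Name" not in rec:
            continue
        key = (normalize_mac(rec["Calling-Station-Id"]), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            sessions[key] = rec["User-Name"]
        elif status == "Stop":
            sessions.pop(key, None)
    return {mac: user for (mac, _sid), user in sessions.items()}


def user_for_mac(text, calling_station_id):
    """Username of the live session for this Calling-Station-Id, or None."""
    return active_sessions(text).get(normalize_mac(calling_station_id))


if __name__ == "__main__":
    print(user_for_mac(SAMPLE_DETAIL, "00:11:22:33:44:55"))  # alice
    print(user_for_mac(SAMPLE_DETAIL, "aabbccddeeff"))       # None, bob's session stopped
```

In a real deployment the same lookup is cheaper against the radacct table (acctstoptime IS NULL) than by re-reading detail files on every Access-Request, but the normalisation and Start/Stop pairing are the same.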

