DHCP server failing to add ARP entry?

Toby Walsh walshtj at gmail.com
Mon Nov 7 00:26:22 CET 2016

Thanks Alan.

So given you've established I'm on Linux I'm sure I'm trying to set up
a fairly vanilla configuration from that perspective: Freeradius with
mysql and DHCP? Surely there are many, many others who have this
successfully working. My network configuration looks like this:

ESXi Freeradius on Linux VM <- ESXi pfSense VM -> Unifi switch on
pfSense LAN -> Unifi AP -> Client test device

At the stage of failure to write the ARP entry, the device has
requested an IP via DHCP. It's passed successfully down the chain to
FR but for whatever reason hits a branch of dhcpd.c where something is
wrong and it fails. It seems when I try to mess directly with arp from
the command line it's difficult to trigger "operation not permitted"
besides trying to interact with it with insufficient privileges. But
I'm wondering if it is possible that some of the parameters passed to
fr_dhcp_add_arp_entry are incorrect in such a way as to trigger a
permission error?

The end goal for me is to have:

(i) client devices receive IP addresses from a server
(ii) be EAP authorised from a server
(iii) be assigned a VLAN (or some other way to be able to easily
filter groups of devices through firewall rules/schedules in pfSense
or otherwise).

It seems FR does all I need in theory, I'm just struggling to set it
up correctly. I can get the server working with (ii) no problem. I can
get it assigning attributes such that (iii) should work, although
pfSense is not receiving the tagged attributes despite the Unifi stuff
configured to pass it on. With your help I got (i) and (ii) to both
serve at the same time through two sql modules. Now I'm just trying to
get (i) to succeed, then I can work on (iii). If (iii) doesn't work I
can try another approach, which is set up multiple wlan networks on
the Unifi and filter/schedule through those and use FR to authorise
access to specific ssids only for certain clients.

The big question I guess is your comment about virtual switches -
maybe that actually is causing me problems with (i). But given my
complete lack of networking knowledge I would not at all be surprised
that I've just configured my DHCP server incorrectly (source IP,
router address, server address, subnet mask, whatever).


On 6 November 2016 at 21:52, Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 6, 2016, at 8:47 AM, Toby Walsh <walshtj at gmail.com> wrote:
>> They're communicating through a virtual switch, so I want them on the same
>> subnet but different hosts/IPs (with everything on my network
>> served/configured hopefully by FR/mysql and routed by pfSense).
>   Hmm... that might work.  I've had issues with virtual switches, tho.

More information about the Freeradius-Users mailing list