DHCP and Option 82
Daniel Ryšlink
ryslink at dialtelecom.cz
Fri Feb 23 15:57:27 CET 2018
Hello!
Thank you once again for your patience and most helpful insights!
Basically, the scenario is this - there is a number of ADSL modems in a
network connecting to a BRAS (Juniper MX104 in this case), and I have to
set up a Radius and a DHCP server.
For each user trying to connect, the BRAS sends an Access-Request packet,
and receives a reply that looks like this (I can supply full dumps of
both Radius and DHCP packets from my testing lab, if requested):
Received Access-Accept Id 45 from 127.0.0.1:1812 to 0.0.0.0:0 length 78
ERX-Ingress-Policy-Name = "FF-1M"
ERX-CoS-Shaping-Pmt-Type = "T02 2m"
ERX-CoS-Scheduler-Pmt-Type = "VOIP-SCH T10 100k"
Basically, the reply tells the BRAS how to parametrize the connection -
speed, shaping, etc. This information is taken from a Livingston-style
users file generated from a backend database of clients - that all works
already. A sample of one entry:
Gi0/19:10.010B465454582D535749544348 Cleartext-Password := "juniper-bng1", Pool-Name := "hohola"
	ERX-Ingress-Policy-Name := FF-1M,
	ERX-CoS-Shaping-Pmt-Type = "T02 2m",
	ERX-Cos-Scheduler-Pmt-Type = "VOIP-SCH T10 100k"
Following that, the user modem sends a DHCP-Discover packet and should
receive configuration options from my DHCP server containing IP address
and other values like netmask, gateway, etc.
The DHCP server runs as a virtual server in Radius - even that works: the
DHCP server responds and sends all the configuration items except
DHCP-Your-IP-Address, the address assigned to the client, which is
always 0.0.0.0.
I have tried using both the dhcp_sqlippool module, creating the database
radius with a table radippool:
+----+-----------+-----------------+---------------+-----------------+------------------+---------------------+--------------------------------------------------+----------+
| id | pool_name | framedipaddress | nasipaddress  | calledstationid | callingstationid | expiry_time         | username                                         | pool_key |
+----+-----------+-----------------+---------------+-----------------+------------------+---------------------+--------------------------------------------------+----------+
|  1 | hohola    | 10.10.100.130   | 192.168.1.254 |                 |                  | 2018-02-19 18:20:50 | 0x4769302f31393a31300x010b465454582d535749544348 |          |
|  4 | hohola    | 10.10.100.120   | 192.168.1.254 |                 |                  | 2018-02-19 17:57:49 | 0x4769302f31373a31300x010b465454582d535749544348 |          |
+----+-----------+-----------------+---------------+-----------------+------------------+---------------------+--------------------------------------------------+----------+
I have also tried configuring the passwd module to interpret a
password-style file as a database, as I have described in my previous mail.
Basically, what I cannot seem to solve is to make the DHCP server
correctly reply to DHCP-Discover and DHCP-Request packets with an IP
address from a static table (be it a SQL table or a file, that does not
matter, I can convert the source information into any format required).
As for using the passwd module and failure to hash the file, you are
absolutely right - there was a typo in the path to the file, which was a
rather silly mistake, I apologize.
However, upon correcting the typo, I am receiving a fresh, new error
message:
rlm_passwd: unable to resolve attribute:
%{DHCP-Relay-Circuit-Id};*{DHCP-Relay-Remote-Id};=DHCP-Your-IP-Address
/etc/freeradius/3.0/mods-enabled/opt82toip[21]: Instantiation failed for
module "opt82toip"
I tried multiple ways of formatting the information:
format = "*DHCP-Relay-Circuit-Id;*DHCP-Relay-Remote-Id;=DHCP-Your-IP-Address"
format = "*%{DHCP-Relay-Circuit-Id};*%{DHCP-Relay-Remote-Id};=DHCP-Your-IP-Address"
format = "*%{dhcp_options:<Circuit-ID>};*%{dhcp_options:<Agent-ID>};=DHCP-Your-IP-Address"
Yet once again, without success.
Once again, any comments will be most appreciated.
--
Best regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------
On 23.2.2018 14:15, Alan DeKok wrote:
> On Feb 23, 2018, at 7:37 AM, Daniel Ryšlink <ryslink at dialtelecom.cz> wrote:
>>> You can edit those files to do IP pool assignment for DHCP, using the relay options.
>> Okay, but how do I do that? I have read the files you mention multiple times already; they contain nothing relevant to the subject of decoding the option 82 information and using it as a key in IP pool assignment.
> The configuration files do not contain examples of every possible configuration. That's just impossible to do.
>
> They *do* contain examples of how to use information in the packet to assign IP addresses. For example, you can read this file: raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
>
> It contains not only the queries, but comments that document what each query does. It isn't difficult to edit those queries to key off of another attribute, instead of Calling-Station-Id.
>
>> I understand that I cannot rewrite the existing Calling-Station-Id ,
> Why not? If you're doing DHCP, there's no Calling-Station-Id attribute in the DHCP packet.
>
> Or are you doing RADIUS? Please explain...
>
>> but there should be a way of passing a string composed of %{dhcp_options:<Circuit-ID>}%{dhcp_options:<Agent-ID>} to the dhcp_sqlippool module that would use it as a key and assign an IP address from a matching database row - this must be like the most standard thinkable usage scenario, so how come there is no clear example of a working configuration I could use?
> You're free to figure it out and update the documentation on the wiki.
>
>> Something like this:
>>
>> http://freeradius.1045715.n5.nabble.com/Not-trivial-configuration-of-Freeradius-as-DHCP-server-td5725623.html
>>
>> but involving the option 82? I tried to Google it, but did not find anything at all.
> You're looking at the wrong thing. You simply CANNOT "google for the thing that answers all of my questions". FreeRADIUS is complex enough that it's *impossible* to provide pre-packaged solutions for every possible question.
>
> Instead, you have to *understand* how things work, and then create a custom solution for your custom environment. We can help with that, of course.
>
>> There is apparently also the mods-available/dhcp file that should allow it somehow, but once again, there is no example of use.
> There is documentation that describes what the module does.
>
>> Never mind, I have also noticed that the module mac2ip piggy-backs the password module to interpret a text file as a database to assign IP addresses using the MAC address of the Calling Station as a key. I tried to use it to do the same, only using the %{dhcp_options:<Circuit-ID>}%{dhcp_options:<Agent-ID>} string as a key, so I created this file (the character ; is used as a delimiter):
>>
>> /etc/freeradius/3.0/mods-config/dhcp/opt82toip:
>>
>> 0x4769302f31373a3130;0x010b465454582d535749544348;10.10.100.130
>> 0x4769302f31373a3130;0x010b465454582d535749544348;10.10.100.120
> That may work...
>
>> However, when I try to start Freeradius, I get:
>>
>> rlm_passwd: can't build hashtable from passwd file
>> /etc/freeradius/3.0/mods-enabled/opt82toip[21]: Instantiation failed for module "opt82toip"
>>
>> However, I don't need to hash the file
> <sigh> The module is building a hash table internally, so that it doesn't need to read the file every time.
>
>> (it's not a password file after all),
> And similarly, the module is the "passwd" module, which reads "passwd" style files. So the messages it prints out are about "passwd" style files.
>
> Please put the pieces together to understand what's going on.
>
>> I just want it interpreted as a database with the first two fields as a compound key and the third field as a value that would be returned upon match. Is it possible to do it?
> That's what the module does. A "database" often uses hash tables internally to track data.
>
> That error probably means that FreeRADIUS can't read the file. Make sure that's allowed.
>
> Alan DeKok.
>
>
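What this thread is trying to get FreeRADIUS to do, decode the two Option 82 sub-options from a relayed DHCPDISCOVER and use them as a compound key into a static address table, is shown below as an added Python example. It is not FreeRADIUS code and not anything posted in the thread. The packet bytes and the address table are constructed here; the key layout, "0x" plus the circuit-id hex followed by "0x" plus the remote-id hex, copies the username column of the radippool dump above, and the rule that Option 82 is only consulted when giaddr is set (a relay agent is the party that inserts the option) is this example's own policy choice.

```python
"""Decode DHCP Option 82 (Relay Agent Information, RFC 3046) and use the
circuit-id / remote-id pair as a compound key into a static address table.

Added example, not FreeRADIUS code. The packet bytes and the table below
are constructed; the key format copies the username column of the
radippool dump in the thread.
"""
from typing import Dict, Optional

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2    # RFC 3046 Agent Remote ID sub-option


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Walk the DHCP options area (after the magic cookie) as code/len/value
    triples. Code 0 is a one-byte pad, code 255 ends the list. A truncated
    option raises instead of silently yielding a short, wrong key."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # Repeated codes are concatenated, as RFC 3396 specifies for long options.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split the Relay Agent Information option into its sub-options."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = sub
        i += 2 + length
    return subs


def pool_key(circuit_id: bytes, remote_id: bytes) -> str:
    """Compound key in the layout of the radippool username column."""
    return "0x" + circuit_id.hex() + "0x" + remote_id.hex()


def lookup_address(options: Dict[int, bytes], giaddr: str,
                   table: Dict[str, str]) -> Optional[str]:
    """Return the statically assigned address for the relay port that
    forwarded this packet, or None when there is no match. Option 82 is
    only consulted when giaddr is set (policy choice for this example)."""
    if giaddr == "0.0.0.0" or OPTION_RELAY_AGENT not in options:
        return None
    subs = parse_option82(options[OPTION_RELAY_AGENT])
    if SUBOPT_CIRCUIT_ID not in subs or SUBOPT_REMOTE_ID not in subs:
        return None
    return table.get(pool_key(subs[SUBOPT_CIRCUIT_ID], subs[SUBOPT_REMOTE_ID]))


# Constructed static table. The two keys decode to circuit ids "Gi0/19:10"
# and "Gi0/17:10" and a remote id of 0x01 0x0b followed by "FTTX-SWITCH".
STATIC_TABLE = {
    "0x4769302f31393a31300x010b465454582d535749544348": "10.10.100.130",
    "0x4769302f31373a31300x010b465454582d535749544348": "10.10.100.120",
}


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Option 82 the way a relay agent would insert it."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


# Constructed options area of a relayed DHCPDISCOVER: message type (53) = 1,
# Option 82 as inserted by the relay, then the end option.
SAMPLE_OPTIONS = (bytes([53, 1, 1])
                  + build_option82(b"Gi0/19:10", b"\x01\x0bFTTX-SWITCH")
                  + bytes([255]))


def demo() -> Optional[str]:
    """Resolve the sample packet against the static table."""
    return lookup_address(parse_dhcp_options(SAMPLE_OPTIONS),
                          "192.168.1.254", STATIC_TABLE)


if __name__ == "__main__":
    print(demo())  # 10.10.100.130
```

Decoding the hex in the thread's tables this way is also how to check the data by hand: the circuit ids in the radippool rows are the port strings "Gi0/19:10" and "Gi0/17:10", and the remote id is a one-byte 0x01, a one-byte 0x0b (11, the length of the string that follows) and "FTTX-SWITCH", which is the same pair that appears in decoded form in the users-file entry "Gi0/19:10.010B465454582D535749544348". A lookup that produces no match is what leaves the client without an address, so comparing the key the server actually builds against the stored keys byte for byte is the first thing to verify.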