dhcp xlat for encoding DHCP options in RADIUS attributes
Nathan Ward
lists+freeradius at daork.net
Wed Mar 7 11:21:03 CET 2018
> On 6/03/2018, at 6:33 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>
>> On Mar 6, 2018, at 9:06 AM, Nathan Ward <lists+freeradius at daork.net> wrote:
>>
>> Hi,
>>
>> I did a bit of digging around in the archives, I’m trying to do effectively what Peter was doing in this thread: http://lists.freeradius.org/pipermail/freeradius-devel/2013-April/007974.html
>> Actually not effectively, quite literally, for literally the same service offered by the same provider in the same market :)
>>
>> I am aware of dhcp_options xlat for *decoding* DHCP options. I am looking to encode DHCP options for transmitting to the NAS.
>>
>> I note that Arran has implemented an xlat called ‘dhcp’ since then, looks like it’s based on discussions from that thread, but I’m not sure how it should be used. I’ve defined some attributes similar to the thread above, but with the ‘dot notation’ format rather than the ‘BEGIN TLV’ type format. Additionally, I changed the type of ‘DHCP-Vendor’ to ‘tlv’. It was set to “octets # tlv”.. which I’m not sure how to interpret, but FreeRADIUS refused to start when it was set to that as the sub options expect it to be a TLV, which seems reasonable.
>> This is in my dictionary.dhcp, in amongst everything else - the first lines is modified as I describe above, the others are new.
>> ATTRIBUTE DHCP-Vendor 43 tlv
>> ATTRIBUTE DHCP-Vendor-URL 43.1 string
>> ATTRIBUTE DHCP-Vendor-Pass 43.2 string
>> ATTRIBUTE DHCP-Vendor-CPEID 43.253 string
>>
>>
>> If I do ‘ERX-Dhcp-Options = “0x%{dhcp:DHCP-Vendor-URL}”’ after setting DHCP-Vendor-URL, it tells me that it’s not a DHCP option, and I get an empty option. If I try set it to “0x%{dhcp:DHCP-Vendor}”, it gets set to empty, and it doesn’t get transmitted in the RADIUS packet. I have also tried things like %{dhcp:&DHCP-Vendor} and so on, but same result.
>
> You have the usage right, but the options need to be defined inside the DHCP dictionary (share/dictionary.dhcp) inside the vendor block. The vendor block was a hack to avoid implementing protocol specific dictionaries (which are a lot of effort).
Hi Arran,
I’ve got a couple of different syntaxes there - which is best - or are all OK?
A) ERX-Dhcp-Options = "0x%{dhcp:DHCP-Vendor-URL}%{dhcp:DHCP-Vendor-Pass}"
B) ERX-Dhcp-Options = "0x%{dhcp:DHCP-Vendor}"
C) ERX-Dhcp-Options = "0x%{dhcp:&DHCP-Vendor-URL}%{dhcp:&DHCP-Vendor-Pass}"
D) ERX-Dhcp-Options = "0x%{dhcp:&DHCP-Vendor}”
(A and C I’ve extrapolated a bit from the above, to what I presume is required for multiple options in one field, based on the original discussion for this feature in the referenced thread)
Re. The dictionary, that’s where I’ve got it.. if I understand what you mean by vendor block - I replaced the original DHCP-Vendor line with the above, and put the TLVs in immediately below it… so with a few lines of context above and below I’ve got:
VENDOR DHCP 54 format=2,1
BEGIN-VENDOR DHCP
… deleted lines ...
ATTRIBUTE DHCP-NIS-Domain-Name 40 string
ATTRIBUTE DHCP-NIS-Servers 41 ipaddr array
ATTRIBUTE DHCP-NTP-Servers 42 ipaddr array
# N Vendor Specific Information
ATTRIBUTE DHCP-Vendor 43 tlv
ATTRIBUTE DHCP-Vendor-URL 43.1 string
ATTRIBUTE DHCP-Vendor-Pass 43.2 string
ATTRIBUTE DHCP-Vendor-CPEID 43.253 string
ATTRIBUTE DHCP-NETBIOS-Name-Servers 44 ipaddr array
ATTRIBUTE DHCP-NETBIOS-Dgm-Dist-Servers 45 ipaddr array
ATTRIBUTE DHCP-NETBIOS-Node-Type 46 byte
… deleted lines …
END-VENDOR DHCP
<eof>
What I’ve found, is that I get a not a DHCP attribute error if I try:
ERX-Dhcp-Options = "0x%{dhcp:control:DHCP-Vendor-URL}”
But not if I try:
ERX-Dhcp-Options = "0x%{dhcp:DHCP-Vendor-URL}”
OR
ERX-Dhcp-Options = "0x%{dhcp:control:DHCP-Vendor}”
Obviously, I set them in the relevant correct places before these lines. I don’t understand why this is the case - it only seems like it doesn’t like control being there if it’s the TLV attributes, but the top level TLV works fine.. very odd.
You know what though, as I’m going through looking at this now, it looks as though this particular server is on 3.0.13, so let me correct that embarrassing oversight and get back you… Looking at the diffs between 3.0.13 and 3.0.16 I don’t see much difference related to this, but… let’s find out for sure.
--
Nathan Ward
More information about the Freeradius-Users
mailing list