FreeRADIUS 4: DHCP v4: ERROR: Expansion "network" needs to be resolved before it is used
Dima Ermakov
demonihin at gmail.com
Mon Nov 11 12:47:11 UTC 2024
I tried the "files" approach for now with the ' key = "%{Network-Subnet}" '
please take a look below:
If I add in "files":
"""
192.168.10.0/24
Router-Address := 192.168.10.1,
Subnet-Mask := 255.255.255.0,
Broadcast-Address := 192.168.10.255,
Domain-Name-Server := 192.168.20.2
"""
then the result is "noop", no match which makes sense to me:
"""
proto_dhcpv4_udp - Received Discover XID 2b863239 length 300
dhcpv4_udp server * port 67
(1) dhcp {
(1) Received Discover XID 2b863239 from 192.168.30.1:49373 to
192.168.19.55:67 via ens192
(1) Opcode = Client-Message
(1) Hardware-Type = Ethernet
(1) Hardware-Address-Length = 6
(1) Hop-Count = 1
(1) Transaction-Id = 730214969
(1) Number-of-Seconds = 0
(1) Flags = 0
(1) Client-IP-Address = 0.0.0.0
(1) Your-IP-Address = 0.0.0.0
(1) Server-IP-Address = 0.0.0.0
(1) Gateway-IP-Address = 192.168.10.1
(1) Client-Hardware-Address = 52:54:00:d8:4e:4e
(1) Message-Type = Discover
(1) Hostname = "vyos"
(1) Parameter-Request-List = Subnet-Mask
(1) Parameter-Request-List = Broadcast-Address
(1) Parameter-Request-List = Time-Offset
(1) Parameter-Request-List = Router-Address
(1) Parameter-Request-List = Domain-Name
(1) Parameter-Request-List = Domain-Name-Server
(1) Parameter-Request-List = Domain-Search
(1) Parameter-Request-List = Hostname
(1) Parameter-Request-List = NETBIOS-Name-Servers
(1) Parameter-Request-List = NETBIOS
(1) Parameter-Request-List = Interface-MTU-Size
(1) Parameter-Request-List = Classless-Static-Route
(1) Parameter-Request-List = NTP-Servers
(1) Client-Identifier = 0xff00d84e4e000100012ec4b0ce525400d84e4e
(1) Relay-Agent-Information {
(1) Circuit-Id = 0x65746831
(1) }
(1) Network-Subnet = 192.168.10.1/32
(1) Net {
(1) Src {
(1) IP = 192.168.30.1
(1) Port = 49373
(1) }
(1) Dst {
(1) IP = 192.168.19.55
(1) Port = 67
(1) }
(1) Timestamp = "2024-11-11T12:21:46Z"
(1) }
(1) Packet-Type = Discover
(1) Running 'recv Discover' from file /etc/raddb/sites-enabled/dhcp
(1) recv Discover {
(1) files_dhcp_network - | Network-Subnet
(1) files_dhcp_network - | %{Network-Subnet}
(1) files_dhcp_network - | --> 192.168.10.1/32
(1) files_dhcp_network - Looking for key "192.168.10.1/32"
(1) files_dhcp_network - files_dhcp_network (noop)
(1) } # recv Discover (noop)
(1) Not sending reply to client
(1) dhcp (noop)
(1) } # dhcp (noop)
(1) Done request
(1) Finished request
"""
From the debug above I assume that the DHCP relay adds the relay agent IP
of the interface on which it received the DHCP Discover broadcast
(192.168.10.1 in this case),
which is then stored in the FreeRADIUS request context in "Network-Subnet"
as the ipaddr "192.168.10.1/32".
For another test (option 2):
If I add in "files":
"""
192.168.10.1/32
Router-Address := 192.168.10.1,
Subnet-Mask := 255.255.255.0,
Broadcast-Address := 192.168.10.255,
Domain-Name-Server := 192.168.20.2
"""
then the match is found and it is what I want to have:
"""
(1) recv Discover {
(1) files_dhcp_network - | Network-Subnet
(1) files_dhcp_network - | %{Network-Subnet}
(1) files_dhcp_network - | --> 192.168.10.1/32
(1) files_dhcp_network - Looking for key "192.168.10.1/32"
(1) files_dhcp_network - Found match "192.168.10.1/32" on line 35
of /etc/raddb/mods-config/files_dhcp/dhcp_config_networks
(1) files_dhcp_network - Preparing attribute updates:
(1) &Router-Address := 192.168.10.1
(1) &Subnet-Mask := 255.255.255.0
(1) &Broadcast-Address := 192.168.10.255
(1) &Domain-Name-Server := 192.168.20.2
(1) files_dhcp_network - files_dhcp_network (ok)
(1) } # recv Discover (ok)
"""
From the attempts above I think that "option 2" will work well for me.
Still, it is a bit inconvenient to configure the DHCP relay agent
"receiving" interface in the FreeRADIUS configuration (192.168.10.1/32
in this case).
It would be nice to be able to match by network prefix, so that "any"
DHCP relay agent IP from the prefix 192.168.10.0/24 would match some
section.
It is probably possible via unlang (something like a foreach loop + IP
address to network prefix comparison
[https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/unlang/condition/cmp.html#_ip_address_comparisons])
but I need to read more to understand "if" and "how".
Thank you very much!
// Dmitrii.
On Mon, 11 Nov 2024 at 12:27, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Nov 11, 2024, at 4:00 AM, Dima Ermakov <demonihin at gmail.com> wrote:
> > Thank you for your explanations.
> > I am sorry for being annoying but I am still somewhat lost.
>
>
> > I will try to explain what I want to achieve using an example below:
> >
> > Here is a network description (all network numbers are imaginary):
> >
> > VLAN 10 (192.168.10.0/24, default gateway 192.168.10.1, DNS server
> > 192.168.20.2, DHCP relay 192.168.10.1).
> > VLAN 20 (192.168.20.0/24, default gateway 192.168.20.1, DNS server
> > 192.168.20.2, DHCP relay 192.168.20.1).
> > VLAN 30 (192.168.30.0/24, default gateway 192.168.30.1, DNS server
> > 192.168.20.2, DHCP relay 192.168.30.1).
>
> OK.
>
> > The FreeRADIUS is in VLAN 30, 192.168.30.5.
> >
> > VLAN 10 and VLAN 20 are connected via a switch with layer 3 support
> > and DHCP relay.
> > The DHCP relay is configured to send DHCP packets to the FreeRADIUS IP
> > + add the GIADDR IP address of the interface to which the relay
> > receives DHCP packets (Gateway-IP-Address in FreeRADIUS as far as I
> > understand).
> >
> > The goal is to configure FreeRADIUS to offer IP addresses via DHCP for
> > networks VLAN 10 and VLAN 20.
>
> Does the gateway send VLAN information in the DHCP packets? i.e. how does FreeRADIUS know which VLAN is in use?
>
> As always... read the debug output.
>
> > The networks 192.168.10.0/24 and 192.168.20.0/24 should have different
> > default gateways but the same DNS settings.
>
> You can configure any options you want in the reply.
>
> > Also, I would like to have the network-specific settings in some kind
> > of text files and not SQL database (if possible) to be able to use
> > external tools to generate (template) the files (expected number of
> > network prefixes is about 300).
>
> That's fine.
>
> > For the FreeRADIUS 3 one of the recommendations was to use "files"
> > module with configuration in the "files" similar to (
> > https://www.freeradius.org/documentation/freeradius-server/3.2.5/howto/protocols/dhcp/policy_network_options.html
> > ):
>
> Yes... there's no need to keep posting that link. You already did that. Posting it again and again doesn't help.
>
> > """
> > network DHCP-Network-Subnet < 192.168.10.0/24
> > DHCP-Subnet-Mask := 255.255.255.0,
> > DHCP-Router-Address := 192.168.10.1,
> > DHCP-Domain-Name-Server := 192.168.20.2,
> > DHCP-IP-Address-Lease-Time := 7200
> >
> >
> > network DHCP-Network-Subnet < 192.168.20.0/24
> > DHCP-Subnet-Mask := 255.255.255.0,
> > DHCP-Router-Address := 192.168.20.1,
> > DHCP-Domain-Name-Server := 192.168.20.2,
> > DHCP-IP-Address-Lease-Time := 7200
> > """
> >
> > Could you, please, recommend a way to implement something similar with
> > FreeRADIUS 4?
>
> I already gave you one option: just write the policies in unlang. This can be automatically generated.
>
> Another option is to read the comments in the "files" module. It points you to some more documentation, which is also online at:
>
> https://www.freeradius.org/documentation/freeradius-server/4.0.0/raddb/mods-available/files.html
>
> and then that links to:
>
> https://www.freeradius.org/documentation/freeradius-server/4.0.0/raddb/mods-config/files/users.html
>
> That page says you can use IP addresses as keys! So that's exactly what you want.
>
> Instead of using
>
> key = 'network'
>
> you use
>
> key = DHCP-Network-Subnet
>
> And then the entries are:
>
> 192.168.10.0/24
> DHCP-Subnet-Mask := 255.255.255.0,
> DHCP-Router-Address := 192.168.10.1,
> DHCP-Domain-Name-Server := 192.168.20.2,
> DHCP-IP-Address-Lease-Time := 7200
>
>
> 192.168.20.0/24
> DHCP-Subnet-Mask := 255.255.255.0,
> DHCP-Router-Address := 192.168.20.1,
> DHCP-Domain-Name-Server := 192.168.20.2,
> DHCP-IP-Address-Lease-Time := 7200
>
> That should work.
>
> Alan DeKok.
>
--
Best regards, Dmitrii Ermakov.
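The two behaviours the thread contrasts, as an added example that is not part of the mailing list post and not FreeRADIUS code: an exact-key lookup, which is what the debug output shows when the key expands to 192.168.10.1/32 and the table only has a 192.168.10.0/24 entry (result "noop"), and the longest-prefix lookup the poster would like, where any relay address inside a configured prefix selects that prefix's options. The table, its parser and the two lookup functions are constructed for this illustration; the attribute names and addresses are the ones used in the thread.

```python
"""Model of exact-key vs longest-prefix lookup of DHCP relay addresses.

Added example, not the FreeRADIUS "files" module: it only models the two
matching behaviours discussed in the thread over a constructed table.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample table in the "files"-module layout used in the thread:
# an unindented prefix key followed by indented "Attr := value," lines.
SAMPLE_NETWORKS = """\
192.168.10.0/24
    Router-Address := 192.168.10.1,
    Subnet-Mask := 255.255.255.0,
    Broadcast-Address := 192.168.10.255,
    Domain-Name-Server := 192.168.20.2

192.168.20.0/24
    Router-Address := 192.168.20.1,
    Subnet-Mask := 255.255.255.0,
    Broadcast-Address := 192.168.20.255,
    Domain-Name-Server := 192.168.20.2
"""

Entry = Tuple[ipaddress.IPv4Network, Dict[str, str]]


def parse_networks(text: str) -> List[Entry]:
    """Parse the table into (network, attributes) pairs in file order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Key line: must be a valid prefix with host bits clear,
            # otherwise the file is mis-written and we refuse it.
            entries.append((ipaddress.IPv4Network(raw.strip(), strict=True), {}))
            continue
        if not entries:
            raise ValueError("attribute line before any network key: %r" % raw)
        name, sep, value = raw.strip().rstrip(",").partition(":=")
        if not sep:
            raise ValueError("expected 'Attr := value': %r" % raw)
        entries[-1][1][name.strip()] = value.strip()
    return entries


def exact_lookup(entries: List[Entry], key: str) -> Optional[Dict[str, str]]:
    """Exact-key match: the key must equal an entry's prefix.

    A key of 192.168.10.1/32 (the relay address as a host prefix) is not
    equal to 192.168.10.0/24, so this returns None, matching the "noop"
    seen in the first debug run of the thread.
    """
    wanted = ipaddress.IPv4Network(key, strict=False)
    for net, attrs in entries:
        if net == wanted:
            return attrs
    return None


def longest_prefix_lookup(entries: List[Entry], giaddr: str) -> Optional[Dict[str, str]]:
    """Longest-prefix match of the relay address against the table.

    0.0.0.0 (no relay: a directly connected client) matches nothing, and so
    does an address that lies outside every configured prefix.
    """
    addr = ipaddress.IPv4Address(giaddr)
    if addr.is_unspecified:
        return None
    best: Optional[Entry] = None
    for net, attrs in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return best[1] if best else None


NETWORKS = parse_networks(SAMPLE_NETWORKS)

if __name__ == "__main__":
    print("exact /32 key :", exact_lookup(NETWORKS, "192.168.10.1/32"))
    print("exact /24 key :", exact_lookup(NETWORKS, "192.168.10.0/24"))
    print("prefix lookup :", longest_prefix_lookup(NETWORKS, "192.168.10.1"))
    print("unknown relay :", longest_prefix_lookup(NETWORKS, "192.168.30.1"))
```

The prefix variant keys the options purely on Gateway-IP-Address, which is written by the relay and not by the server, so whichever lookup is used the set of relays allowed to reach the server is what actually bounds which table entries a client can be handed; an address from no configured prefix falls through to "no match" rather than to a default entry.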