Hi Phil,
It's been a while since we received any feedback about that SoH and
DHCP enforcement. I am just wondering if you had some news about it.
Thanks!
On 11-07-20 2:36 PM, Phil Mayers wrote:
On 07/20/2011 06:07 PM, Francois Gaudreault wrote:
Hi,
I am trying to make the SoH statements work using the FreeRADIUS
DHCP. However, I have issues getting the SoH values from the NAP client.
Maybe someone will be able to help.
On the client side, the DHCP NAP policy is set to enabled.
Unfortunately the SoH DHCP code is unlikely to work very well - I
didn't quite finish it.
The problem is twofold; first, the SoH payloads are >255 bytes (the
max size of a DHCP option) so support for DHCP option "continuation"
is needed; this is doubly tedious because Microsoft use a non-standard
format for option continuation (main option followed by one or more
option 240 IIRC)
The second problem is that the constituent DHCP option(s) are
themselves each >253 bytes, which means they are too big to fit inside
a VALUE_PAIR structure (which is sized for radius attributes, not DHCP
attributes). This means there are two unpalatable choices:
1. Change the VALUE_PAIR union to include a "char dhcpopt[255]" member
2. Decode DHCP options differently based on length; if <= 253, decode
into the "octets" member of VALUE_PAIR; if >253, decode into the "tlv"
pointer-indirection method. This seems... dirty, since you're
basically using the tlv pointer for options of length 254 or 255 only
(although you might want to decode option continuation into the same
buffer I guess?)
Basically, some code needs adding to the DHCP portion of FreeRADIUS to
handle DHCP option continuation, and options >253 bytes, before the
SoH code will work with DHCP.
I don't have much time at the moment, but I might see if I can get
this working tomorrow.
Cheers,
Phil
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
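The two size problems described in the quoted reply (a payload split across a main option plus a continuation option, and a single option larger than a 253-byte RADIUS-sized buffer), as an added example that is not part of the original thread and is not FreeRADIUS code. Assumptions: `dhcp_reassemble` and `demo` are hypothetical names, option code 224 is a constructed placeholder for the main option, and 240 as the continuation code follows the reply's "IIRC" recollection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD 0
#define OPT_END 255

/* Hypothetical helper: append every instance of `code`, plus any `cont`
 * option seen after the first `code`, to out[]. Returns the reassembled
 * length, or -1 if the field is malformed or out[] is too small. */
long dhcp_reassemble(const uint8_t *p, size_t len, uint8_t code, uint8_t cont,
                     uint8_t *out, size_t cap)
{
    size_t i = 0, total = 0;
    int seen = 0;
    while (i < len) {
        uint8_t c = p[i++];
        if (c == OPT_PAD) continue;          /* pad has no length byte */
        if (c == OPT_END) break;
        if (i >= len) return -1;             /* code without a length byte */
        size_t n = p[i++];
        if (n > len - i) return -1;          /* data runs past the packet */
        if (c == code || (seen && c == cont)) {
            if (n > cap - total) return -1;  /* would overflow out[] */
            memcpy(out + total, p + i, n);
            total += n;
            seen = 1;
        }
        i += n;
    }
    return (long)total;
}

/* Constructed sample: 255-byte option 224 followed by 45 bytes in option 240. */
long demo(size_t cap)
{
    uint8_t pkt[305], out[512];
    size_t i = 0;
    pkt[i++] = 224; pkt[i++] = 255; memset(pkt + i, 0xAA, 255); i += 255;
    pkt[i++] = 240; pkt[i++] = 45;  memset(pkt + i, 0xBB, 45);  i += 45;
    pkt[i++] = OPT_END;
    return dhcp_reassemble(pkt, i, 224, 240, out, cap < sizeof(out) ? cap : sizeof(out));
}

int main(void)
{
    printf("253-byte buffer: %ld\n512-byte buffer: %ld\n", demo(253), demo(512));
    return 0;
}
```

With a 253-byte destination the first 255-byte option is already rejected, which is the VALUE_PAIR sizing problem the reply describes; the length checks before each copy are what keep a hostile or truncated options field from reading or writing out of bounds.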