Hi,

We need RADIUS-based authentication based on the MAC address of the client. That is, given the MAC address of a DHCPv4/v6 client, we want to hand out a pre-defined IPv4 address and IPv6 prefix. If the client MAC is not registered in RADIUS, it should get no IP address.

I started implementing this using the hooks system, but there is no practical hook point I can use. I am currently using the "lease_select" hook point, basically doing this:

- if the client MAC exists in RADIUS, overwrite the IP address in the existing lease passed by Kea to the callout;
- if the client MAC is unknown, set status to NEXT_STEP_SKIP.

The problem is that this happens *after* Kea has already selected a lease in the pool. So, it first needs a pool in the Kea configuration file (which I don't need). Also, for each client, Kea uses up one address of the pool even though I subsequently overwrite the address of the lease. For instance, the first client initially gets IPv4 address X.1, and I overwrite it with address X.189. Then, the second client initially gets IPv4 address X.2, and I overwrite it with address X.77. And so on: I'm not sure what happens when the pool is exhausted.

Here is a log of address allocation showing what happens when the callout overwrites the IPv4 address of a lease:

2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.alloc-engine/1941] ALLOC_ENGINE_V4_OFFER_NEW_LEASE allocation engine will try to offer new lease to the client [hwtype=1 96:ec:f8:ac:d8:bd], cid=[ff:f8:ac:d8:bd:00:01:00:01:19:8e:03:b5:7c:dd:90:30:f4:2f], tid=0x62eebb95
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4 get one host with reservation for subnet id 1 and IPv4 address X.X.X.2
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ALL_ADDRESS4 get all hosts with reservations for IPv4 address X.X.X.2
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ALL_ADDRESS4_COUNT using address X.X.X.2, found 0 host(s)
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4_NULL host not found using subnet id 1 and address X.X.X.2
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.dhcpsrv/1941] DHCPSRV_MEMFILE_GET_ADDR4 obtaining IPv4 lease for address X.X.X.2
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.callouts/1941] HOOKS_CALLOUTS_BEGIN begin all callouts for hook lease4_select
lease4_select: starting.
lease4_select: Client IP address: X.X.X.77
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.callouts/1941] HOOKS_CALLOUT_CALLED hooks library with index 1 has called a callout on hook lease4_select that has address 0x7fa3f9ce393 (callout duration: 0.081 ms)
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.callouts/1941] HOOKS_CALLOUTS_COMPLETE completed callouts for hook lease4_select (total callouts duration: 0.081 ms)
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.dhcpsrv/1941] DHCPSRV_MEMFILE_GET_ADDR4 obtaining IPv4 lease for address X.X.X.2
2017-08-02 20:14:13.343 INFO [kea-dhcp4.leases/1941] DHCP4_LEASE_ADVERT [hwtype=1 96:ec:f8:ac:d8:bd], cid=[ff:f8:ac:d8:bd:00:01:00:01:19:8e:03:b5:7c:dd:90:30:f4:2f], tid=0x62eebb95: lease X.X.X.77 will be advertised

Fundamentally, this use-case differs from the user_chk example: user_chk selects a subnet and lets Kea perform the lease allocation, while we want to perform the lease allocation ourselves in the callout.

So, what about adding a hook point just before address allocation? If the callout returns an address (or IPv6 prefix), check that there is no active lease that conflicts and just use it. Otherwise, use the normal allocation strategy.

Thanks and sorry for the long email,
Baptiste
_______________________________________________
Kea-users mailing list
Keaemail@example.com
https://lists.isc.org/mailman/listinfo/kea-users
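The decision logic the post describes (look the MAC up in RADIUS, rewrite the lease or skip the client) together with the conflict check proposed for a pre-allocation hook, as an added stand-alone model that is not Kea's or the poster's code. Kea's real callout receives a CalloutHandle and its own Lease4 type; the structs, the Decision enum and the MAC-to-address map standing in for the RADIUS lookup are assumptions made here.

```cpp
// Added example, not Kea code: models a MAC-based reservation decision
// for a lease4_select-style callout. Plain structs stand in for Kea types.
#include <cstdint>
#include <map>
#include <string>

// Outcome of the callout; NEXT_STEP_SKIP in Kea corresponds to SkipUnknownClient.
enum class Decision { SkipUnknownClient, UseReserved, FallbackToPool };

struct Lease4 {
    std::string hwaddr;     // client MAC, e.g. "96:ec:f8:ac:d8:bd"
    std::string addr;       // IPv4 address as text (the address Kea pre-selected)
    uint32_t    valid_lft;  // lifetime in seconds
};

// Assumed RADIUS answer: MAC -> reserved address (filled in offline here).
using Reservations = std::map<std::string, std::string>;
// Active leases keyed by address, as the lease backend would hold them.
using ActiveLeases = std::map<std::string, Lease4>;

// Unknown MAC: the client gets no address. Reserved address held by a
// different MAC: leave the lease untouched so normal allocation proceeds
// (the fallback proposed in the post). Otherwise overwrite the address.
Decision selectReserved(Lease4& lease, const Reservations& radius,
                        const ActiveLeases& active) {
    auto r = radius.find(lease.hwaddr);
    if (r == radius.end()) {
        return Decision::SkipUnknownClient;
    }
    auto held = active.find(r->second);
    if (held != active.end() && held->second.hwaddr != lease.hwaddr) {
        return Decision::FallbackToPool;   // conflict with another client's lease
    }
    lease.addr = r->second;                // replace the pool address Kea picked
    return Decision::UseReserved;
}
```

The conflict check also lets a client renew its own reservation, since a lease held by the same MAC is not treated as a conflict.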