FreeRadius to authenticate DHCP Requests with Option82
Hello all,

I am implementing FreeRADIUS to authenticate DHCP requests with Option 82. I have configured a DHCP Relay Agent, DHCP Snooping in a Cisco switch, and a DHCP server. Now I have to configure RADIUS for Option 82. Please help me to configure RADIUS for DHCP Option 82.

Also, I am not clear who will authenticate to RADIUS: the switch, the DHCP Relay Agent, or the DHCP server. After reading the docs I guess it's the DHCP server.

Br.
Sachin Sharma

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius to authenticate DHCP Requests with Option82
On Wed, Feb 22, 2012 at 3:16 PM, sachin.sha...@wipro.com wrote:
> Hello all, I am implementing Free Radius to authenticate DHCP Requests with Option82. I have configured DHCP Relay Agent, DHCP Snooping in CISCO Switch and DHCP Server. Now i have to configure RADIUS for option82.

Are you trying to configure a RADIUS server, or a DHCP server? FreeRADIUS can function as both, but the configuration is different.

> Please help me to configure RADIUS for DHCP option82.

See my previous question.

> Also i am not clear who will authenticate to RADIUS, Switch,DHCP Relay Agent or DHCP Server. After reading docs i guess it's DHCP Server

You might have just answered your own question :)

Two possibilities:

(1) If I understand your question correctly, you DON'T configure a RADIUS server for DHCP option 82. Instead, you configure a DHCP server that can understand and process option 82.

FR SHOULD be able to function as a DHCP server that handles option 82, BUT there are things that require some kind of advanced knowledge. For example:

- you need to enable DHCP functionality explicitly during compilation, or use the latest master or v2.1.x branch from git (which should enable it by default)
- you need to write your own logic on how to handle option 82 (DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id attributes). The git version has an example of the sqlippool module that handles static and dynamic IP assignment, but it doesn't process those two attributes. You need to modify it yourself.

So in short, it SHOULD be possible with FR, but it requires some effort. Depending on your skill and knowledge, you might be better off using another DHCP server.

(2) If I misunderstood your question, and what you need is simply for a RADIUS server that sends a particular attribute, then you need to know what attribute it is, and what value it should contain. Once you have that, implementing it in FR should be easy.

--
Fajar
Re: FreeRadius to authenticate DHCP Requests with Option82
sachin.sha...@wipro.com wrote:
> I am implementing Free Radius to authenticate DHCP Requests with Option82. I have configured DHCP Relay Agent, DHCP Snooping in CISCO Switch and DHCP Server. Now i have to configure RADIUS for option82.

What does that mean? It's like saying "configure a web server for pages".

> Please help me to configure RADIUS for DHCP option82. Also i am not clear who will authenticate to RADIUS, Switch,DHCP Relay Agent or DHCP Server. After reading docs i guess it's DHCP Server

I have no idea what you're doing, so I have no idea how to answer the question.

Alan DeKok.
RE: FreeRadius to authenticate DHCP Requests with Option82
Hello Fajar/Alan,

Thanks for your quick responses!!

I already configured a DHCP server that handles option 82 of DHCP requests, but I am new to RADIUS stuff. For security reasons, we want to introduce RADIUS so that a DHCP Offer is made only to authenticated clients. I just need an idea to have the correct direction.

After reading your response (correct me if my understanding is wrong), now I have to configure my DHCP server to speak with FR before giving a DHCP OFFER.

(1) DHCP Client --- (2) Cisco Switch (adds option 82) --- (3) Relay Agent --- (4) DHCP Server (authenticate DHCP Discovery) --- (5) FRADIUS
(8) DHCP OFFER --- (7) DHCP Server --- (6) (ACCEPT/ACCEPt) --

Br.
Sachin Sharma
Re: FreeRadius to authenticate DHCP Requests with Option82
sachin.sha...@wipro.com wrote:
> I already configured DHCP Server that handles option 82 of DHCP Requests. But new to RADIUS stuff. For security reasons, We want to introduce radius so DHCP Offer is to be made only to authenticated clients.

Ah. That isn't a common configuration. But it is useful.

> I just need a idea to have correct direction. After reading your response ( Correct me if my understanding is wrong ) now I have to configure my DHCP Server to speak with FR before giving DHCP OFFER.

Yes. Or, you can use FreeRADIUS as a DHCP server. That makes it easier.

> (1)DHCP Client---(2)Cisco Switch(Adds option 82)---(3)Relay Agent---(4)DHCP Server (Authenticate DHCP Discovery)-(5)FRADIUS
> (8)DHCP OFFER --- (7)DHCP Server ---(6)(ACCEPT/ACCEPt)--

Yes. If you use FreeRADIUS for both RADIUS and DHCP, you can track user status in a database. When you receive a RADIUS packet, update the database. When you receive a DHCP packet, query the database.

Traditional DHCP servers (i.e. ISC) make this hard. They don't talk to databases. They're firmly stuck in 1980's technology.

Alan DeKok.
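The design Alan sketches above (RADIUS packets update a database, DHCP packets query it) and the option 82 attributes Fajar names earlier in the thread (DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from FreeRADIUS: it parses the DHCP options field of a relayed DISCOVER, extracts the option 82 sub-options defined in RFC 3046, and decides whether an OFFER is allowed by looking the client MAC up in a SQLite table that a RADIUS Access-Accept/Reject handler keeps current. The packet bytes, MAC addresses, port names and the `client_state` schema are all constructed for the example; binding the MAC to the circuit-id recorded at authorization time is an added check that the thread does not prescribe.

```python
"""Model of 'RADIUS updates the DB, DHCP queries the DB' with option 82 parsing.
Added example; not the thread's or FreeRADIUS's code. All sample data is constructed."""
import sqlite3

# Relay Agent Information option (RFC 3046): code 82 with sub-options
# 1 = Agent Circuit ID, 2 = Agent Remote ID.
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2
DHCPDISCOVER = b"\x01"


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the DHCP options field (the bytes after the 0x63825363 magic cookie)
    into {code: value}. Handles pad (0) and end (255) and rejects truncation."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:          # pad byte
            i += 1
            continue
        if code == 255:        # end of options
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_option82(payload: bytes) -> dict:
    """Split the option 82 value into its circuit-id and remote-id sub-options."""
    subs, i = {}, 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        i += 2
        if i + length > len(payload):
            raise ValueError("truncated option 82 sub-option")
        subs[code] = payload[i:i + length]
        i += length
    if i != len(payload):
        raise ValueError("trailing bytes in option 82")
    return {"circuit_id": subs.get(SUB_CIRCUIT_ID, b""),
            "remote_id": subs.get(SUB_REMOTE_ID, b"")}


def format_mac(chaddr: bytes) -> str:
    """Render the first six bytes of chaddr as a lowercase colon-separated MAC."""
    return ":".join("%02x" % b for b in chaddr[:6])


def open_state_db() -> sqlite3.Connection:
    """Constructed schema: one row per client MAC, written by the RADIUS side."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_state (mac TEXT PRIMARY KEY, "
                 "status TEXT NOT NULL, circuit_id TEXT)")
    return conn


def on_radius_event(conn, mac: str, accepted: bool, circuit_id=None) -> None:
    """RADIUS side: record the outcome of an Access-Accept/Reject for this MAC.
    circuit_id (hypothetical) is the switch port the client was authorized on."""
    conn.execute("INSERT OR REPLACE INTO client_state VALUES (?, ?, ?)",
                 (mac.lower(), "authorized" if accepted else "denied", circuit_id))
    conn.commit()


def dhcp_decision(conn, chaddr: bytes, options: bytes) -> tuple:
    """DHCP side: decide whether a relayed DISCOVER may be answered with an OFFER."""
    opts = parse_dhcp_options(options)
    if opts.get(OPT_MESSAGE_TYPE) != DHCPDISCOVER:
        return ("ignore", {})
    mac = format_mac(chaddr)
    agent = parse_option82(opts.get(OPT_RELAY_AGENT, b""))
    row = conn.execute("SELECT status, circuit_id FROM client_state WHERE mac = ?",
                       (mac,)).fetchone()
    if row is None or row[0] != "authorized":
        return ("drop", {"mac": mac, "reason": "not authorized"})
    # Added check: the DISCOVER must arrive on the port the MAC was authorized on.
    if row[1] is not None and agent["circuit_id"].decode(errors="replace") != row[1]:
        return ("drop", {"mac": mac, "reason": "circuit-id mismatch"})
    return ("offer", {"mac": mac, **agent})


def build_sample_discover(mac: bytes, circuit_id: bytes, remote_id: bytes) -> tuple:
    """Construct (chaddr, options) for a DISCOVER as a relay agent would forward it."""
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    options = (bytes([OPT_MESSAGE_TYPE, 1]) + DHCPDISCOVER
               + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + b"\xff")
    return mac + b"\x00" * 10, options


if __name__ == "__main__":
    db = open_state_db()
    on_radius_event(db, "00:11:22:33:44:55", True, "Gi1/0/7")   # constructed
    chaddr, opts = build_sample_discover(bytes.fromhex("001122334455"), b"Gi1/0/7", b"sw-A")
    print(dhcp_decision(db, chaddr, opts))
```

The two halves never call each other directly: the RADIUS handler only writes rows, and the DHCP handler only reads them, which is what lets the same table sit behind a FreeRADIUS DHCP listener, a Mikrotik DHCP server, or any other server that can run a query before sending an OFFER.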
Re: FreeRadius to authenticate DHCP Requests with Option82
On 2012/02/22 01:10 PM, Alan DeKok wrote:
> Yes. If you use FreeRADIUS for both RADIUS and DHCP, you can track user status in a database. When you receive a RADIUS packet, update the database. When you receive a DHCP packet, query the database.
>
> Traditional DHCP servers (i.e. ISC) make this hard. They don't talk to databases. They're firmly stuck in 1980's technology.

Another option which we use very successfully is a Mikrotik DHCP server. It can talk to FreeRADIUS.

http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server

It works well.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: FreeRadius to authenticate DHCP Requests with Option82
On Wed, Feb 22, 2012 at 7:03 PM, Johan Meiring jmeir...@pcservices.co.za wrote:
> Another option which we use very successfully is a Mikrotik DHCP server. It can talk to Freeradius.
>
> http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server
>
> It works well.

Good documentation. So basically the DHCP server converts the Framed-IP-Address RADIUS attribute into a DHCP reply, and the NAS uses other attributes (like rate limit). Neat.

In this case the FR-side setup is easy. Just create a normal user, but with the client's MAC address as User-Name. Not sure about the blank password part, but you should be able to just set Access-Type := Accept.

--
Fajar
Re: FreeRadius to authenticate DHCP Requests with Option82
Hi,

Can you tell me something about performance? I'm using Mtik as NAS for PPPoE users, and 500-600 online users per server is the optimum according to my experience (quad core server, 2GB RAM, ...). ISC DHCP works very well for 6000 users and the same number of cable modems, but I'm not sure Mtik is capable of something like that...

The ISC problem is database integration, which won't be added in the next 150 years... :)

On 22.2.2012 13:03, Johan Meiring wrote:
> On 2012/02/22 01:10 PM, Alan DeKok wrote:
>> Yes. If you use FreeRADIUS for both RADIUS and DHCP, you can track user status in a database. When you receive a RADIUS packet, update the database. When you receive a DHCP packet, query the database.
>
> Another option which we use very successfully is a Mikrotik DHCP server. It can talk to Freeradius.
> http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server
> It works well.
Re: FreeRadius to authenticate DHCP Requests with Option82
Marinko Tarlać wrote:
> Can you tell me something about performances?

It all depends on the DB, because that's where IPs are stored. For a normal database, 1000 packets/s should be possible.

> I'm using Mtik as NAS for PPPoE users and 500-600 online users per server is optimum according to my experiences (Quad core server, 2GB RAM,...).

Wow... that's a lot of CPU for a small number of users.

> ISC DHCP works very well for 6000 users and the same number of cable modems but I'm not sure is Mtik capable for something like that... ISC problem is database integration which won't be added in the next 150 years... :)

Exactly.

Alan DeKok.
Re: FreeRadius to authenticate DHCP Requests with Option82
No no, you didn't understand me... Mtik is installed on the server (HP ML3xx series) and the optimum is 500-600 online PPPoE users... I achieved 1100 online PPPoE users per Mikrotik, but the CPU load was always too high and the packet loss was too high (1-2%). The problem is visible because Mtik creates a simple queue rule for every active connection.

The RADIUS server works perfectly with 5 NASes (2000-3000 online users at the same moment)... I just wanted to know whether Mikrotik is capable (according to users' experiences) of acting as a DHCP server for large networks (for example 10k modems and 10k users behind those modems).

best regards
Marinko

On 22.2.2012 13:53, Fajar A. Nugraha wrote:
> 2012/2/22 Marinko Tarlać mangi...@gmail.com:
>> Hi Can you tell me something about performances? I'm using Mtik as NAS for PPPoE users and 500-600 online users per server is optimum according to my experiences (Quad core server, 2GB RAM,...).
>
> you mean the server is used by FR? You either:
> - setup accounting interim interval to a very low value (e.g. 60 seconds), OR
> - your configuration is REALLY non-optimum
>
> If you use the files backend, then it's very easy to get several auth/sec. If you use a db backend, then your main limiting factor will be accounting, which is limited by how fast your disk IOPS is.
>
> So for starters:
> - what backend did you use for FR? mysql? postgres? others?
> - what kind of disk do you have, and how many? (e.g. 2 x SATA 7200 rpm disks, in hardware raid 1)
> - what is your accounting interim interval?
> - did you modify the default db schema/queries (if using db backend)?