Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-25 Thread Alan DeKok
Denis Iskandarov wrote:
 Man, are you kidding me?

  Your original message was unclear, vague, and confusing.

 I know that it's not a DHCP request. It is a DHCP server + RADIUS binding
 scheme. The DHCP server gets a request from the client and asks RADIUS if this
 client is allowed to obtain an IP address. The DHCP server puts the
 client's MAC address in User-Name.

  It would have been useful to say that in the first message.

 Please, does somebody know how to allow MAC auth in FreeRADIUS? (I've read
 the wiki on the freeradius site regarding this.)

  The Wiki is correct.  Following it will work.

 I _*already have*_ inserted this username in the _*users*_ file as well as
 in the *SQL base*.

  Well... read the debug output.  Both files and sql say that the
user wasn't found.

 00:0C:42:40:40:38  Agent-Remote-Id   = 0006000ded21a480

  Read man users.  This line says match the User-Name *and* the
Agent-Remote-Id.  Read the debug output.  The Agent-Remote-Id in the
debug output does *not* match that text.  Instead, the packet contains:

   Agent-Remote-Id = "\000\006\000\r\355!\244\200"

  See?  They're different.  That's why they don't match.

 I assume it can't see the MAC format of the username.

  No.

 How should FreeRADIUS be able to process a username in MAC format?

  By deleting the Agent-Remote-Id line from the users file.

 Here is the radius debug and the errors that it can't see the username BUT it is
 listed in users and sql

  Yes... with *additional* checks that require a match for
Agent-Remote-Id.  Since that doesn't match, the entry for the users
file doesn't match, either.

  The behavior of the users file is documented.  The debug output
shows what the server receives.  While there is a lot of text to read,
the answer *is* in the information you have.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
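The two representations Alan contrasts above (the hex text in the users file versus the escaped octets in the debug output) as an added example; this is not code from the thread or from FreeRADIUS, the escape rules it applies are an assumption inferred from the debug line shown, and the function names are mine:

```python
import re

# Escape rules assumed from the debug line above: \r \n \t \" \\ for those
# bytes, \ooo (three octal digits) for other non-printable bytes, and every
# other byte printed literally. This is an inference, not FreeRADIUS's source.
_NAMED = {"r": b"\r", "n": b"\n", "t": b"\t", '"': b'"', "\\": b"\\"}
_TOKEN = re.compile(r'\\([0-7]{3})|\\([rnt"\\])|(.)', re.DOTALL)


def decode_debug_string(text: str) -> bytes:
    """Turn the escaped form printed in radiusd -X output back into raw bytes."""
    out = bytearray()
    for octal, named, literal in _TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif named:
            out += _NAMED[named]
        else:
            out += literal.encode("latin-1")
    return bytes(out)


def encode_debug_string(data: bytes) -> str:
    """Render raw attribute bytes the way the debug output prints them."""
    pieces = []
    for b in data:
        ch = chr(b)
        if ch in "\r\n\t\"\\":
            pieces.append("\\" + {"\r": "r", "\n": "n", "\t": "t"}.get(ch, ch))
        elif 32 <= b < 127:
            pieces.append(ch)
        else:
            pieces.append("\\%03o" % b)
    return "".join(pieces)


def users_value_matches_packet(users_value: str, packet_debug_value: str) -> bool:
    """Would a users-file check value match the attribute seen in the packet?

    A check item compares the bytes the users-file value denotes (assumed here
    to use the same escapes as the debug output) with the bytes in the packet.
    A bare hex string such as 0006000ded21a480 denotes sixteen ASCII characters,
    not the eight raw bytes the relay agent sent, so the check fails and the
    whole users entry is skipped.
    """
    return decode_debug_string(users_value) == decode_debug_string(packet_debug_value)
```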


Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-25 Thread Denis Iskandarov
Thank you very much!
I'll post my result negative/positive and share my experience.

Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-24 Thread Denis Iskandarov
Hello!
I'm trying to set up a network with DHCP Snooping Option 82 functionality
+ FreeRADIUS auth for DHCP requests.
The DHCP server which receives DHCP packets from the Cisco switch DHCP relay
is a Mikrotik RouterBoard.
freeradius2-2.1.7-7.el5. Also updated the dictionary from the new 2.1.10 package.
Option 82 works perfectly without radius, simply giving IPs to all requests.

The Mikrotik RB sends the Option 82 request to FreeRADIUS with Redback vendor
attributes.
Also I've got eap-ttls and sql auth working on the same FreeRADIUS server. But
for simplicity I tried to use the files auth method,
which I think should work simultaneously, depending on where the user name
is found and which methods apply to it.
Please correct me if I'm wrong. I can't see the files method in the debug; by
the way, it says that it can't find an auth method for the username O_O :(.
I don't know what else to do. FreeRADIUS should receive User-Name,
Remote and Circuit ID and send Request-Accept with Framed-IP from
Mikrotik's DHCP pool.

So here are my debugs and the username configured in the users file:

Attributes seen in Mikrotik:
ARemote-id:   0:6:0:d:ed:21:a4:80
ACircuit-ID:  0:4:0:2:0:0

Attributes sniffed from the packet, seen in hex:
Remote-ID:  0006000ded21a480  this is inside: VSA: l=10 t=Agent-Remote-Id(96): \000\006\000\r\355!\244\200
Circuit-ID: 00040002          this is inside: VSA: l=8  t=Agent-Circuit-Id(97): \000\004\000\002\000\000


00:0C:42:40:40:38  Agent-Remote-Id   = 0006000ded21a480
                   Agent-Circuit-Id  = 00040002,
                   Framed-IP-Address = 192.168.3.155

Here I've tried different formats of these 2 attributes, sniffed with
Wireshark, with colons and without. But as I have sniffed the traffic and
saw the radius debug, it accepts them in a different format with slashes;
hope those are unreadable ASCII characters as I was told and

Here is radius debug output for first request-reject packets:


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file

Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-24 Thread Alan DeKok
Denis Iskandarov wrote:
 Hello!
 I'm trying to set up a network with DHCP Snooping Option 82 functionality
 + FreeRADIUS auth for DHCP requests.
 The DHCP server which receives DHCP packets from the Cisco switch DHCP relay
 is a Mikrotik RouterBoard.
 freeradius2-2.1.7-7.el5. Also updated the dictionary from the new 2.1.10 package.

  Uh... why?  The dictionaries are strongly tied to specific revisions
of the software.

  If you're going to use the 2.1.10 dictionaries, you should use the
2.1.10 software, too.

 Option 82 works perfectly without radius, simply giving IPs to all requests.

 The Mikrotik RB sends the Option 82 request to FreeRADIUS with Redback vendor
 attributes.
 Also I've got eap-ttls and sql auth working on the same FreeRADIUS server. But
 for simplicity I tried to use the files auth method,
 which I think should work simultaneously, depending on where the user name
 is found and which methods apply to it.

  I have no idea what that means, or what that has to do with DHCP.

 Please correct me if I'm wrong. I can't see the files method in the debug; by
 the way, it says that it can't find an auth method for the username O_O :(.
 I don't know what else to do. FreeRADIUS should receive User-Name,
 Remote and Circuit ID and send Request-Accept with Framed-IP from
 Mikrotik's DHCP pool.

  That makes no sense.  Please use the *correct* names for terminology,
and describe what you want in detail.

  Alan DeKok.


Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-24 Thread Denis Iskandarov
So as I understood, one of the problems is that FreeRADIUS can't find the
username which is in MAC-address format.
Besides the users file I've added the same user to the SQL base, UI with
daloRADIUS. radius can't find this username there as well.

P.S.: sql+ daloradius are working fine for eap user/pass configuration.


Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-24 Thread Denis Iskandarov
Also I did this check from daloradius:

Executed:
echo "User-Name='00:0C:42:40:40:38',User-Password=" | radclient -c '1' -n '3' -r '3' -t '3' -x '127.0.0.1:1812' 'auth' 'testing123' 2>&1

Results:
Sending Access-Request of id 3 to 127.0.0.1 port 1812
User-Name = "00:0C:42:40:40:38"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=3, length=20


Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-24 Thread Denis Iskandarov
Ok.
The DHCP server asks radius what to do with the dhcp-request. Radius gives
accept if the username (MAC address) is in its database, plus adds
framed-ip-address and some other attributes to the reply.

As I understood from the debug, FreeRADIUS can't find the username (which is
the MAC address, sent in the User-Name attribute field), which is described
in the USERS file, as well as in the SQL base.

Yep, maybe I didn't explain my problem the first time, but I think you
could see the debug and errors there which can help you remember if you
had the same problem with a username not being found.


Re: Option 82 DHCP Snooping + Freeradius auth of DHCP requests

2010-11-24 Thread Alan DeKok
Denis Iskandarov wrote:
 The DHCP server asks radius what to do with the dhcp-request. Radius gives
 accept if the username (MAC address) is in its database, plus adds
 framed-ip-address and some other attributes to the reply.

  Except that a User-Name is never in a DHCP request.

 As I understood from the debug, FreeRADIUS can't find the username (which is
 the MAC address, sent in the User-Name attribute field), which is described
 in the USERS file, as well as in the SQL base.

  So... look in the Access-Request packet for the format of the
User-Name, and add that to the users file, or SQL database.

  Alan DeKok.


DHCP with option 82 best practice

2010-10-18 Thread Zietz, Marco
Hi everybody,

at first I want to thank Arran and Alan for their help with my last
post. Good job! Had trouble getting the list's replies, but that's solved now.

I am curious if somebody could share information how to get FR as DHCP
with option 82 authentication up and running. Couldn't find much
information in provided sample files and on the net. My own experiments
with auth configs were not particularly successful. The key I am missing
is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and
DHCP-Discover messages and kicking in some kind of auth in order to
return a DHCP-Offer/Ack message including a client IP out of the
configured IP pools. Backend is mysql. 

I have the feeling that most users are heading straight for rlm_perl and not
using the ppp/chap/pap-like chain. This I would understand since the
handshakes differ. Confirmation of this thesis would help me as well, so
I can stop searching and start coding ;o)

Any comment much appreciated!

Cheers,

Marco




Re: DHCP with option 82 best practice

2010-10-18 Thread Phil Mayers

On 10/18/2010 05:05 PM, Zietz, Marco wrote:

 I am curious if somebody could share information how to get FR as DHCP
 with option 82 authentication up and running. Couldn't find much
 information in provided sample files and on the net. My own experiments
 with auth configs were not particularly successful. The key I am missing

What have you tried? Why didn't it work?

 is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and
 DHCP-Discover messages and kicking in some kind of auth in order to
 return a DHCP-Offer/Ack message including a client IP out of the
 configured IP pools. Backend is mysql.

As with most things in FreeRadius, the key (pardon the pun) is
determining what data is in the input packet, what data you want in the
reply and what key/value lookup you need to do to achieve that.


The difficulty with DHCP is that you really need to do the following:

start transaction
select ip from pool where key=... and not used
update ip set used=true where ip=...
commit
add ip to reply packet

The rlm_sqlippool module does this for example, but the queries it 
executes are perhaps not suited to DHCP allocation; I haven't tried it.


If your DHCP pools are simple - one IP per switch/port and no pools -
then you could just do:

update reply {
  DHCP-Your-IP-Address = "%{sql:select ip from opt82 where switch='%{DHCP-Agent-Remote-Id}' and port='%{DHCP-Agent-Circuit-Id}'}"
}

...but this may cause problems without proper lease management.



 I have the feeling that most users are heading straight for rlm_perl and not
 using the ppp/chap/pap-like chain. This I would understand since the
 handshakes differ. Confirmation of this thesis would help me as well, so
 I can stop searching and start coding ;o)

I don't recognise the terminology you use here: handshakes?

In pretty much all modes, FreeRadius is a system for processing 
attribute/value pairs and generating replies. DHCP is just another 
encoding for AVPs with the slightly complex aspect that lease management 
needs to be (a bit) transactional, so anything other than fixed mac-IP 
mappings needs a bit of work. That is why people may use perl or things 
more complex than unlang/rlm_passwd - the need for transactional lease 
allocation.


I suspect few people are using FreeRadius for DHCP in anger yet, which 
explains why you have found little info, but I'm sure it can do it. If 
you can provide more info about what you've tried that doesn't work...

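The transactional allocation Phil sketches above (begin, select a free address, mark it used, commit) and the fixed switch/port lookup from his update block, as an added example in Python against an in-memory SQLite database. This is not FreeRADIUS's rlm_sqlippool code; the table layout, column names, the 1800-second lease and the sample rows are constructed for the example (the Option 82 values are the ones from the earlier thread on this page).

```python
import sqlite3

LEASE_SECONDS = 1800  # assumed lease length for this example


def open_pool(ips, fixed_mappings=()):
    """Constructed in-memory database: a lease pool and a switch/port -> IP table."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT below
    conn.execute("CREATE TABLE pool (ip TEXT PRIMARY KEY, key TEXT, "
                 "expires INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO pool (ip) VALUES (?)", [(ip,) for ip in ips])
    conn.execute("CREATE TABLE opt82 (switch TEXT, port TEXT, ip TEXT, "
                 "PRIMARY KEY (switch, port))")
    conn.executemany("INSERT INTO opt82 VALUES (?, ?, ?)", fixed_mappings)
    return conn


def allocate(conn, key, now):
    """Lease an address to `key` (client MAC, or remote-id + circuit-id).

    Returns the IP, or None when the pool is exhausted. BEGIN IMMEDIATE takes
    the write lock before the SELECT, so two requests arriving together cannot
    both pick the same free address: that is the race the select/update/commit
    sketch above exists to close.
    """
    conn.execute("BEGIN IMMEDIATE")
    try:
        # A DHCP-Request that follows a DHCP-Discover must get the address
        # already offered, so look for an unexpired lease on this key first.
        row = conn.execute("SELECT ip FROM pool WHERE key = ? AND expires > ?",
                           (key, now)).fetchone()
        if row is None:
            row = conn.execute("SELECT ip FROM pool WHERE key IS NULL OR expires <= ? "
                               "ORDER BY expires LIMIT 1", (now,)).fetchone()
        if row is None:
            conn.execute("ROLLBACK")
            return None
        conn.execute("UPDATE pool SET key = ?, expires = ? WHERE ip = ?",
                     (key, now + LEASE_SECONDS, row[0]))
        conn.execute("COMMIT")
        return row[0]
    except Exception:
        conn.execute("ROLLBACK")
        raise


def release(conn, key, ip):
    """DHCP-Release: free the address only if this key actually holds it."""
    cur = conn.execute("UPDATE pool SET key = NULL, expires = 0 WHERE ip = ? AND key = ?",
                       (ip, key))
    return cur.rowcount == 1


def fixed_lookup(conn, remote_id, circuit_id):
    """The one-IP-per-switch/port lookup from the 'update reply' block above,
    with the Option 82 values bound as parameters rather than spliced into
    the query text."""
    row = conn.execute("SELECT ip FROM opt82 WHERE switch = ? AND port = ?",
                       (remote_id, circuit_id)).fetchone()
    return row[0] if row else None
```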


Re: DHCP with option 82 best practice

2010-10-18 Thread Alan DeKok
Zietz, Marco wrote:
 I am curious if somebody could share information how to get FR as DHCP
 with option 82 authentication up and running.

  I don't know what option 82 authentication means.

 Couldn't find much
 information in provided sample files and on the net. My own experiments
 with auth configs were not particularly successful. The key I am missing
 is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and
 DHCP-Discover messages and kicking in some kind of auth in order to
 return a DHCP-Offer/Ack message including a client IP out of the
 configured IP pools. Backend is mysql. 

  The SQL IP Pool module only works with RADIUS right now.

  Alan DeKok.


Re: Option 82 parse problems.

2010-05-28 Thread Alan DeKok
Anton wrote:
 1. In dictionary.dhcp there are two strings (version 2.1.8):
 
 ATTRIBUTE DHCP-Agent-Circuit-Id 0x0152  octets
 ATTRIBUTE DHCP-Agent-Remote-Id  0x0252  octets
 
 but when I start radiusd -X I see only one whole string like:
 
 DHCP-Relay-Agent-Information = 0x01060004006402080006000cce477c00

  Yes... this was fixed in 2.1.9.  Don't expect 2.1.8 to parse option 82.

 How can I get DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id without using 
 perl post_auth ?

  2.1.9 was tested to work.

 2. There is an announced feature in 2.1.9: "Add sub-option support for Option 82.
 See dictionary.dhcp." When I
 start radiusd -X (2.1.9) with its dictionary.dhcp it begins to eat 100% of CPU
 with no output in the console
 after the first dhcp packet is received.

  Please supply a packet trace (wireshark / tcpdump) which contains that
packet.  If we had seen this issue in testing 2.1.9, we would have fixed it.

 How to use this announced feature of sub-option for opt82 ?

  It was tested to work with a number of different switches.

 How to find the reason why radiusd (2.1.9) eats 100% of CPU ?

  Supply a pcap file containing the packet, so we can reproduce the
problem, and fix it.

  Alan DeKok.


Re: Option 82 parse problems.

2010-05-28 Thread Anton
Ok. Please see the attachments. But I'm afraid that it may be only my case, my
unfortunate radius configuration.

This is not the packet received directly from the switch but from switch-dhcrelay.

On Fri, 28 May 2010 13:11:57 +0700
Alan DeKok al...@deployingradius.com wrote:

   Please supply a packet trace (wireshark / tcpdump) which contains that
 packet.  If we had seen this issue in testing 2.1.9, we would have fixed it.
 
  How to use this announced feature of sub-option for opt82 ?
 
   It was tested to work with a number of different switches.
 
  How to find the reason why radiusd (2.1.9) eats 100% of CPU ?
 
   Supply a pcap file containing the packet, so we can reproduce the
 problem, and fix it.
 
   Alan DeKok.


-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797



Attachments: dhcp_on_client.dump, dhcp_on_server.dump, dhcrelay-to-radius.dump (binary data)

Re: Option 82 parse problems.

2010-05-28 Thread Alan DeKok
Anton wrote:
 Ok. Please see the attachments. But I'm afraid that it may be only my case, my
 unfortunate radius configuration.

  It looks to be a bug in 2.1.9.  I'll see if I can put a fix into
'git', the v2.1.x branch in the next few days.

  Alan DeKok.


Option 82 parse problems.

2010-05-27 Thread Anton
Good day.

I'm trying to set up freeradius as a DHCP server with option 82 parsing and SQL
data lookup. Now I use versions
2.1.8 and 2.1.9 with exactly the same configs and there is no SQL configuration
yet, only the default dhcp
config with my test diff (see below). I have two questions for now:


1. In dictionary.dhcp there are two strings (version 2.1.8):

ATTRIBUTE DHCP-Agent-Circuit-Id 0x0152  octets
ATTRIBUTE DHCP-Agent-Remote-Id  0x0252  octets

but when I start radiusd -X I see only one whole string like:

DHCP-Relay-Agent-Information = 0x01060004006402080006000cce477c00

How can I get DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id without using perl 
post_auth ?


2. There is an announced feature in 2.1.9: "Add sub-option support for Option 82.
See dictionary.dhcp." When I
start radiusd -X (2.1.9) with its dictionary.dhcp it begins to eat 100% of CPU
with no output in the console
after the first dhcp packet is received.

How to use this announced feature of sub-option for opt82 ?
How to find the reason why radiusd (2.1.9) eats 100% of CPU ?


My dhcp site config (with changed ip-addresses):

server dhcp {
        listen {
                ipaddr = 192.168.0.1
                port = 67
                type = dhcp
                interface = eth0
        }
        dhcp DHCP-Discover {
                update reply {
                        DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
                }
                linelog
                update reply {
                        DHCP-Domain-Name-Server = 192.168.0.1
                        DHCP-Domain-Name-Server = 192.168.10.1
                        DHCP-Subnet-Mask = 255.255.255.240
                        DHCP-IP-Address-Lease-Time = 1800
                }
                mac2ip
                linelog
                ok
        }
        dhcp DHCP-Request {
                update reply {
                        DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
                }
                linelog
                update reply {
                        DHCP-Domain-Name-Server = 192.168.0.1
                        DHCP-Domain-Name-Server = 192.168.10.1
                        DHCP-Subnet-Mask = 255.255.255.224
                        DHCP-IP-Address-Lease-Time = 1800
                }
                linelog
                ok
        }
        dhcp {
                update reply {
                        DHCP-Message-Type = DHCP-NAK
                }
        }
}
passwd mac2ip {
        filename = ${confdir}/mac2ip
        format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
        delimiter = ","
}



-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797




option 82

2010-02-26 Thread Kevin Croes
Hi,

I work at an ISP and we are looking at the possibility to use option
82 in FreeRADIUS. The other side is going to send us an order number
and then we want to send a configuration back (an IP address etc.).
Been searching how to do this in FreeRADIUS, but haven't found much
useful information. So, if somebody can point me in the right
direction on how to set it up in FreeRADIUS. Any help will be greatly
appreciated.

Gr,

Kevin


Re: option 82

2010-02-26 Thread Alan DeKok
Kevin Croes wrote:
 I work at an ISP and we are looking at the possibility to use option
 82 in FreeRADIUS.

  In what, DHCP?  RADIUS?

 The other side is going to send us an ordernumber
 and then we want to send a configuration back (an ip address etc.).

  I have no idea what that means...

 Been searching how to do this in FreeRADIUS, but haven't found much
 useful information. So, if somebody can point me in the right
 direction on how to set it up in FreeRADIUS. Any help will be greatly
 appreciated.

  Perhaps you could describe the problem in more detail.

  Alan DeKok.


Re: option 82

2010-02-26 Thread Bryan Campbell
Google Radius DHCP client and start reading.



:-)

FWIW - This isn't a Freeradius question.
b...@misn.com


Re: option 82

2010-02-26 Thread Arne Larsen
Hi Kevin.

I think you are looking the wrong way; option 82 is a DHCP option, and is
used for validating the source port of the request.
If you had a router with a pool of addresses hooked up on a loopback
interface and ran unnumbered on CPE interfaces, you could use this option
to do static address assignment on DHCP.
The relay agent will put information about the source port into the
relayed request.


/Arne
