On Fri, Nov 05, 2004 at 10:36:26AM +0800, Chan Min Wai wrote:
> Craig Huckabee wrote:
> > Paul Hampson wrote:

> >> On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:

> >>> I hope that the radius server can talk to the DHCP server and tell the DHCP
> >>> server what IP address to allocate...

> >> Write a script that adds the authenticated client's MAC address and
> >> the IP Address you've assigned to the DHCP server's config and reloads
> >> the DHCP server. It'll also have to get rid of other stanzas for that
> >> MAC address/IP address (trusting rlm_ippool to know what IP addresses
> >> are free, which means you need to be getting Accounting packets, I
> >> expect.)

> Woo, that means whenever any user logs in my DHCP server is reloading... WOO,
> that is a hell of a lot of work, and if there are multiple users logging in at
> the same time... hehe my dhcpd server will keep on reloading without doing
> anything good :(

Yeah, it is pretty evil. In my defense, I'd only had two hours sleep in
36 hours when I wrote that. ^_^

> However I found something like this...
> http://www.ietf.org/internet-drafts/draft-ietf-dhc-agentopt-radius-08.txt

> Hoping someone will be able to read into it.

Sadly, that's no good. That lets the RADIUS server give
attributes to the NAS to add to DHCP requests (which is 
what you want, roughly) but specifically excludes
        Framed-IP-Address
so it specifically prevents the RADIUS server from picking
the IP address for the DHCP server. (Which makes sense. ^_^)

Actually, this draft _could_ work since it would give the
DHCP server a chance to associate the RADIUS username with
the lease in its logs, then you can see who owns what IP.

However, this draft doesn't affect the RADIUS server, only
the DHCP server and DHCP Relay Agent (802.1x gateway device).

So you'll have to take it up with your switch manufacturer,
and DHCP server software provider. I _expect_ the DHCP software
will just log the attributes... ^_^

Short answer is there's no easy way to make RADIUS pick the IP
address for an 802.1x client. Your best bet is to correlate the
logs of your DHCP server with the logs of your RADIUS server.

Can you make your 802.1x device use an external DHCP server?
If so, or you can make its internal DHCP server log externally,
you can prolly match by MAC address to RADIUS logon requests,
assuming it gets sent a MAC address in the 802.1x authentication.

If it was me, I'd make an 802.1x device that also gives out via
DHCP the RADIUS-dictated Framed-IP-Address, so I'm sure there's
good reasons this doesn't happen.

> BTW, all the questions I'm asking are about RADIUS with a wired network (on
> 10/100 Base-T). And the users I'm looking at are about 100K ~ 500K ;)

Apart from scale, wired or wireless is irrelevant to 802.1x. ^_^

-- 
Paul "TBBle" Hampson, on an alternate email client.
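The log correlation suggested above (match DHCP leases to RADIUS logons by MAC address), as an added example that is not part of the original thread: it joins constructed dhcpd DHCPACK lines with constructed FreeRADIUS detail-file records on a normalised MAC, because the switch's Calling-Station-Id and dhcpd's log rarely spell the MAC the same way. The log formats, hostnames and sample values are assumptions.

```python
import re
# Constructed dhcpd syslog lines (sample data, not from the original thread).
DHCPD_LOG = """\
Nov  5 10:40:02 dhcp1 dhcpd: DHCPACK on 10.1.2.30 to 00:11:22:33:44:55 (alice-pc) via eth1
Nov  5 10:41:17 dhcp1 dhcpd: DHCPACK on 10.1.2.31 to aa:bb:cc:dd:ee:ff via eth1
Nov  5 10:42:05 dhcp1 dhcpd: DHCPACK on 10.1.2.32 to 02:00:00:00:00:01 via eth1
"""
# Constructed FreeRADIUS detail-file records. The switch reports the 802.1x
# supplicant's MAC as Calling-Station-Id, usually dashed/upper-case, not dhcpd's form.
RADIUS_DETAIL = """\
Fri Nov  5 10:39:58 2004
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-33-44-55"

Fri Nov  5 10:41:10 2004
\tUser-Name = "bob"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-FF"
"""

DHCPACK_RE = re.compile(r'DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-fA-F:]{17})')
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def normalize_mac(raw):
    # Canonicalise to aa:bb:cc:dd:ee:ff so the two logs can be joined on it.
    digits = re.sub(r'[^0-9a-fA-F]', '', raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_dhcp_acks(text):
    # MAC -> IP from DHCPACK lines; a later ACK for the same MAC supersedes.
    leases = {}
    for m in (DHCPACK_RE.search(line) for line in text.splitlines()):
        if m:
            leases[normalize_mac(m.group(2))] = m.group(1)
    return leases

def parse_radius_detail(text):
    # MAC (Calling-Station-Id) -> User-Name; records are separated by blank lines.
    users = {}
    for record in text.split('\n\n'):
        attrs = dict(m.groups() for m in map(ATTR_RE.match, record.splitlines()) if m)
        if 'User-Name' in attrs and 'Calling-Station-Id' in attrs:
            users[normalize_mac(attrs['Calling-Station-Id'])] = attrs['User-Name']
    return users

def correlate(dhcp_text, radius_text):
    # Join on MAC: ip -> (user, mac). Leases with no RADIUS record are returned
    # separately: addresses handed out with no matching 802.1x logon in this window.
    leases, users = parse_dhcp_acks(dhcp_text), parse_radius_detail(radius_text)
    matched = {ip: (users[mac], mac) for mac, ip in leases.items() if mac in users}
    unmatched = {ip: mac for mac, ip in leases.items() if mac not in users}
    return matched, unmatched
```

In practice the join should also be bounded in time (lease time versus the Access-Accept timestamp), since a MAC can be re-leased to a different address after the user logs off.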

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html