On 31 Aug 2013, at 13:49, Nikolaos Milas <nmi...@noa.gr> wrote: > On 31/8/2013 12:03 πμ, Arran Cudbard-Bell wrote: > >>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)? >> Yes. >> >>> >2. If so, is there a planned freeradius ldap schema change (in future >>> >versions) to include DHCP-* attributes? >> No. But you're welcome to submit a pull request. > > Thanks Arran for your answers. > > Sorry, I don't know really what a "pull request" is, but googling info makes > me think it means I can submit a proposal for schema changes?
Yes. > If so, I might, after I become a bit acquainted to the DHCP FreeRadius > component (and to DHCP in general). OK. > In the meantime, I've also found that I should be able to set an IP Address > to a host (connecting through our Cisco 2950/2960 switches) when doing > dot1x/MAB authentication (against FreeRadius), using the "Framed-IP-Address" > attribute in the reply (and I've also set "radius-server attribute 8 > include-in-access-req" as Cisco advises here: > http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html). > No. > I tried it but the NAS doesn't seem to try to push to the authorized host the > IP Address (-yet the host had already a static IP address). Should the host > (Win Vista in this test case) specify "Obtain an IP Address automatically"? > Would this functionality work without using the FreeRadius Server DHCP > component? No. It's for things like PPP tunnels not for 802.1X and Mac-Auth authentication. > Also, assuming that the authorized (using MAB) host has already a (manually > -or otherwise- preconfigured) static IP address, is there a way FreeRadius > can know which that is, so it can reject the host during reauth if that IP > Address is different than the one specified in the host's LDAP entry? No. With Wired/Wireless 802.1X/Mac-Auth authentication is performed first. Before authentication occurs all traffic (other than EAPOL frames, and wireless management frames) are blocked by the NAS. Once authentication completes the client uses DHCP to acquire an IP address. Some NAS may offer a feature to inspect the SRC IP address of incoming frames after authentication completes. It may then include that value in Accounting data which is sent after authentication completes. The RADIUS server could then in theory use a PoD (RADIUS packet of disconnect) or SNMP to disconnect the client from the NAS if it determined it was using the incorrect IP address when it received one of those accounting packets. FreeRADIUS itself does not offer any user triggable events For this it's sometimes better to use a quarantine VLAN and change that using SNMP, CoA, the Session-Timeout attribute, or PoD, once you're sure the client has the right IP. There is no out of the box solution for this. But FreeRADIUS does provide all the functionality you need. You just need to tie it all together. The solution you choose depends on your clients, your NAS, and the strictness of your policies. Arran Cudbard-Bell <a.cudba...@freeradius.org> FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
