Freeradius DHCP


Freeradius DHCP

Maile Halatuituia
Hi

I am wondering if someone could provide links or details for setting up FreeRADIUS to do authentication for DHCP users.


My scenario is like this.


BRAS DHCP Server (Cisco ASR 1000) ---------- L2 Networks -------------- DHCP Relay Agent (Residential Gateway Router) ----------- WIFI or LAN Clients.

            |
            |
            |
   Freeradius Server


With the basic setup I already have this RADIUS packet, sent from my BRAS to my FreeRADIUS server, below:


        Acct-Session-Id = "00000014"
        Framed-IP-Address = x.x.x.x
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Authentic = Local
        Acct-Status-Type = Start
        Service-Type = Framed-User
        NAS-IP-Address = ip address
        PMIP6-Home-HN-Prefix = 3137:3631:3546::/69
        Event-Timestamp = "Aug 12 2019 08:48:27 +13"
        NAS-Identifier = "HA_BNG3.domain"
        Acct-Delay-Time = 0
        Module-Failure-Message = "Failed retrieving values required to evaluate condition"
        Acct-Unique-Session-Id = "ace935df6fcf9405158c4ea3e4efc36f"
        Timestamp = 1565552667

Appreciate your kind help in advance.



Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius DHCP

Alan DeKok-2
On Aug 11, 2019, at 4:34 PM, Maile Halatuituia <[hidden email]> wrote:
> I am wondering if someone could provide links or details for setting up FreeRADIUS to do authentication for DHCP users.

  Do you mean MAC address authentication?

  The DHCP protocol doesn't do authentication.

>
> My scenario is like this.
>
>
> BRAS DHCP Server (Cisco ASR 1000) ---------- L2 Networks -------------- DHCP Relay Agent (Residential Gateway Router) ----------- WIFI or LAN Clients.
>
>            |
>
>            |
>
>   Freeradius Server

  Does the BRAS send RADIUS packets to the RADIUS server?

>
> With the Basic Setup i already have this Radius Packet sent from my BRAS to my Freeradius Server below
>
>        Acct-Session-Id = "00000014"
>        Framed-IP-Address = x.x.x.x

  That's an accounting packet.  That isn't authentication.

  Alan DeKok.



RE: Freeradius DHCP

Maile Halatuituia
Hi Alan
Sorry, I should have read more before I sent the question.

Actually I was referring to PPPoE-like authentication, and you have confirmed DHCP does not do the same.

Any idea how I could achieve something at least similar to PPPoE? I mean, is it possible to authenticate DHCP clients before assigning the address, similar to what PPP does with FreeRADIUS on PPPoE?



Re: [EXTERNAL] RE: Freeradius DHCP

Users mailing list
As with most AAA questions, the answer is to look to the session management device (BRAS, WiFi controller, etc.). What is common is for the DHCP interop to actually create a RADIUS request to set up the session's QoS etc., and thus it's here that you get to refuse to connect a device. That ASR 1000 certainly should do something like this. If you refuse, the DHCP shouldn't happen anyway, which is the best you can do really.

A.


On 12/08/2019, 02:24, "Freeradius-Users on behalf of Maile Halatuituia" <freeradius-users-bounces+alister.winfield=[hidden email] on behalf of [hidden email]> wrote:

    Hi Alan
    Sorry I should have read more before I send the question.

    Actually I was referring to the PPPoE like Authentication and you have confirmed DHCP does not do the same.

    Any idea how I would achieve at least similar to PPPoE. I mean is it possible to authenticate DHCP clients before assigning the Address. I mean similar to what PPP does with Freeradius on PPPoE.


    -----Original Message-----
    From: Freeradius-Users <freeradius-users-bounces+maile.halatuituia=[hidden email]> On Behalf Of Alan DeKok
    Sent: Monday, 12 August 2019 1:34 PM
    To: FreeRadius users mailing list <[hidden email]>
    Subject: Re: Freeradius DHCP

    On Aug 11, 2019, at 4:34 PM, Maile Halatuituia <[hidden email]> wrote:
    > I am wondering if someone could provide links or detail for setting up Freeradius to do Authentication dor DHCP user.

      Do you mean MAC address authentication?

      The DHCPO protocol doesn't do authentication.

    >
    > My scenario is like this.
    >
    >
    > BRAS DHCP Server (Cisco ASR 1000) ---------- L2 Networks -------------- DHCP Relay Agent (Residential Gateway Router) ----------- WIFI or LAN Clients.
    >
    >            |
    >
    >            |
    >
    >   Freeradius Server

      Does the BRAS send RADIUS packets to the RADIUS server?

    >
    > With the Basic Setup i already have this Radius Packet sent from my BRAS to my Freeradius Server below
    >
    >        Acct-Session-Id = "00000014"
    >        Framed-IP-Address = x.x.x.x

      That's an accounting packet.  That isn't authentication.

      Alan DeKok.


    -
    List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&amp;data=02%7C01%7Calister.winfield%40sky.uk%7C9f9d0b729334465fbcd708d71ec3daf8%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C637011698868089212&amp;sdata=pasDevaVnrdP5q89eA2jKIv0sGcZt2itbcUVylAVEYc%3D&amp;reserved=0
    Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
    Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.

    -
    List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&amp;data=02%7C01%7Calister.winfield%40sky.uk%7C9f9d0b729334465fbcd708d71ec3daf8%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C637011698868089212&amp;sdata=pasDevaVnrdP5q89eA2jKIv0sGcZt2itbcUVylAVEYc%3D&amp;reserved=0
    --------------------------------------------------------------------
    This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by sending them to [hidden email] as attachments. Thank you
    --------------------------------------------------------------------



Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD


Re: Freeradius DHCP

Alan DeKok-2
On Aug 11, 2019, at 9:24 PM, Maile Halatuituia <[hidden email]> wrote:
> Actually I was referring to the PPPoE like Authentication and you have confirmed DHCP does not do the same.
>
> Any idea how I would achieve at least similar to PPPoE. I mean is it possible to authenticate DHCP clients before assigning the Address. I mean similar to what PPP does with Freeradius on PPPoE.

  On Cisco devices, this is "mac auth".  You need to configure the Cisco NAS to do Mac auth.  There's also a guide in the FreeRADIUS Wiki for configuring Mac Auth on the server.

  Alan DeKok.


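The server-side MAC-auth setup Alan points to, written out here as an added example adapted from the pattern in the FreeRADIUS wiki Mac-Auth guide; it is not configuration from this thread. It assumes FreeRADIUS 3.x, that the BRAS has been configured to send an Access-Request for each new DHCP client with Calling-Station-Id set to the client MAC (the accounting packets in this thread already carry that attribute), and that the module name, file name and the MAC address in the file are placeholders chosen for the example. Keep in mind that a MAC is an identifier, not a secret: any host on the access network that can set its own MAC can claim another subscriber's entry, so treat a match as a lookup that selects a service, not as proof of who is on the line.

```unlang
# --- raddb/mods-enabled/authorized_macs (example module; name is ours) ---
# A second instance of rlm_files, keyed on the MAC the NAS sends in
# Calling-Station-Id rather than on User-Name.
files authorized_macs {
        key = "%{Calling-Station-Id}"
        usersfile = ${confdir}/authorized_macs
}

# --- raddb/authorized_macs (example file; the MAC is a placeholder) ---
# One entry per device.  The key must be in the canonical form produced by
# rewrite_calling_station_id: lower case, hyphen separated.
00-11-22-33-44-55
        Reply-Message = "Device %{Calling-Station-Id} authorized for network access"

# --- raddb/sites-enabled/default, authorize section (example) ---
authorize {
        preprocess

        # Normalise the MAC so that 00:11:22:33:44:55, 0011.2233.4455 and
        # 00-11-22-33-44-55 all match the same entry.  This policy ships in
        # policy.d/canonicalization.
        rewrite_calling_station_id

        # rlm_files returns "ok" when an entry matched and "noop" otherwise.
        authorized_macs
        if (!ok) {
                # Unknown MAC: Access-Reject, so the BRAS does not bring the
                # session up and no address is handed out.
                reject
        }
        else {
                # The MAC is the only credential, so there is nothing to
                # authenticate: accept without running the authenticate section.
                update control {
                        &Auth-Type := Accept
                }
        }
}
```

To exercise it without a BRAS, run `radiusd -X` in one terminal and, in another, `echo "User-Name=00-11-22-33-44-55, Calling-Station-Id=00:11:22:33:44:55" | radclient -x localhost auth testing123` (testing123 is the localhost secret in the stock clients.conf). The colon-separated MAC is rewritten to the hyphenated form, matches the entry, and gets an Access-Accept; any MAC not in the file gets an Access-Reject. Accounting-Request packets like the ones shown earlier in this thread never go through this section, which is why they cannot be used to gate address assignment.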

Re: Freeradius DHCP

Nathan Ward

> On 12/08/2019, at 11:47 PM, Alan DeKok <[hidden email]> wrote:
>
> On Aug 11, 2019, at 9:24 PM, Maile Halatuituia <[hidden email]> wrote:
>> Actually I was referring to the PPPoE like Authentication and you have confirmed DHCP does not do the same.
>>
>> Any idea how I would achieve at least similar to PPPoE. I mean is it possible to authenticate DHCP clients before assigning the Address. I mean similar to what PPP does with Freeradius on PPPoE.
>
>  On Cisco devices, this is "mac auth".  You need to configure the Cisco NAS to do Mac auth.  There's also a guide in the FreeRADIUS Wiki for configuring Mac Auth on the server.


Hi Alan,

I think what he’s wanting to do, based on other ML threads, is more “ISG” on a BNG. This takes DHCP DISCOVER messages, and talks to RADIUS to authenticate them based on whatever - usually option 82 information - and passes back confusing Cisco AVPs with terrible confusing names to tweak what the BNG does.

https://lists.gt.net/cisco/nsp/201724
etc.

There are links to the relevant Cisco documents etc. there.

Maile - email me off list if you like and I can give you a steer on some of this stuff.

--
Nathan Ward


RE: Freeradius DHCP

Maile Halatuituia
Hi Nathan
Please can you send me your private email



RE: Freeradius DHCP

Maile Halatuituia
Hi, now I can manage to send this to my RADIUS server from the BRAS.

Note that of the packets below, the first is the Start and the next is the Interim-Update.

Also note there is a User-Name field as well.

Is there a way that I can use this User-Name field to authenticate before the BRAS assigns the private IPs?



Wed Aug 14 13:17:53 2019
        Acct-Session-Id = "000001FF"
        Framed-IP-Address = Private IP
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Authentic = Local
        Acct-Status-Type = Start
        Calling-Station-Id = "MAC Address"
        Service-Type = Framed-User
        NAS-IP-Address = IP Address
        PMIP6-Home-HN-Prefix = 3035:4531:4231::/48
        Event-Timestamp = "Aug 14 2019 13:21:21 +13"
        NAS-Identifier = "HA_BNG3"
        Acct-Delay-Time = 0
        User-Name = "@realm"
        Acct-Unique-Session-Id = "80d574130500fc9e3dcc53196fe7449e"
        Stripped-User-Name = ""
        Realm = "realm"
        Timestamp = 1565741873

Wed Aug 14 13:23:17 2019
        Acct-Session-Id = "000001FF"
        Framed-IP-Address = Private IP
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Session-Time = 324
        Acct-Authentic = Local
        Acct-Status-Type = Interim-Update
        Calling-Station-Id = "MAC"
        Service-Type = Framed-User
        NAS-IP-Address = NAS IP
        PMIP6-Home-HN-Prefix = 3035:4531:4231::/48
        Event-Timestamp = "Aug 14 2019 13:26:45 +13"
        NAS-Identifier = "HA_BNG3"
        Acct-Delay-Time = 0
        User-Name = "@realm"
        Acct-Unique-Session-Id = "80d574130500fc9e3dcc53196fe7449e"
        Stripped-User-Name = ""
        Realm = "realm"
        Timestamp = 1565742197
