How to bind-map 802.1X identity to DHCP-provided IP address?

Olivier
Hello,

For logging purposes in an MSCHAPv2 WiFi environment, I would like to enforce
or log an 802.1X ID-to-IP address map.

1. What are the available options to implement this?
I'm daily using ISC DHCP or Dnsmasq for implementing DHCP services but I
wouldn't hesitate to use something (FreeRADIUS, ISC Kea, whatever, ...) if
that helped.

2. I've read that DHCP Option 82 suboptions could be used with DHCP Relay
to inject in DHCP requests some additional data but I fail to see how
802.1X could be part of this injected data.
Is it worth digging this path?

Best regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to bind-map 802.1X identity to DHCP-provided IP address?

Alan DeKok-2
On Mar 5, 2021, at 10:50 AM, Olivier <[hidden email]> wrote:
>
> For logging purposes in an MSCHAPv2 WiFi environment, I would like to enforce
> or log an 802.1X ID-to-IP address map.

  What does that mean?  Details matter here.

> 1. What are the available options to implement this?
> I'm daily using ISC DHCP or Dnsmasq for implementing DHCP services but I
> wouldn't hesitate to use something (FreeRADIUS, ISC Kea, whatever, ...) if
> that helped.

  ISC and Kea are both pretty bare-bones DHCP servers.  They have very limited support for policies.  So you can't correlate RADIUS identities with DHCP address assignments.

  Of course, FreeRADIUS can do this...

> 2. I've read that DHCP Option 82 suboptions could be used with DHCP Relay
> to inject in DHCP requests some additional data but I fail to see how
> 802.1X could be part of this injected data.

  It can't be.

  So what do you want to do?  Ensure the User-Name X is assigned IP address Y?

  The simple thing is to just configure FreeRADIUS to do that.  You can use IP pools, and write policy checks.

  Then, configure FreeRADIUS as a DHCP server, and do lookups in the IP pools. :)

  Alan DeKok.
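
For the logging half of the question, one option that keeps the existing DHCP server is to join successful 802.1X authentications to ISC dhcpd leases on the client MAC address. This is an added example, not part of either post. It assumes the RADIUS side records Calling-Station-Id as the client MAC; the lease excerpt and the CSV export of authentications are constructed, and all function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed dhcpd.leases excerpt, trimmed to the fields used; times are UTC.
LEASES = """\
lease 10.0.0.21 {
  starts 5 2021/03/05 10:01:00;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.22 {
  starts 5 2021/03/05 10:05:30;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 10.0.0.23 {
  starts 5 2021/03/05 11:00:00;
  hardware ethernet de:ad:be:ef:00:01;
}
"""
# Constructed export of successful auths: UTC timestamp,User-Name,Calling-Station-Id
AUTHS = """\
2021-03-05 10:00:58,alice,00-11-22-33-44-55
2021-03-05 10:05:00,bob,6677.8899.AABB
2021-03-05 10:05:20,carol,66:77:88:99:AA:BB
"""

def norm_mac(s):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", s.lower())

def parse_leases(text):
    for ip, body in re.findall(r"lease (\S+) \{(.*?)\}", text, re.S):
        start = re.search(r"starts \d (\S+ \S+);", body)
        mac = re.search(r"hardware ethernet (\S+);", body)
        if start and mac:
            yield ip, datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S"), norm_mac(mac.group(1))

def parse_auths(text):
    for line in text.splitlines():
        ts, user, mac = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, norm_mac(mac)

def identity_map(leases=LEASES, auths=AUTHS):
    """Map each lease IP to the last identity authenticated from that MAC before the lease started."""
    auth_list = sorted(parse_auths(auths))
    result = {}
    for ip, start, mac in parse_leases(leases):
        users = [u for ts, u, m in auth_list if m == mac and ts <= start]
        result[ip] = users[-1] if users else None  # None: no 802.1X auth on record for this MAC
    return result
```

Because the join key is a client-supplied MAC address, the resulting map is a logging aid rather than an enforcement mechanism; leases that map to `None` are the ones worth reviewing.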