Diffstat (limited to '')
-rw-r--r-- | raddb/mods-available/dhcp | 19 | ||||
-rw-r--r-- | raddb/mods-available/dhcp_files | 56 | ||||
-rw-r--r-- | raddb/mods-available/dhcp_passwd | 20 | ||||
-rw-r--r-- | raddb/mods-available/dhcp_sql | 92 | ||||
-rw-r--r-- | raddb/mods-available/dhcp_sqlippool | 101 |
5 files changed, 288 insertions, 0 deletions
diff --git a/raddb/mods-available/dhcp b/raddb/mods-available/dhcp
new file mode 100644
index 0000000..a431633
--- /dev/null
+++ b/raddb/mods-available/dhcp
@@ -0,0 +1,19 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# This module is useful only for 'xlat'. To use it,
+# put 'dhcp' into the 'instantiate' section.
+#
+# %{dhcp_options:<Attribute-ref>} may be used to decode
+# DHCP options data included in RADIUS packets by vendors
+# of DHCP to RADIUS gateways.
+#
+# This is known to work with the following VSAs:
+# * Juniper - ERX-Dhcp-Options
+# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options
+# - Alc-ToClient-Dhcp-Options
+#
+dhcp {
+}
diff --git a/raddb/mods-available/dhcp_files b/raddb/mods-available/dhcp_files
new file mode 100644
index 0000000..243a241
--- /dev/null
+++ b/raddb/mods-available/dhcp_files
@@ -0,0 +1,56 @@
+# -*- text -*-
+#
+# $Id$
+
+# Instances of the "files" module for managing DHCP options
+#
+files dhcp_network {
+ # The file containing network-specific DHCP options mapping
+ filename = ${modconfdir}/files/dhcp
+
+ # For network lookups we use a fixed key. Matching
+ # actual networks is done by additional filtering within
+ # the file
+ key = "network"
+}
+
+files dhcp_subnet {
+ # The file containing subnet-specific DHCP options mapping
+ filename = ${modconfdir}/files/dhcp
+
+ # For subnet lookups we use a fixed key. Matching
+ # actual subnets is done by additional filtering within
+ # the file
+ key = "subnet"
+}
+
+files dhcp_set_group_options {
+ # An example of looking up DHCP group options. This
+ # is designed to be called from a policy configured in
+ # policy.d/dhcp.
+ #
+ # If clients are never members of more than one group,
+ # then this could be simplified such that DHCP-Group-Name
+ # is used here in place of Foreach-Variable-0 and this
+ # module instance called directly rather than the policy
+
+ # Use the same file as for subnets - could be split
+ # for large, complex installations
+ filename = ${modconfdir}/files/dhcp
+
+ # The key is a temporary string populated by the calling policy
+ # which uses a foreach loop.
+ key = "%{Foreach-Variable-0}"
+}
+
+files dhcp_hosts {
+ # An example of a DHCP host mapping for option setting
+
+ # Use the same file as for subnets - could be split
+ # for large, complex installations
+ filename = ${modconfdir}/files/dhcp
+
+ # If a different identifier is needed for looking up
+ # host specific entries then amend this key.
+ key = "host-%{DHCP-Client-Hardware-Address}"
+}
diff --git a/raddb/mods-available/dhcp_passwd b/raddb/mods-available/dhcp_passwd
new file mode 100644
index 0000000..7884a00
--- /dev/null
+++ b/raddb/mods-available/dhcp_passwd
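Review bot: The `dhcp_hosts` key `key = "host-%{DHCP-Client-Hardware-Address}"` derives host-specific options solely from the hardware address the client reports, and the comment above it only says to amend the key if a different identifier is needed; it should also state that chaddr is asserted by the client, so host entries in files/dhcp are configuration lookups, not proof of identity, and must not be used to grant anything that would matter if one client presented another host's address. Suggested comment above the key: `# NOTE: the hardware address is supplied by the client and is not` / `# authenticated; treat host-specific entries as configuration, not` / `# as proof of which device is asking.` The same caveat applies to the `dhcp_group_membership` instance in dhcp_passwd, whose `format` keys group lookup on DHCP-Client-Hardware-Address.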
@@ -0,0 +1,20 @@
+# -*- text -*-
+#
+# $Id$
+
+# An instance of the passwd module designed for looking up
+# DHCP client membership. This example is based on hardware
+# address.
+# The "groups" file should be of the format:
+# <group name>|<hardware address>,<hardware address>,<hardware address>
+# <group name>|<hardware address>,<hardware address>,<hardware address>
+#
+# See the passwd module for more details.
+
+passwd dhcp_group_membership {
+ filename = "${modconfdir}/files/dhcp_groups"
+ format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address"
+ hash_size = 100
+ allow_multiple_keys = yes
+ delimiter = "|"
+}
diff --git a/raddb/mods-available/dhcp_sql b/raddb/mods-available/dhcp_sql
new file mode 100644
index 0000000..20dbe3a
--- /dev/null
+++ b/raddb/mods-available/dhcp_sql
@@ -0,0 +1,92 @@
+# -*- text -*-
+##
+## mods-available/sql -- SQL modules
+##
+## $Id$
+
+######################################################################
+#
+# Configuration for the DHCP-specific instance of the SQL module
+#
+# The database schemas and queries are located in subdirectories:
+#
+# sql/dhcp/<DB>/schema.sql Schema
+# sql/dhcp/<DB>/queries.conf Reply options lookup queries
+#
+# Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+
+#
+# See raddb/mods-available/sql for a description of the configuration items
+# for the sql module.
+#
+sql dhcp_sql {
+ dialect = "sqlite"
+ driver = "rlm_sql_null"
+# driver = "rlm_sql_${dialect}"
+
+ sqlite {
+ filename = "/tmp/freeradius.db"
+ busy_timeout = 200
+ bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql"
+ }
+
+ mysql {
+ tls {
+ ca_file = "/etc/ssl/certs/my_ca.crt"
+ ca_path = "/etc/ssl/certs/"
+ certificate_file = "/etc/ssl/certs/private/client.crt"
+ private_key_file = "/etc/ssl/certs/private/client.key"
+ cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
+
+ tls_required = yes
+ tls_check_cert = no
+ tls_check_cert_cn = no
+ }
+ warnings = auto
+ }
+
+ postgresql {
+ send_application_name = yes
+ }
+
+ mongo {
+ appname = "freeradius"
+ tls {
+ certificate_file = /path/to/file
+ certificate_password = "password"
+ ca_file = /path/to/file
+ ca_dir = /path/to/directory
+ crl_file = /path/to/file
+ weak_cert_validation = false
+ allow_invalid_hostname = false
+ }
+ }
+
+# server = "localhost"
+# port = 3306
+# login = "radius"
+# password = "radpass"
+
+ radius_db = "radius"
+
+ dhcpreply_table = "dhcpreply"
+ groupreply_table = "dhcpgroupreply"
+ dhcpgroup_table = "dhcpgroup"
+ read_groups = no
+
+ pool {
+ start = ${thread[pool].start_servers}
+ min = ${thread[pool].min_spare_servers}
+ max = ${thread[pool].max_servers}
+ spare = ${thread[pool].max_spare_servers}
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+
+ group_attribute = "${.:instance}-SQL-Group"
+
+ $INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
+}
diff --git a/raddb/mods-available/dhcp_sqlippool b/raddb/mods-available/dhcp_sqlippool
new file mode 100644
index 0000000..909b93c
--- /dev/null
+++ b/raddb/mods-available/dhcp_sqlippool
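Review bot: The header comment `## mods-available/sql -- SQL modules` names the wrong file; this is the dhcp_sql instance, so it should read `## mods-available/dhcp_sql -- DHCP instance of the SQL module`. The mysql `tls` block also ships `tls_check_cert = no` and `tls_check_cert_cn = no` next to `tls_required = yes` with no comment, which looks copied from mods-available/sql; a one-line note that these two settings disable verification of the database server's certificate and should be set to `yes` once a real CA is configured would stop operators from deploying TLS that encrypts but does not authenticate the server. Likewise `certificate_password = "password"` under mongo is an obvious placeholder and deserves a `# placeholder, replace before use` comment so it is not mistaken for a working default.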
@@ -0,0 +1,101 @@
+# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool).
+#
+# See raddb/mods-available/sqlippool for common configuration explanation
+#
+# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
+# the RADIUS based "sqlippool" module to be used for DHCP.
+#
+# See raddb/sites-available/dhcp for instructions on how to configure
+# the DHCP server.
+#
+# The database schemas are available at:
+#
+# raddb/mods-config/sql/ippool-dhcp/<DB>/schema.sql
+#
+# $Id$
+
+sqlippool dhcp_sqlippool {
+ # SQL instance to use (from mods-available/sql)
+ #
+ # If you have multiple sql instances, such as "sql sql1 {...}",
+ # use the *instance* name here: sql1.
+ sql_module_instance = "dhcp_sql"
+
+ # This is duplicative of info available in the SQL module, but
+ # we have to list it here as we do not yet support nested
+ # reference expansions.
+ dialect = "mysql"
+
+ # Name of the check item attribute to be used as a key in the SQL queries
+ pool_name = "Pool-Name"
+
+ # SQL table to use for ippool range and lease info
+ ippool_table = "dhcpippool"
+
+ # The duration for which a lease is reserved whilst under offer
+ offer_duration = 10
+
+ # IP lease duration. (Leases expire even if no DHCP-Release packet is received)
+ # Either use the value to be sent to the client or a hard coded one.
+ lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"
+ #lease_duration = 7200
+
+ # The attribute in which the IP address is returned in the reply
+ attribute_name = "DHCP-Your-IP-Address"
+
+ # Assign the IP address, even if the above attribute already exists in
+ # the reply.
+ #
+# allow_duplicates = no
+
+ # The attribute in which an IP address hint may be supplied
+ req_attribute_name = "DHCP-Requested-IP-Address"
+
+ #
+ # RFC 2132 allows the DHCP client to supply a unique
+ # identifier ("uid") using Option 61 (DHCP-Client-Identifier)
+ # in which case it must be used as the lookup key for
+ # configuration data.
+ #
+ pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}"
+ #
+ # The "uid" is generated by the OS which means that clients
+ # whose BMC piggybacks on the main interface (sharing its MAC,
+ # but generating a distinct uid) and dual-booting clients can
+ # be allocated multiple IPs, consuming more pool entries. To
+ # avoid this you can ignore the RFCs and key the configuration
+ # data based only on the client MAC address.
+ #
+ # pool_key = "%{DHCP-Client-Hardware-Address}"
+
+ ################################################################
+ #
+ # WARNING: MySQL (MyISAM) has certain limitations that means it can
+ # hand out the same IP address to 2 different users.
+ #
+ # We suggest using an SQL DB with proper transaction
+ # support, such as PostgreSQL, or using MySQL
+ # with InnoDB.
+ #
+ ################################################################
+
+ # These messages are added to the "control" items, as
+ # Module-Success-Message. They are not logged anywhere else,
+ # unlike previous versions. If you want to have them logged
+ # to a file, see the "linelog" module, and create an entry
+ # which writes Module-Success-Message message.
+ #
+ messages {
+ exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+ $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+}
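Review bot: `dialect = "mysql"` does not agree with the `dialect = "sqlite"` set in the new dhcp_sql instance that `sql_module_instance = "dhcp_sql"` points at, so the `$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf` at the end of this block will load the MySQL pool queries while dhcp_sql bootstraps an sqlite schema. The comment above the line already says the value duplicates the sql module's dialect, so the two shipped defaults should match; change this line to `dialect = "sqlite"` or set dhcp_sql to mysql, and extend the comment with `# Must match the dialect of the instance named in sql_module_instance.` The `pool_key` comment only discusses pool consumption by BMCs and dual-boot hosts; since Option 61 and chaddr are both chosen by the client, it is worth a sentence that pool_key identifies a lease for allocation purposes only and is not a basis for trusting which host holds it.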