diff options
Diffstat (limited to 'doc/examples/kea4/hooks-radius.json')
-rw-r--r-- | doc/examples/kea4/hooks-radius.json | 224 |
1 files changed, 224 insertions, 0 deletions
diff --git a/doc/examples/kea4/hooks-radius.json b/doc/examples/kea4/hooks-radius.json new file mode 100644 index 0000000..f00190e --- /dev/null +++ b/doc/examples/kea4/hooks-radius.json @@ -0,0 +1,224 @@ +// This is an example configuration file for the DHCPv4 server in Kea +// illustrating the configuration of the RADIUS and Host Cache hooks libraries. +// +// It is not intended to be used as is. It tries to showcase some of the +// parameters available. +// +// To use this configuration file, you need to have both RADIUS and +// Host Cache hooks. These are currently available to support customers only. +// +// clients get a wine name (option AOP code 250) divided into red and white. +// Expensive brands have a host entry, i.e. a reserved address. +// +// Names +// +// brouilly (red) +// chablis (white) +// chambertin (red, expensive) +// chinon (red) +// chiroubles (red) +// condrieu (white) +// cornas (red) +// corton (red) +// fleurie (red) +// givry (red) +// margaux (red, expensive) +// meursault (white) +// montrachet (white, expensive) +// morgon (red) +// muscadet (white) +// petrus (red, expensive) +// riesling (white) +// romanee (red, expensive) +// sylvaner (white) +// yquem (white, expensive) +// +// Address space is 192.0.2.0/24 with 10-99 for reds and 110-199 for whites. +// +// Reservations are given here in Kea/JSON style but they must be +// in the RADIUS server configuration: +// +// { +// "flex-id": "'chambertin'", +// "ip-address": "192.0.2.10" +// }, +// { +// "flex-id": "'margaux'", +// "ip-address": "192.0.2.11" +// }, +// { +// "flex-id": "'petrus'", +// "ip-address": "192.0.2.12" +// }, +// { +// "flex-id": "'romanee'", +// "ip-address": "192.0.2.13" +// }, +// { +// "flex-id": "'montrachet'", +// "ip-address": "192.0.2.110" +// }, +// { +// "flex-id": "'yquem'", +// "ip-address": "192.0.2.111" +// } +// + +{"Dhcp4": + +{ + // Kea is told to listen on specific interfaces only. + "interfaces-config": { + // You should probably list your network interfaces here (e.g. "eth1961") + "interfaces": [ "eth1961" ] + }, + + // Set up the storage for leases. + "lease-database": { + "type": "memfile" + }, + + // Note there is hosts-database defined. RADIUS and Host Cache libraries + // will create them dynamically. + + // RADIUS uses flex-id reservations, so restrict Kea to use flex-id only. + "host-reservation-identifiers": [ "flex-id" ], + + // Define the AOP option. + "option-def": [ { + "name": "AOP", + "code": 250, + "type": "string" } ], + + // Define red and white client classes. + // If they are not defined we can get spurious warnings. + "client-classes": [ + { "name": "red" }, + { "name": "white" } ], + + // Define a subnet. + "subnet4": [ { + // Set the subnet ID (aka RADIUS NAS port). + "id": 14, + "subnet": "192.0.2.0/24", + "interface": "eth1961", + "pools": [ + { + // Red pool (10-19 are for reservations) + "pool": "192.0.2.20-192.0.2.99", + "client-class": "red" + }, + { + // White pool (110-119 are for reservations) + "pool": "192.0.2.120-192.0.2.199", + "client-class": "white" + } + + // Note there are not pools available to anyone. This is + // important to note. This means that to get an address, the + // client needs to belong to red class, to white class or + // have an address reserved. + ] + } ], + + // Set up the hooks libraries. + "hooks-libraries": [ + { + // Load the flex-id hook library. + "library": "/usr/local/lib/kea/hooks/libdhcp_flex_id.so", + + "parameters": { + // Take the ID from the AOP option. + "identifier-expression": "option[250].text", + + // Replace the client ID in queries by the flex-id. + // Currently required by access code. + // Required for accounting as it will become the lease ID too. + "replace-client-id": true + } + }, + { + // Load the host cache hook library. It is needed by the RADIUS + // library to keep the attributes from authorization to later user + // for accounting. + "library": "/usr/local/lib/kea/hooks/libdhcp_host_cache.so" + }, + { + // Load the RADIUS hook library. + "library": "/usr/local/lib/kea/hooks/libdhcp_radius.so", + + "parameters": { + // If do not use RFC 4361 + // "extract-duid": false, + + // If have conflicting subnets + // "reselect-subnet-pool": true, + + // Strip the 0 type added by flex-id + "client-id-pop0": true, + + // flex Id is printable (far easier for the RADIUS server config) + // Without this it will be in hexadecimal... + "client-id-printable": true, + + // Use the flex-id. + "identifier-type4": "flex-id", + + // Configure an access (aka authentication/authorization) server. + "access": { + + // This starts the list of access servers + "servers": [ + { + // These are parameters for the first (and only) access server + "name": "127.0.0.1", + "port": 1812, + "secret": "secret" + } + // Additional access servers could be specified here + ], + + // This define a list of additional attributes Kea will send to each + // access server in Access-Request. + "attributes": [ + { + // This attribute is identified by name (must be present in the + // dictionary) and has static value (i.e. the same value will be + // sent to every server for every packet) + "name": "Password", + "data": "mysecretpassword" + }, + { + // It's also possible to specify an attribute using its type, + // rather than a name. 77 is Connect-Info. The value is specified + // using hex. Again, this is a static value. It will be sent the + // same for every packet and to every server. + "type": 77, + "raw": "65666a6a71" + }, + { + // This example shows how an expression can be used to send dynamic + // value. The expression (see Section 13) may take any value from + // the incoming packet or even its metadata (e.g. the interface + // it was received over from) + "name": "Configuration-Token", + "expr": "pkt.iface" + } + ] // End of attributes + }, + + // Configure an accounting server. + "accounting": { + "servers": [ { + "name": "127.0.0.1", + "port": 1813, + "secret": "secret" + } + ] + } + } + } + ] +} + +} |