Diffstat (limited to '')
-rw-r--r--raddb/mods-available/dhcp19
-rw-r--r--raddb/mods-available/dhcp_files56
-rw-r--r--raddb/mods-available/dhcp_passwd20
-rw-r--r--raddb/mods-available/dhcp_sql92
-rw-r--r--raddb/mods-available/dhcp_sqlippool101
5 files changed, 288 insertions, 0 deletions
diff --git a/raddb/mods-available/dhcp b/raddb/mods-available/dhcp
new file mode 100644
index 0000000..a431633
--- /dev/null
+++ b/raddb/mods-available/dhcp
@@ -0,0 +1,19 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# This module is useful only for 'xlat'. To use it,
+# put 'dhcp' into the 'instantiate' section.
+#
+# %{dhcp_options:<Attribute-ref>} may be used to decode
+# DHCP options data included in RADIUS packets by vendors
+# of DHCP to RADIUS gateways.
+#
+# This is known to work with the following VSAs:
+# * Juniper - ERX-Dhcp-Options
+# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options
+# - Alc-ToClient-Dhcp-Options
+#
+dhcp {
+}
diff --git a/raddb/mods-available/dhcp_files b/raddb/mods-available/dhcp_files
new file mode 100644
index 0000000..243a241
--- /dev/null
+++ b/raddb/mods-available/dhcp_files
@@ -0,0 +1,56 @@
+# -*- text -*-
+#
+# $Id$
+
+# Instances of the "files" module for managing DHCP options
+#
+files dhcp_network {
+ # The file containing network-specific DHCP options mapping
+ filename = ${modconfdir}/files/dhcp
+
+ # For network lookups we use a fixed key. Matching
+ # actual networks is done by additional filtering within
+ # the file
+ key = "network"
+}
+
+files dhcp_subnet {
+ # The file containing subnet-specific DHCP options mapping
+ filename = ${modconfdir}/files/dhcp
+
+ # For subnet lookups we use a fixed key. Matching
+ # actual subnets is done by additional filtering within
+ # the file
+ key = "subnet"
+}
+
+files dhcp_set_group_options {
+ # An example of looking up DHCP group options. This
+ # is designed to be called from a policy configured in
+ # policy.d/dhcp.
+ #
+ # If clients are never members of more than one group,
+ # then this could be simplified such that DHCP-Group-Name
+ # is used here in place of Foreach-Variable-0 and this
+ # module instance called directly rather than the policy
+
+ # Use the same file as for subnets - could be split
+ # for large, complex installations
+ filename = ${modconfdir}/files/dhcp
+
+ # The key is a temporary string populated by the calling policy
+ # which uses a foreach loop.
+ key = "%{Foreach-Variable-0}"
+}
+
+files dhcp_hosts {
+ # An example of a DHCP host mapping for option setting
+
+ # Use the same file as for subnets - could be split
+ # for large, complex installations
+ filename = ${modconfdir}/files/dhcp
+
+ # If a different identifier is needed for looking up
+ # host specific entries then amend this key.
+ key = "host-%{DHCP-Client-Hardware-Address}"
+}
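Review bot: The `dhcp_hosts` instance keys its lookup on `"host-%{DHCP-Client-Hardware-Address}"`, a value the client reports about itself, and the comment above it only says the identifier can be swapped; it should also say that per-host entries are selected by an unauthenticated identifier, so options set through this path must not be treated as an access control. I would extend the comment above `key` with `# Note: the hardware address is reported by the client and is not authenticated.` The same caveat presumably applies to `dhcp_set_group_options` when the calling policy in policy.d/dhcp derives `Foreach-Variable-0` from that attribute, but the policy is not part of this hunk.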
diff --git a/raddb/mods-available/dhcp_passwd b/raddb/mods-available/dhcp_passwd
new file mode 100644
index 0000000..7884a00
--- /dev/null
+++ b/raddb/mods-available/dhcp_passwd
@@ -0,0 +1,20 @@
+# -*- text -*-
+#
+# $Id$
+
+# An instance of the passwd module designed for looking up
+# DHCP client membership. This example is based on hardware
+# address.
+# The "groups" file should be of the format:
+# <group name>|<hardware address>,<hardware address>,<hardware address>
+# <group name>|<hardware address>,<hardware address>,<hardware address>
+#
+# See the passwd module for more details.
+
+passwd dhcp_group_membership {
+ filename = "${modconfdir}/files/dhcp_groups"
+ format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address"
+ hash_size = 100
+ allow_multiple_keys = yes
+ delimiter = "|"
+}
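Review bot: The `format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address"` line is the only thing that defines how `dhcp_groups` is parsed, yet the header documents just the file layout and defers the field markers to the passwd module, so a reader cannot tell from this file why `allow_multiple_keys = yes` and the `<hardware address>,<hardware address>` layout are needed. Per the passwd module's format description (confirm against mods-available/passwd), `*,` marks the comma-separated key field and `~` puts the matched attribute in the request list rather than the reply. I would add above `format` the comment `# "*," = comma-separated key field; "~" = add matched attribute to the request list`.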
diff --git a/raddb/mods-available/dhcp_sql b/raddb/mods-available/dhcp_sql
new file mode 100644
index 0000000..20dbe3a
--- /dev/null
+++ b/raddb/mods-available/dhcp_sql
@@ -0,0 +1,92 @@
+# -*- text -*-
+##
+## mods-available/sql -- SQL modules
+##
+## $Id$
+
+######################################################################
+#
+# Configuration for the DHCP-specific instance of the SQL module
+#
+# The database schemas and queries are located in subdirectories:
+#
+# sql/dhcp/<DB>/schema.sql Schema
+# sql/dhcp/<DB>/queries.conf Reply options lookup queries
+#
+# Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+
+#
+# See raddb/mods-available/sql for a description of the configuration items
+# for the sql module.
+#
+sql dhcp_sql {
+ dialect = "sqlite"
+ driver = "rlm_sql_null"
+# driver = "rlm_sql_${dialect}"
+
+ sqlite {
+ filename = "/tmp/freeradius.db"
+ busy_timeout = 200
+ bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql"
+ }
+
+ mysql {
+ tls {
+ ca_file = "/etc/ssl/certs/my_ca.crt"
+ ca_path = "/etc/ssl/certs/"
+ certificate_file = "/etc/ssl/certs/private/client.crt"
+ private_key_file = "/etc/ssl/certs/private/client.key"
+ cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
+
+ tls_required = yes
+ tls_check_cert = no
+ tls_check_cert_cn = no
+ }
+ warnings = auto
+ }
+
+ postgresql {
+ send_application_name = yes
+ }
+
+ mongo {
+ appname = "freeradius"
+ tls {
+ certificate_file = /path/to/file
+ certificate_password = "password"
+ ca_file = /path/to/file
+ ca_dir = /path/to/directory
+ crl_file = /path/to/file
+ weak_cert_validation = false
+ allow_invalid_hostname = false
+ }
+ }
+
+# server = "localhost"
+# port = 3306
+# login = "radius"
+# password = "radpass"
+
+ radius_db = "radius"
+
+ dhcpreply_table = "dhcpreply"
+ groupreply_table = "dhcpgroupreply"
+ dhcpgroup_table = "dhcpgroup"
+ read_groups = no
+
+ pool {
+ start = ${thread[pool].start_servers}
+ min = ${thread[pool].min_spare_servers}
+ max = ${thread[pool].max_servers}
+ spare = ${thread[pool].max_spare_servers}
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+
+ group_attribute = "${.:instance}-SQL-Group"
+
+ $INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
+}
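Review bot: The mysql `tls` block sets `tls_required = yes` together with `tls_check_cert = no` and `tls_check_cert_cn = no`, so the example encrypts the connection but never verifies the server certificate, and a deployment that copies it as-is gets no protection against an impostor database; either default both checks to `yes` or add above them `# Example only: certificate checks are disabled; set both to yes with a real ca_file in production.` The sqlite `filename = "/tmp/freeradius.db"` places the database in a shared, world-writable directory, which deserves a comment that a path under a directory owned by the server user is expected outside of testing. The header `## mods-available/sql -- SQL modules` is carried over from the generic sql file and should read `## mods-available/dhcp_sql -- DHCP SQL module`. The list `Where "DB" is mysql, mssql, oracle, or postgresql.` omits sqlite even though the instance defaults to `dialect = "sqlite"` and bootstraps from `dhcp/sqlite/schema.sql`.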
diff --git a/raddb/mods-available/dhcp_sqlippool b/raddb/mods-available/dhcp_sqlippool
new file mode 100644
index 0000000..909b93c
--- /dev/null
+++ b/raddb/mods-available/dhcp_sqlippool
@@ -0,0 +1,101 @@
+# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool).
+#
+# See raddb/mods-available/sqlippool for common configuration explanation
+#
+# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
+# the RADIUS based "sqlippool" module to be used for DHCP.
+#
+# See raddb/sites-available/dhcp for instructions on how to configure
+# the DHCP server.
+#
+# The database schemas are available at:
+#
+# raddb/mods-config/sql/ippool-dhcp/<DB>/schema.sql
+#
+# $Id$
+
+sqlippool dhcp_sqlippool {
+ # SQL instance to use (from mods-available/sql)
+ #
+ # If you have multiple sql instances, such as "sql sql1 {...}",
+ # use the *instance* name here: sql1.
+ sql_module_instance = "dhcp_sql"
+
+ # This is duplicative of info available in the SQL module, but
+ # we have to list it here as we do not yet support nested
+ # reference expansions.
+ dialect = "mysql"
+
+ # Name of the check item attribute to be used as a key in the SQL queries
+ pool_name = "Pool-Name"
+
+ # SQL table to use for ippool range and lease info
+ ippool_table = "dhcpippool"
+
+ # The duration for which a lease is reserved whilst under offer
+ offer_duration = 10
+
+ # IP lease duration. (Leases expire even if no DHCP-Release packet is received)
+ # Either use the value to be sent to the client or a hard coded one.
+ lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"
+ #lease_duration = 7200
+
+ # The attribute in which the IP address is returned in the reply
+ attribute_name = "DHCP-Your-IP-Address"
+
+ # Assign the IP address, even if the above attribute already exists in
+ # the reply.
+ #
+# allow_duplicates = no
+
+ # The attribute in which an IP address hint may be supplied
+ req_attribute_name = "DHCP-Requested-IP-Address"
+
+ #
+ # RFC 2132 allows the DHCP client to supply a unique
+ # identifier ("uid") using Option 61 (DHCP-Client-Identifier)
+ # in which case it must be used as the lookup key for
+ # configuration data.
+ #
+ pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}"
+ #
+ # The "uid" is generated by the OS which means that clients
+ # whose BMC piggybacks on the main interface (sharing its MAC,
+ # but generating a distinct uid) and dual-booting clients can
+ # be allocated multiple IPs, consuming more pool entries. To
+ # avoid this you can ignore the RFCs and key the configuration
+ # data based only on the client MAC address.
+ #
+ # pool_key = "%{DHCP-Client-Hardware-Address}"
+
+ ################################################################
+ #
+ # WARNING: MySQL (MyISAM) has certain limitations that means it can
+ # hand out the same IP address to 2 different users.
+ #
+ # We suggest using an SQL DB with proper transaction
+ # support, such as PostgreSQL, or using MySQL
+ # with InnoDB.
+ #
+ ################################################################
+
+ # These messages are added to the "control" items, as
+ # Module-Success-Message. They are not logged anywhere else,
+ # unlike previous versions. If you want to have them logged
+ # to a file, see the "linelog" module, and create an entry
+ # which writes Module-Success-Message message.
+ #
+ messages {
+ exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+ $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+}
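Review bot: `dialect = "mysql"` disagrees with the `dhcp_sql` instance it names via `sql_module_instance = "dhcp_sql"`, which this same commit ships with `dialect = "sqlite"`; because `$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf` on the last line selects the query file from this value, the two defaults pull in queries for a different database than the one the sql instance opens. The comment above already explains that the duplication is forced by missing nested expansion, so the fix is to make the two defaults agree (e.g. `dialect = "sqlite"`, if an `ippool-dhcp/sqlite/queries.conf` exists) and to extend that comment with `# Must match the dialect of the sql instance named in sql_module_instance.` Separately, `lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"` expands to an empty string when nothing earlier in the policy has set that reply attribute; whether the module treats that as zero or as an error is not visible here, so the comment should state which it is and what the caller must guarantee.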