1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
== Testing the DHCP service
We can verify that FreeRADIUS is providing a DHCP service using the
`dhcpclient` tool that is included with the FreeRADIUS distribution.
Temporarily configure FreeRADIUS to issue a single static IP address to all
clients by updating the `dhcp DHCP-Discover` section in the `dhcp` virtual
server to include the following:
[source,unlang]
----
update reply {
&DHCP-Your-IP-Address := 1.2.3.4
}
----
Define a sample DHCP packet as follows:
[source,shell]
----
cat <<EOF > dhcp-packet.txt
DHCP-Message-Type := DHCP-Discover
DHCP-Client-Hardware-Address := 02:01:aa:bb:cc:dd
DHCP-Client-Identifier := abc123
EOF
----
We can now generate this packet by invoking one of the following commands based
on the current circumstances...
From the host that is running the FreeRADIUS DHCP server:
[source,shell]
----
dhcpclient -i lo 255.255.255.255 -f dhcp-packet.txt -x auto
----
From a different host with an interface (eth0) in the same broadcast domain
as the FreeRADIUS DHCP server:
[source,shell]
----
dhcpclient -i eth0 255.255.255.255 -f dhcp-packet.txt -x auto
----
If all of the DHCP broadcast traffic in other Layer 2 networks is converted to
unicast by DHCP relay agents then it is not necessary for FreeRADIUS to listen
on a broadcast address. In this case you can test DHCP using a unicast request:
[source,shell]
----
dhcpclient 192.0.2.10 -f dhcp-packet.txt -x auto
----
[NOTE]
====
In order for the returned, unicast DHCP OFFER to be received it is necessary to
ensure that the `DHCP-Your-IP-Address` parameter set by FreeRADIUS matches an
address on the interface used by the dhcpclient tool to send the Discover
packet.
====
When one of the above commands is run, the tool with generate output such as
the following which shows that the packet was sent and that it is now waiting
for replies:
.Example output from dhcpclient showing the request
===================================================
dhcpclient: ...
----------------------------------------------------------------------
DHCP-Opcode = 0x01
DHCP-Hardware-Type = 0x01
DHCP-Hardware-Address-Length = 0x06
DHCP-Hop-Count = 0x00
DHCP-Transaction-Id = 0x5e0bbfab
DHCP-Number-of-Seconds = 0x0000
DHCP-Flags = 0x0000
DHCP-Client-IP-Address = 0x00000000
DHCP-Your-IP-Address = 0x00000000
DHCP-Server-IP-Address = 0x00000000
DHCP-Gateway-IP-Address = 0x00000000
...
----------------------------------------------------------------------
Waiting for DHCP replies for: 5.000000
----------------------------------------------------------------------
===================================================
Each received DHCP response will generate output such as the following:
.Example output from dhcpclient showing a response
==================================================
...
----------------------------------------------------------------------
DHCP-Opcode = Server-Message
DHCP-Hardware-Type = Ethernet
DHCP-Hardware-Address-Length = 6
DHCP-Hop-Count = 0
DHCP-Transaction-Id = 1577828267
DHCP-Number-of-Seconds = 0
DHCP-Flags = 0
DHCP-Client-IP-Address = 0.0.0.0
DHCP-Your-IP-Address = 1.2.3.4
DHCP-Server-IP-Address = 192.0.2.10
DHCP-Gateway-IP-Address = 0.0.0.0
DHCP-Client-Hardware-Address = 02:42:0a:00:00:0b
DHCP-Message-Type = DHCP-Offer
DHCP-Client-Identifier = 0x616263313233
Waiting for additional DHCP replies for: 4.999429
...
==================================================
Examine the DHCP response to ensure that it has the correct message type
(`DHCP-Offer`, in this case), contains the temporary IP address that you
configured earlier, i.e. `DHCP-Your-IP-Address = 1.2.3.4`, and any other
expected reply parameters (which we configure later). You should also carefully
examine the output of a FreeRADIUS debug session (`radius -X`) to ensure that
the policy is being executed in the way that you expect and that no warnings
are being generated.
You can now change the content of the sample DHCP request by editing the
`dhcp-packet.txt` file and re-run the above command to see the server's reply.
You should examine the DHCP dictionary distrubuted with FreeRADIUS (usually
`/usr/share/freeradius/dictionary.dhcp`) which provides the list of all of the
DHCP parameters ("attributes") understood by FreeRADIUS.
[WARNING]
====
When you are done **remember** to remove the temporary edit that was made to
the `dhcp` virtual server that provides the static IP assignment.
====
=== Testing the DHCP policy
The remainder of this guide describes how to configure the IP address plan,
setup the IP pools and define a DHCP policy. You should develop your policy by
making small, incremental changes to the provided configuration and then test
those changes with the approach described above, using `dhcpclient` and `radius -X`,
modifying the sample DHCP packet as required. If you break the policy then
revert the last change, attempt to understand what went wrong, and try
something else.
Now xref:protocols/dhcp/policy.adoc[define the DHCP policy].
|
