
/etc/freeradius/3.0/sites-available/dhcp is in freeradius-config 3.0.16+dfsg-1ubuntu3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

# -*- text -*-
######################################################################
#
#	This is a virtual server that handles DHCP.
#
#  See raddb/mods-available/dhcp_sqlippool for the IP Pool configuration.
#
#  See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
#  the RADIUS based "sqlippool" module to be used for DHCP.
#
#  See raddb/mods-config/sql/ippool/ for the schemas.
#
#  See raddb/sites-available/dhcp for instructions on how to configure
#  the DHCP server.
#
#	$Id: 595b1c29acd6ff1bee8478a00771ff774a3fc51a $
#
######################################################################

#
#  The DHCP functionality goes into a virtual server.
#
server dhcp {

#  Define a DHCP socket.
#
#  The default port below is 6700, so you don't break your network.
#  If you want it to do real DHCP, change this to 67, and good luck!
#
#  You can also bind the DHCP socket to an interface.
#  See below, and raddb/radiusd.conf for examples.
#
#  This lets you run *one* DHCP server instance and have it listen on
#  multiple interfaces, each with a separate policy.
#
#  If you have multiple interfaces, it is a good idea to bind the
#  listen section to an interface.  You will also need one listen
#  section per interface.
#
#  FreeBSD does *not* support binding sockets to interfaces.  Therefore,
#  if you have multiple interfaces, broadcasts may go out of the wrong
#  one, or even all interfaces.  The solution is to use the "setfib" command.
#  If you have a network "10.10.0/24" on LAN1, you will need to do:
#
#  Pick any IP on the 10.10.0/24 network
#	$ setfib 1 route add default 10.10.0.1
#
#  Edit /etc/rc.local, and add a line:
#	setfib 1 /path/to/radiusd
#
#  The kernel must be built with the following options:
#	options    ROUTETABLES=2
#  or any value larger than 2.
#
#  The only other solution is to update FreeRADIUS to use BPF sockets.
#
listen {
	#  Listener for the "dhcp" virtual server.  As shipped it is bound
	#  to loopback on a non-standard port with broadcast disabled, so
	#  it does not answer clients on a real network until the values
	#  below are changed.

	#  This is a dhcp socket.
	type = dhcp

	#  IP address to listen on. Will usually be the IP of the
	#  interface, or 0.0.0.0
	#
	#  0.0.0.0 accepts packets on every interface.  If only one
	#  network should be served, prefer that interface's address
	#  and/or the "interface" setting below.
	ipaddr = 127.0.0.1

	#  source IP address for unicast packets sent by the
	#  DHCP server.
	#
	#  The source IP for unicast packets is chosen from the first
	#  one of the following items which returns a valid IP
	#  address:
	#
	#	src_ipaddr
	#	ipaddr
	#	reply:DHCP-Server-IP-Address
	#	reply:DHCP-DHCP-Server-Identifier
	#
	src_ipaddr = 127.0.0.1

	#  The port should be 67 for a production network. However,
	#  don't set it to 67 on a production network unless you
	#  really know what you're doing. Even if nothing is
	#  configured below, the server may still NAK legitimate
	#  requests from clients.
	#
	#  6700 is the safe test value: real clients never send to it.
	port = 6700

	#  Interface name we are listening on. See comments above.
#	interface = lo0

	# The DHCP server defaults to allowing broadcast packets.
	# Set this to "no" only when the server receives *all* packets
	# from a relay agent.  i.e. when *no* clients are on the same
	# LAN as the DHCP server.
	#
	# It's set to "no" here for testing. It will usually want to
	# be "yes" in production, unless you are only dealing with
	# relayed packets.
	broadcast = no

	# On Linux if you're running the server as non-root, you
	# will need to do:
	#
	#	sudo setcap cap_net_admin=ei /path/to/radiusd
	#
	# This will allow the server to set ARP table entries
	# for newly allocated IPs
	#
	# NOTE(review): CAP_NET_ADMIN is a broad capability (it also
	# covers interface, routing and firewall configuration), not
	# only ARP updates.  Grant it only to the radiusd binary that
	# serves DHCP, and keep that binary root-owned and not
	# writable by the service account.
}

#  Packets received on the socket will be processed through one
#  of the following sections, named after the DHCP packet type.
#  See dictionary.dhcp for the packet types.

#  Return packets will be sent to, in preference order:
#     DHCP-Gateway-IP-Address
#     DHCP-Client-IP-Address
#     DHCP-Your-IP-Address
#  At least one of these attributes should be set at the end of each
#  section for a response to be sent.

dhcp DHCP-Discover {
	#  Handles DHCP-Discover packets.  As shipped it replies with a
	#  DHCP-Offer carrying the placeholder options below; both
	#  address-assignment methods (mac2ip, dhcp_sqlippool) are
	#  commented out, so nothing in this section sets
	#  DHCP-Your-IP-Address.

	#  Set the type of packet to send in reply.
	#
	#  The server will look at the DHCP-Message-Type attribute to
	#  determine which type of packet to send in reply. Common
	#  values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See
	#  dictionary.dhcp for all the possible values.
	#
	#  DHCP-Do-Not-Respond can be used to tell the server to not
	#  respond.
	#
	#  In the event that DHCP-Message-Type is not set then the
	#  server will fall back to determining the type of reply
	#  based on the rcode of this section.

	#  NOTE(review): this is the only "update reply" entry in the
	#  file written without the leading "&"; every other section
	#  uses "&DHCP-Message-Type".  Consider adding it for
	#  consistency.
	update reply {
	       DHCP-Message-Type = DHCP-Offer
	}

	#  The contents here are invented.  Change them!
	#
	#  The name servers are loopback addresses, which would point
	#  each client at itself for DNS, and 192.0.2.1 is in a range
	#  reserved for documentation.  Replace every value before
	#  serving real clients.
	update reply {
		&DHCP-Domain-Name-Server = 127.0.0.1
		&DHCP-Domain-Name-Server = 127.0.0.2
		&DHCP-Subnet-Mask = 255.255.255.0
		&DHCP-Router-Address = 192.0.2.1
		&DHCP-IP-Address-Lease-Time = 86400
		&DHCP-DHCP-Server-Identifier = 192.0.2.1
	}

	#  Do a simple mapping of MAC to assigned IP.
	#
	#  See below for the definition of the "mac2ip"
	#  module.
	#
	#mac2ip

	#  If the MAC wasn't found in that list, do something else.
	#  You could call a Perl, Python, or Java script here.

	#if (notfound) {
	# ...
	#}

	#  Or, allocate IPs from the DHCP pool in SQL. You may need to
	#  set the pool name here if you haven't set it elsewhere.
#	update control {
#		&Pool-Name := "local"
#	}
#	dhcp_sqlippool

	#  If DHCP-Message-Type is not set, returning "ok" or
	#  "updated" from this section will respond with a DHCP-Offer
	#  message.
	#
	#  Other rcodes will tell the server to not return any response.
	ok
}

dhcp DHCP-Request {
	#  Handles DHCP-Request packets.  As shipped the reply type is
	#  set to DHCP-Ack unconditionally: mac2ip and dhcp_sqlippool
	#  are commented out, so no lookup in this section checks the
	#  request against a known lease or host list.
	#
	#  NOTE(review): enable one of the lookups below (and NAK on
	#  failure) before moving the listener to port 67, otherwise
	#  every request is acknowledged with the placeholder options.

	# Response packet type. See DHCP-Discover section above.
	update reply {
	       &DHCP-Message-Type = DHCP-Ack
	}

	#  The contents here are invented.  Change them!
	#
	#  Same placeholders as in DHCP-Discover: loopback name
	#  servers and a router/server address from a documentation
	#  range.  Keep the two sections in agreement when editing.
	update reply {
		&DHCP-Domain-Name-Server = 127.0.0.1
		&DHCP-Domain-Name-Server = 127.0.0.2
		&DHCP-Subnet-Mask = 255.255.255.0
		&DHCP-Router-Address = 192.0.2.1
		&DHCP-IP-Address-Lease-Time = 86400
		&DHCP-DHCP-Server-Identifier = 192.0.2.1
	}

	#  Do a simple mapping of MAC to assigned IP.
	#
	#  See below for the definition of the "mac2ip"
	#  module.
	#
	#mac2ip

	#  If the MAC wasn't found in that list, do something else.
	#  You could call a Perl, Python, or Java script here.

	#if (notfound) {
	# ...
	#}

	#  Or, allocate IPs from the DHCP pool in SQL. You may need to
	#  set the pool name here if you haven't set it elsewhere.
#	update control {
#		&Pool-Name := "local"
#	}
#	dhcp_sqlippool

	#  If DHCP-Message-Type is not set, returning "ok" or
	#  "updated" from this section will respond with a DHCP-Ack
	#  packet.
	#
	#  "handled" will not return a packet, all other rcodes will
	#  send back a DHCP-NAK.
	ok
}

#
#  Other DHCP packet types
#
#  There should be a separate section for each DHCP message type.
#  By default this configuration will ignore them all. Any packet type
#  not defined here will be responded to with a DHCP-NAK.

dhcp DHCP-Decline {
	#  Ignore DHCP-Decline: the reply type is set explicitly to
	#  DHCP-Do-Not-Respond, so no packet is sent back.
	#
	#  NOTE(review): once an address pool is enabled above,
	#  presumably a declined address should also be recorded
	#  here so it is not offered again - confirm against the
	#  pool policy.
	update reply {
	       &DHCP-Message-Type = DHCP-Do-Not-Respond
	}
	reject
}

dhcp DHCP-Inform {
	#  Ignore DHCP-Inform: the reply type is set explicitly to
	#  DHCP-Do-Not-Respond, so no packet is sent back.  The
	#  commented-out section that follows is an alternative that
	#  answers Inform packets instead of ignoring them.
	update reply {
	       &DHCP-Message-Type = DHCP-Do-Not-Respond
	}
	reject
}

#
#  For Windows 7 boxes
#
#dhcp DHCP-Inform {
#	update reply {
#		Packet-Dst-Port = 67
#		DHCP-Message-Type = DHCP-ACK
#		DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
#		DHCP-Site-specific-28 = 0x0a00
#	}
#	ok
#}

dhcp DHCP-Release {
	#  Ignore DHCP-Release: the reply type is set explicitly to
	#  DHCP-Do-Not-Respond, so no packet is sent back.
	#
	#  NOTE(review): nothing here frees an address.  If an
	#  address pool is enabled above, leases would presumably end
	#  only by expiry unless the pool's release handling is
	#  called here - confirm against the pool policy.
	update reply {
	       &DHCP-Message-Type = DHCP-Do-Not-Respond
	}
	reject
}


dhcp DHCP-Lease-Query {
	#  Skeleton handler for DHCP-Lease-Query.  The three lookup
	#  branches below contain only comments, so as shipped no
	#  database is consulted.
	#
	#  NOTE(review): replies to lease queries disclose MAC/IP
	#  bindings, and nothing in this section restricts who may
	#  query.  Consider answering only requesters you trust (for
	#  example known relay agents) when wiring in the lookups.

	#  The thing being queried for is implicit
	#  in the packets.

	# has MAC, asking for IP, etc.
	if (&DHCP-Client-Hardware-Address) {
		# look up MAC in database
	}

	# has IP, asking for MAC, etc.
	elsif (&DHCP-Your-IP-Address) {
		# look up IP in database
	}

	# has client identifier, asking for IP, MAC, etc.
	elsif (&DHCP-Client-Identifier) {
		# look up identifier in database
	}
	else {
		#  None of the three query keys is present: answer
		#  DHCP-Lease-Unknown and stop.
		update reply {
			&DHCP-Message-Type = DHCP-Lease-Unknown
		}

		ok

		# stop processing
		return
	}

	#
	#  We presume that the database lookup returns "notfound"
	#  if it can't find anything.
	#
	#  NOTE(review): with the placeholder branches above no module
	#  runs, so nothing in this section produces "notfound";
	#  presumably such queries fall through to the final reply
	#  below - confirm after adding the real lookups.
	#
	if (notfound) {
		update reply {
			&DHCP-Message-Type = DHCP-Lease-Unknown
		}
		ok
		return
	}

	#
	#	Add more logic here.  Is the lease inactive?
	#	If so, respond with DHCP-Lease-Unassigned.
	#
	#	Otherwise, respond with DHCP-Lease-Active
	#

	#
	#	Also be sure to return ALL information about
	#	the lease.
	#

	#
	#	The reply types are:
	#
	#	DHCP-Lease-Unknown
	#	DHCP-Lease-Active
	#	DHCP-Lease-Unassigned
	#
	#  Default reply until the logic described above is added.
	update reply {
		&DHCP-Message-Type = DHCP-Lease-Unassigned
	}

}

}

######################################################################
#
#  This next section is a sample configuration for the "passwd"
#  module, that reads flat-text files.  It should go into
#  radiusd.conf, in the "modules" section.
#
#  The file is in the format <mac>,<ip>
#
#	00:01:02:03:04:05,192.0.2.100
#	01:01:02:03:04:05,192.0.2.101
#	02:01:02:03:04:05,192.0.2.102
#
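#  This lets you perform simple static IP assignment.  The MAC
#  address is supplied by the client and is not authenticated, so
#  treat this mapping as address assignment, not access control.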
#
#  There is a preconfigured "mac2ip" module setup in
#  mods-available/mac2ip. To use it do:
#
#    # cd raddb/
#    # ln -s ../mods-available/mac2ip mods-enabled/mac2ip
#    # mkdir mods-config/passwd
#
#  Then create the file mods-config/passwd/mac2ip with the above
#  format.
#
######################################################################


#  This is an example only - see mods-available/mac2ip instead; do
#  not uncomment these lines here.
#
#passwd mac2ip {
#	filename = ${confdir}/mac2ip
#	format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
#	delimiter = ","
#}