| # -*- text -*- |
| ###################################################################### |
| # |
| # This is a virtual server that handles DHCP. |
| # |
| # $Id: 170e2b191af7184b519d3594fa99476c857dfda5 $ |
| # |
| ###################################################################### |
| |
| # |
| # The DHCP functionality goes into a virtual server. |
| # |
| server dhcp { |
| |
| # Define a DHCP socket. |
| # |
| # The default port below is 6700, so you don't break your network. |
| # If you want it to do real DHCP, change this to 67, and good luck! |
| # |
| # You can also bind the DHCP socket to an interface. |
| # See below, and raddb/radiusd.conf for examples. |
| # |
| # This lets you run *one* DHCP server instance and have it listen on |
| # multiple interfaces, each with a separate policy. |
| # |
| # If you have multiple interfaces, it is a good idea to bind the |
| # listen section to an interface. You will also need one listen |
| # section per interface. |
| # |
| # FreeBSD does *not* support binding sockets to interfaces. Therefore, |
| # if you have multiple interfaces, broadcasts may go out of the wrong |
| # one, or even all interfaces. The solution is to use the "setfib" command. |
| # If you have a network "10.10.0/24" on LAN1, you will need to do: |
| # |
| # Pick any IP on the 10.10.0/24 network |
| # $ setfib 1 route add default 10.10.0.1 |
| # |
| # Edit /etc/rc.local, and add a line: |
| # setfib 1 /path/to/radiusd |
| # |
| # The kernel must be built with the following options: |
| # options ROUTETABLES=2 |
| # or any value larger than 2. |
| # |
| # The only other solution is to update FreeRADIUS to use BPF sockets. |
| # |
| listen { |
| # The DHCP socket for this virtual server. The defaults below |
| # (loopback address, port 6700, no broadcast) are chosen so that |
| # a test instance cannot affect a real network. |
| # This is a dhcp socket. |
| type = dhcp |
| |
| # IP address to listen on. Will usually be the IP of the |
| # interface, or 0.0.0.0 |
| ipaddr = 127.0.0.1 |
| |
| # source IP address for unicast packets sent by the |
| # DHCP server. |
| # |
| # The source IP for unicast packets is chosen from the first |
| # one of the following items which returns a valid IP |
| # address: |
| # |
| # src_ipaddr |
| # ipaddr |
| # reply:DHCP-Server-IP-Address |
| # reply:DHCP-DHCP-Server-Identifier |
| # |
| src_ipaddr = 127.0.0.1 |
| |
| # Use port 67 for real DHCP. Don't set it to 67 on a production |
| # network unless you really know what you're doing: even if |
| # nothing is configured below, the server may still NAK |
| # legitimate requests from clients and disrupt address |
| # assignment on that segment. |
| port = 6700 |
| |
| # Interface name we are listening on. See comments above. |
| # interface = lo0 |
| |
| # The DHCP server defaults to allowing broadcast packets. |
| # Set this to "no" only when the server receives *all* packets |
| # from a relay agent. i.e. when *no* clients are on the same |
| # LAN as the DHCP server. |
| # |
| # It's set to "no" here for testing. It will usually want to |
| # be "yes" in production, unless you are only dealing with |
| # relayed packets. |
| broadcast = no |
| |
| # On Linux if you're running the server as non-root, you |
| # will need to do: |
| # |
| # sudo setcap cap_net_admin=ei /path/to/radiusd |
| # |
| # This will allow the server to set ARP table entries |
| # for newly allocated IPs |
| # |
| # NOTE(review): this grants a privileged capability to the |
| # binary itself, for every process started from it. Confirm on |
| # your platform that the capability bits shown are the ones |
| # needed and that the running process actually holds it. |
| } |
| |
| # Packets received on the socket will be processed through one |
| # of the following sections, named after the DHCP packet type. |
| # See dictionary.dhcp for the packet types. |
| |
| # Return packets will be sent to, in preference order: |
| # DHCP-Gateway-IP-Address |
| # DHCP-Client-IP-Address |
| # DHCP-Your-IP-Address |
| # At least one of these attributes should be set at the end of each |
| # section for a response to be sent. |
| |
| dhcp DHCP-Discover { |
| # Handles DHCP-Discover packets: sets the reply type to |
| # DHCP-Offer, fills in sample network parameters, and returns |
| # "ok" so that a reply is sent. |
| |
| # Set the type of packet to send in reply. |
| # |
| # The server will look at the DHCP-Message-Type attribute to |
| # determine which type of packet to send in reply. Common |
| # values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See |
| # dictionary.dhcp for all the possible values. |
| # |
| # DHCP-Do-Not-Respond can be used to tell the server to not |
| # respond. |
| # |
| # In the event that DHCP-Message-Type is not set then the |
| # server will fall back to determining the type of reply |
| # based on the rcode of this section. |
| |
| update reply { |
| DHCP-Message-Type = DHCP-Offer |
| } |
| |
| # The contents here are invented. Change them! |
| # The loopback DNS servers and the 192.0.2.0/24 documentation |
| # range are placeholders only; replace them before this server |
| # answers real clients. |
| update reply { |
| DHCP-Domain-Name-Server = 127.0.0.1 |
| DHCP-Domain-Name-Server = 127.0.0.2 |
| DHCP-Subnet-Mask = 255.255.255.0 |
| DHCP-Router-Address = 192.0.2.1 |
| DHCP-IP-Address-Lease-Time = 86400 |
| DHCP-DHCP-Server-Identifier = 192.0.2.1 |
| } |
| |
| # Do a simple mapping of MAC to assigned IP. |
| # |
| # See below for the definition of the "mac2ip" |
| # module. |
| # |
| #mac2ip |
| |
| # If the MAC wasn't found in that list, do something else. |
| # You could call a Perl, Python, or Java script here. |
| |
| #if (notfound) { |
| # ... |
| #} |
| |
| # Or, allocate IPs from the DHCP pool in SQL. You may need to |
| # set the pool name here if you haven't set it elsewhere. |
| # update control { |
| # Pool-Name := "local" |
| # } |
| # dhcp_sqlippool |
| |
| # If DHCP-Message-Type is not set, returning "ok" or |
| # "updated" from this section will respond with a DHCP-Offer |
| # message. |
| # |
| # Other rcodes will tell the server to not return any response. |
| ok |
| } |
| |
| dhcp DHCP-Request { |
| # Handles DHCP-Request packets: sets the reply type to DHCP-Ack, |
| # fills in the same sample parameters as DHCP-Discover above, |
| # and returns "ok" so that a reply is sent. Keep the values in |
| # the two sections in step, or clients will be offered one |
| # configuration and acknowledged with another. |
| |
| # Response packet type. See DHCP-Discover section above. |
| update reply { |
| DHCP-Message-Type = DHCP-Ack |
| } |
| |
| # The contents here are invented. Change them! |
| # The loopback DNS servers and the 192.0.2.0/24 documentation |
| # range are placeholders only; replace them before this server |
| # answers real clients. |
| update reply { |
| DHCP-Domain-Name-Server = 127.0.0.1 |
| DHCP-Domain-Name-Server = 127.0.0.2 |
| DHCP-Subnet-Mask = 255.255.255.0 |
| DHCP-Router-Address = 192.0.2.1 |
| DHCP-IP-Address-Lease-Time = 86400 |
| DHCP-DHCP-Server-Identifier = 192.0.2.1 |
| } |
| |
| # Do a simple mapping of MAC to assigned IP. |
| # |
| # See below for the definition of the "mac2ip" |
| # module. |
| # |
| #mac2ip |
| |
| # If the MAC wasn't found in that list, do something else. |
| # You could call a Perl, Python, or Java script here. |
| |
| #if (notfound) { |
| # ... |
| #} |
| |
| # Or, allocate IPs from the DHCP pool in SQL. You may need to |
| # set the pool name here if you haven't set it elsewhere. |
| # update control { |
| # Pool-Name := "local" |
| # } |
| # dhcp_sqlippool |
| |
| # If DHCP-Message-Type is not set, returning "ok" or |
| # "updated" from this section will respond with a DHCP-Ack |
| # packet. |
| # |
| # "handled" will not return a packet, all other rcodes will |
| # send back a DHCP-NAK. |
| ok |
| } |
| |
| # |
| # Other DHCP packet types |
| # |
| # There should be a separate section for each DHCP message type. |
| # By default this configuration will ignore them all. Any packet type |
| # not defined here will be responded to with a DHCP-NAK. |
| |
| dhcp DHCP-Decline { |
| # Declines are not answered: the reply type is set to |
| # DHCP-Do-Not-Respond so that the "reject" rcode below does |
| # not turn into a DHCP-NAK on the wire. |
| update reply { |
| DHCP-Message-Type = DHCP-Do-Not-Respond |
| } |
| reject |
| } |
| |
| dhcp DHCP-Inform { |
| # Informs are not answered: the reply type is set to |
| # DHCP-Do-Not-Respond so that the "reject" rcode below does |
| # not turn into a DHCP-NAK on the wire. |
| update reply { |
| DHCP-Message-Type = DHCP-Do-Not-Respond |
| } |
| reject |
| } |
| |
| dhcp DHCP-Release { |
| # Releases are not answered: the reply type is set to |
| # DHCP-Do-Not-Respond so that the "reject" rcode below does |
| # not turn into a DHCP-NAK on the wire. |
| update reply { |
| DHCP-Message-Type = DHCP-Do-Not-Respond |
| } |
| reject |
| } |
| |
| |
| } |
| |
| ###################################################################### |
| # |
| # This next section is a sample configuration for the "passwd" |
| # module, that reads flat-text files. It should go into |
| # radiusd.conf, in the "modules" section. |
| # |
| # The file is in the format <mac>,<ip> |
| # |
| # 00:01:02:03:04:05,192.0.2.100 |
| # 01:01:02:03:04:05,192.0.2.101 |
| # 02:01:02:03:04:05,192.0.2.102 |
| # |
| # This lets you perform simple static IP assignment. |
| # |
| # There is a preconfigured "mac2ip" module setup in |
| # mods-available/mac2ip. To use it do: |
| # |
| # # cd raddb/ |
| # # ln -s ../mods-available/mac2ip mods-enabled/mac2ip |
| # # mkdir mods-config/passwd |
| # |
| # Then create the file mods-config/passwd/mac2ip with the above |
| # format. |
| # |
| ###################################################################### |
| |
| |
| # This is an example only - see mods-available/mac2ip instead; do |
| # not uncomment these lines here. |
| # |
| #passwd mac2ip { |
| # filename = ${confdir}/mac2ip |
| # format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" |
| # delimiter = "," |
| #} |