Chetan Gaonker | 7f4bf74 | 2016-05-04 15:56:08 -0700 | [diff] [blame] | 1 | # -*- text -*- |
| 2 | ###################################################################### |
| 3 | # |
| 4 | # This is a virtual server that handles DHCP. |
| 5 | # |
| 6 | # $Id: 170e2b191af7184b519d3594fa99476c857dfda5 $ |
| 7 | # |
| 8 | ###################################################################### |
| 9 | |
| 10 | # |
| 11 | # The DHCP functionality goes into a virtual server. |
| 12 | # |
| 13 | server dhcp { |
| 14 | |
| 15 | # Define a DHCP socket. |
| 16 | # |
| 17 | # The default port below is 6700, so you don't break your network. |
| 18 | # If you want it to do real DHCP, change this to 67, and good luck! |
| 19 | # |
| 20 | # You can also bind the DHCP socket to an interface. |
| 21 | # See below, and raddb/radiusd.conf for examples. |
| 22 | # |
| 23 | # This lets you run *one* DHCP server instance and have it listen on |
| 24 | # multiple interfaces, each with a separate policy. |
| 25 | # |
| 26 | # If you have multiple interfaces, it is a good idea to bind the |
| 27 | # listen section to an interface. You will also need one listen |
| 28 | # section per interface. |
| 29 | # |
| 30 | # FreeBSD does *not* support binding sockets to interfaces. Therefore, |
| 31 | # if you have multiple interfaces, broadcasts may go out of the wrong |
| 32 | # one, or even all interfaces. The solution is to use the "setfib" command. |
| 33 | # If you have a network "10.10.0/24" on LAN1, you will need to do: |
| 34 | # |
| 35 | # Pick any IP on the 10.10.0/24 network |
| 36 | # $ setfib 1 route add default 10.10.0.1 |
| 37 | # |
| 38 | # Edit /etc/rc.local, and add a line: |
| 39 | # setfib 1 /path/to/radiusd |
| 40 | # |
| 41 | # The kern must be built with the following options: |
| 42 | # options ROUTETABLES=2 |
| 43 | # or any value larger than 2. |
| 44 | # |
| 45 | # The other only solution is to update FreeRADIUS to use BPF sockets. |
| 46 | # |
| 47 | listen { |
| 48 | # This is a dhcp socket. |
| 49 | type = dhcp |
| 50 | |
| 51 | # IP address to listen on. Will usually be the IP of the |
| 52 | # interface, or 0.0.0.0 |
| 53 | ipaddr = 127.0.0.1 |
| 54 | |
| 55 | # source IP address for unicast packets sent by the |
| 56 | # DHCP server. |
| 57 | # |
| 58 | # The source IP for unicast packets is chosen from the first |
| 59 | # one of the following items which returns a valid IP |
| 60 | # address: |
| 61 | # |
| 62 | # src_ipaddr |
| 63 | # ipaddr |
| 64 | # reply:DHCP-Server-IP-Address |
| 65 | # reply:DHCP-DHCP-Server-Identifier |
| 66 | # |
| 67 | src_ipaddr = 127.0.0.1 |
| 68 | |
| 69 | # The port should be 67 for a production network. Don't set |
| 70 | # it to 67 on a production network unless you really know |
| 71 | # what you're doing. Even if nothing is configured below, the |
| 72 | # server may still NAK legitimate responses from clients. |
| 73 | port = 6700 |
| 74 | |
| 75 | # Interface name we are listening on. See comments above. |
| 76 | # interface = lo0 |
| 77 | |
| 78 | # The DHCP server defaults to allowing broadcast packets. |
| 79 | # Set this to "no" only when the server receives *all* packets |
| 80 | # from a relay agent. i.e. when *no* clients are on the same |
| 81 | # LAN as the DHCP server. |
| 82 | # |
| 83 | # It's set to "no" here for testing. It will usually want to |
| 84 | # be "yes" in production, unless you are only dealing with |
| 85 | # relayed packets. |
| 86 | broadcast = no |
| 87 | |
| 88 | # On Linux if you're running the server as non-root, you |
| 89 | # will need to do: |
| 90 | # |
| 91 | # sudo setcap cap_net_admin=ei /path/to/radiusd |
| 92 | # |
| 93 | # This will allow the server to set ARP table entries |
| 94 | # for newly allocated IPs |
| 95 | } |
| 96 | |
| 97 | # Packets received on the socket will be processed through one |
| 98 | # of the following sections, named after the DHCP packet type. |
| 99 | # See dictionary.dhcp for the packet types. |
| 100 | |
| 101 | # Return packets will be sent to, in preference order: |
| 102 | # DHCP-Gateway-IP-Address |
| 103 | # DHCP-Client-IP-Address |
| 104 | # DHCP-Your-IP-Address |
| 105 | # At least one of these attributes should be set at the end of each |
| 106 | # section for a response to be sent. |
| 107 | |
| 108 | dhcp DHCP-Discover { |
| 109 | |
| 110 | # Set the type of packet to send in reply. |
| 111 | # |
| 112 | # The server will look at the DHCP-Message-Type attribute to |
| 113 | # determine which type of packet to send in reply. Common |
| 114 | # values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See |
| 115 | # dictionary.dhcp for all the possible values. |
| 116 | # |
| 117 | # DHCP-Do-Not-Respond can be used to tell the server to not |
| 118 | # respond. |
| 119 | # |
| 120 | # In the event that DHCP-Message-Type is not set then the |
| 121 | # server will fall back to determining the type of reply |
| 122 | # based on the rcode of this section. |
| 123 | |
| 124 | update reply { |
| 125 | DHCP-Message-Type = DHCP-Offer |
| 126 | } |
| 127 | |
| 128 | # The contents here are invented. Change them! |
| 129 | update reply { |
| 130 | DHCP-Domain-Name-Server = 127.0.0.1 |
| 131 | DHCP-Domain-Name-Server = 127.0.0.2 |
| 132 | DHCP-Subnet-Mask = 255.255.255.0 |
| 133 | DHCP-Router-Address = 192.0.2.1 |
| 134 | DHCP-IP-Address-Lease-Time = 86400 |
| 135 | DHCP-DHCP-Server-Identifier = 192.0.2.1 |
| 136 | } |
| 137 | |
| 138 | # Do a simple mapping of MAC to assigned IP. |
| 139 | # |
| 140 | # See below for the definition of the "mac2ip" |
| 141 | # module. |
| 142 | # |
| 143 | #mac2ip |
| 144 | |
| 145 | # If the MAC wasn't found in that list, do something else. |
| 146 | # You could call a Perl, Python, or Java script here. |
| 147 | |
| 148 | #if (notfound) { |
| 149 | # ... |
| 150 | #} |
| 151 | |
| 152 | # Or, allocate IPs from the DHCP pool in SQL. You may need to |
| 153 | # set the pool name here if you haven't set it elsewhere. |
| 154 | # update control { |
| 155 | # Pool-Name := "local" |
| 156 | # } |
| 157 | # dhcp_sqlippool |
| 158 | |
| 159 | # If DHCP-Message-Type is not set, returning "ok" or |
| 160 | # "updated" from this section will respond with a DHCP-Offer |
| 161 | # message. |
| 162 | # |
| 163 | # Other rcodes will tell the server to not return any response. |
| 164 | ok |
| 165 | } |
| 166 | |
| 167 | dhcp DHCP-Request { |
| 168 | |
| 169 | # Response packet type. See DHCP-Discover section above. |
| 170 | update reply { |
| 171 | DHCP-Message-Type = DHCP-Ack |
| 172 | } |
| 173 | |
| 174 | # The contents here are invented. Change them! |
| 175 | update reply { |
| 176 | DHCP-Domain-Name-Server = 127.0.0.1 |
| 177 | DHCP-Domain-Name-Server = 127.0.0.2 |
| 178 | DHCP-Subnet-Mask = 255.255.255.0 |
| 179 | DHCP-Router-Address = 192.0.2.1 |
| 180 | DHCP-IP-Address-Lease-Time = 86400 |
| 181 | DHCP-DHCP-Server-Identifier = 192.0.2.1 |
| 182 | } |
| 183 | |
| 184 | # Do a simple mapping of MAC to assigned IP. |
| 185 | # |
| 186 | # See below for the definition of the "mac2ip" |
| 187 | # module. |
| 188 | # |
| 189 | #mac2ip |
| 190 | |
| 191 | # If the MAC wasn't found in that list, do something else. |
| 192 | # You could call a Perl, Python, or Java script here. |
| 193 | |
| 194 | #if (notfound) { |
| 195 | # ... |
| 196 | #} |
| 197 | |
| 198 | # Or, allocate IPs from the DHCP pool in SQL. You may need to |
| 199 | # set the pool name here if you haven't set it elsewhere. |
| 200 | # update control { |
| 201 | # Pool-Name := "local" |
| 202 | # } |
| 203 | # dhcp_sqlippool |
| 204 | |
| 205 | # If DHCP-Message-Type is not set, returning "ok" or |
| 206 | # "updated" from this section will respond with a DHCP-Ack |
| 207 | # packet. |
| 208 | # |
| 209 | # "handled" will not return a packet, all other rcodes will |
| 210 | # send back a DHCP-NAK. |
| 211 | ok |
| 212 | } |
| 213 | |
| 214 | # |
| 215 | # Other DHCP packet types |
| 216 | # |
| 217 | # There should be a separate section for each DHCP message type. |
| 218 | # By default this configuration will ignore them all. Any packet type |
| 219 | # not defined here will be responded to with a DHCP-NAK. |
| 220 | |
| 221 | dhcp DHCP-Decline { |
| 222 | update reply { |
| 223 | DHCP-Message-Type = DHCP-Do-Not-Respond |
| 224 | } |
| 225 | reject |
| 226 | } |
| 227 | |
| 228 | dhcp DHCP-Inform { |
| 229 | update reply { |
| 230 | DHCP-Message-Type = DHCP-Do-Not-Respond |
| 231 | } |
| 232 | reject |
| 233 | } |
| 234 | |
| 235 | dhcp DHCP-Release { |
| 236 | update reply { |
| 237 | DHCP-Message-Type = DHCP-Do-Not-Respond |
| 238 | } |
| 239 | reject |
| 240 | } |
| 241 | |
| 242 | |
| 243 | } |
| 244 | |
| 245 | ###################################################################### |
| 246 | # |
| 247 | # This next section is a sample configuration for the "passwd" |
| 248 | # module, that reads flat-text files. It should go into |
| 249 | # radiusd.conf, in the "modules" section. |
| 250 | # |
| 251 | # The file is in the format <mac>,<ip> |
| 252 | # |
| 253 | # 00:01:02:03:04:05,192.0.2.100 |
| 254 | # 01:01:02:03:04:05,192.0.2.101 |
| 255 | # 02:01:02:03:04:05,192.0.2.102 |
| 256 | # |
| 257 | # This lets you perform simple static IP assignment. |
| 258 | # |
| 259 | # There is a preconfigured "mac2ip" module setup in |
| 260 | # mods-available/mac2ip. To use it do: |
| 261 | # |
| 262 | # # cd raddb/ |
| 263 | # # ln -s ../mods-available/mac2ip mods-enabled/mac2ip |
| 264 | # # mkdir mods-config/passwd |
| 265 | # |
| 266 | # Then create the file mods-config/passwd/mac2ip with the above |
| 267 | # format. |
| 268 | # |
| 269 | ###################################################################### |
| 270 | |
| 271 | |
| 272 | # This is an example only - see mods-available/mac2ip instead; do |
| 273 | # not uncomment these lines here. |
| 274 | # |
| 275 | #passwd mac2ip { |
| 276 | # filename = ${confdir}/mac2ip |
| 277 | # format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" |
| 278 | # delimiter = "," |
| 279 | #} |