Active Session Management via OMAPI

Randall C Grimshaw rgrimsha at syr.edu
Tue Jul 20 23:10:23 UTC 2010


You will find that the dhcp server also makes a very good session watchdog for firewall garbage collection.
Unfortunately there has been a persistent memory leak in OMAPI which necessitated a piece of middleware. The middleware simply maintained a persistent connection to OMAPI and subsequently provided some additional logging functionality. In this design it is not difficult to pull a list of users from the firewall and query them individually in DHCP (IP and MAC associations). We used the DHCP assigned address and assigned QOS to the IP/MAC in the firewall. There is a bit more to describe in the firewall if you continue.
We also implemented a high availability cluster configuration that would re-arp the gateway address to the failover and instantly re-build the firewall rules from the session log. Each of the clustered machines ran one of the dhcp failover servers. Our weakest link was the clustering software itself, as the gateway was very reliable. Hopefully it has matured by now. We have just retired the application because we have been very successful in implementing an 802.1x network that uses Impulse Safe Connect for continuous assessment. Compliance checking in what remained as a guest portal was deprecated. Concerned with the lack of developers, my manager replaced the remaining guest access functionality with blue_socket, who was willing to implement a required feature.

Randall Grimshaw rgrimsha at syr.edu

________________________________________
From: dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org [dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org] On Behalf Of Bryan Cheng [bcheng at rescomp.berkeley.edu]
Sent: Tuesday, July 20, 2010 5:06 PM
To: dhcp-users at lists.isc.org
Subject: Active Session Management via OMAPI

Hi,

We're a small team working at the University of California, Berkeley on an
implementation of our open-source network access control software designed
to regulate our wireless network and our in-room connections.

We are investigating replacing our current (filesystem-based) session store
system with the ISC dhcp server. In this setup, a pair of dhcp servers in a
failover configuration communicate with perl scripts running on our captive
portals. While the dhcp servers do not actively grant leases to our clients,
we use the information contained in the return dhcp packet in order to
determine which ip address to allocate to a given client. This allows us to
take advantage of features in the dhcp server, such as failover, session
management, ip address allocation, and omapi, for the purposes of
facilitating a high-availability configuration for our captive portals.

However, the version of the dhcp server that we run (3.1) does not support
recovering a list of all active sessions over omapi. Examining the release
notes for later versions does not seem to indicate that this support was
added. Are there plans to include support for this in later revisions of the
omapi implementation?

Additionally, we were wondering what methods, if any, others have used in
order to obtain a complete list of all active leases on a given dhcp server.

Thanks,

Bryan Cheng
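
The session-watchdog idea from the reply above (pull the firewall's session list, query each IP individually in DHCP, and garbage-collect rules with no matching lease), as an added example that is not code from either poster or from ISC. The `Lease` record, the reason strings and the `lookup` callable standing in for the per-IP OMAPI query are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Lease:                 # assumed, simplified view of one lease lookup result
    ip: str
    mac: str
    state: str               # "active" means the binding is in use
    ends: int                # lease expiry, Unix time

@dataclass(frozen=True)
class FirewallSession:       # one IP/MAC rule currently installed in the firewall
    ip: str
    mac: str

def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")

def stale_reason(sess: FirewallSession, lease: Optional[Lease], now: int) -> Optional[str]:
    """Return why the firewall rule should be removed, or None to keep it."""
    if lease is None:
        return "no-lease"
    if lease.state != "active":
        return "lease-" + lease.state
    if lease.ends <= now:
        return "lease-expired"
    if norm_mac(lease.mac) != norm_mac(sess.mac):
        return "mac-mismatch"          # IP has been handed to a different client
    return None

def reconcile(sessions: List[FirewallSession],
              lookup: Callable[[str], Optional[Lease]],
              now: int) -> Tuple[List[FirewallSession], List[Tuple[FirewallSession, str]]]:
    """Query every firewall session individually and split into keep / drop."""
    keep, drop = [], []
    for s in sessions:
        reason = stale_reason(s, lookup(s.ip), now)
        if reason is None:
            keep.append(s)
        else:
            drop.append((s, reason))
    return keep, drop

# Constructed sample data: the dict stands in for per-IP lease queries.
NOW = 1279667000
LEASES = {l.ip: l for l in [
    Lease("10.0.0.10", "aa:bb:cc:00:00:01", "active", NOW + 600),
    Lease("10.0.0.11", "aa:bb:cc:00:00:02", "free", NOW - 60),
    Lease("10.0.0.12", "aa:bb:cc:00:00:03", "active", NOW + 600),
    Lease("10.0.0.14", "aa:bb:cc:00:00:05", "active", NOW - 5)]}
SESSIONS = [FirewallSession("10.0.0.10", "AA-BB-CC-00-00-01"),
            FirewallSession("10.0.0.11", "aa:bb:cc:00:00:02"),
            FirewallSession("10.0.0.12", "aa:bb:cc:00:00:99"),
            FirewallSession("10.0.0.13", "aa:bb:cc:00:00:04"),
            FirewallSession("10.0.0.14", "aa:bb:cc:00:00:05")]
```
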



