dhcp-users Digest, Vol 65, Issue 11 (lyndon villas)

lyndon villas sox316 at gmail.com
Thu Jul 3 12:11:46 UTC 2014


Hi All,

I'm soliciting ideas on this case; as of the moment I've got no concrete
solution.
The idea is to authenticate the DHCP client against option 61
(dhcp-client-identifier) and option 82 (agent.circuit-id).

This is the required authentication flow:

1. class "ACL61+82" {
       match option dhcp-client-identifier and option agent.circuit-id;
   }

   subclass "ACL61+82" "Option 61 + Option 82";

   subnet 192.168.0.0 netmask 255.255.255.0 {
       pool {
           allow members "ACL61+82 values";
           range 192.168.0.1 192.168.0.100;
       }
   }

2. class "ACL61" {
       match option dhcp-client-identifier and option agent.circuit-id = null;
   }

   subclass "ACL61" "Option 61 values";

   subnet 192.168.1.0 netmask 255.255.255.0 {
       pool {
           allow members "ACL61";
           range 192.168.1.1 192.168.1.100;
       }
   }

3. class "ACL82" {
       match option agent.circuit-id and option dhcp-client-identifier = null;
   }

   subclass "ACL82" "Option 82 values";

   subnet 192.168.3.0 netmask 255.255.255.0 {
       pool {
           allow members "ACL82";
           range 192.168.3.1 192.168.3.100;
       }
   }


Thank you very much.

Best Regards,
Lyndon



> Message: 5
> Date: Thu, 20 Mar 2014 16:33:32 +0800
> From: lyndon villas <sox316 at gmail.com>
> To: dhcp-users at lists.isc.org
> Subject: Re: dhcp-users Digest, Vol 65, Issue 11
>
> >
> > Hi Patrick,
> >
>
>    Here's what I want to accomplish:
>
>    1. Check if Option 61 value is in the class entry (ex.
> client-circuitid_class). If YES, then check if Circuit-id is
> available; if no Circuit-id, please assign IP address from IP Pool.
>
>    2. If both Option 61 and Circuit-id are present, compare it to the
> class entry (e.g. client-circuitid_class). If it matches the entry, please
> assign IP address from IP Pool.
>
>    3. Option 61 is not defined (null) but Circuit-id is available and can
> be found in the class entry (e.g. client-circuitid_class), please assign IP
> address from IP pool.
>
> I hope this pseudocode helps.
>
> Best Regards,
> Lyndon
>
>
>
>
>
> >
> > Message: 2
> > Date: Tue, 18 Mar 2014 09:22:02 +0000
> > From: Patrick Trapp <ptrapp at nex-tech.com>
> > To: Users of ISC DHCP <dhcp-users at lists.isc.org>
> > Subject: RE: Matching client DHCP request against Option 61 and Option 82
> >         (circuit id)
> >
> > Off the top of my head, I'm not remembering what Option 61 is, but I have
> > a fair bit of practice with match statements. Have you worked it out yet?
> > Do you have an obfuscated example of what you are trying to accomplish in
> > pseudocode to get the conversation started?
> >
> > Something like
> >
> > If Option 82 is "circuit-id-1", do something 1. If Option 82 is
> > "circuit-id-1" and Option 61 is present, do something 2. If Option 82 is
> > "circuit-id-2" and Option 61 is "option-61-first", do something 3.
> >
> > More detail is better, especially if you have worked out part of the
> > config and we don't have to sweat that part. I'm at GMT-6, so I'm not sure
> > how well our schedules will mesh (it's rather early for me as I type this)
> > but if that's not a deterrent, let's see what we can do.
> >
> > Patrick
> >
> > ________________________________
> > From: dhcp-users-bounces+ptrapp=nex-tech.com at lists.isc.org
> > [dhcp-users-bounces+ptrapp=nex-tech.com at lists.isc.org] on behalf of
> > lyndon villas [sox316 at gmail.com]
> > Sent: Monday, March 17, 2014 10:27 PM
> > To: dhcp-users at lists.isc.org
> > Subject: Matching client DHCP request against Option 61 and Option 82
> > (circuit id)
> >
> > Hi All,
> >
> > I'm trying to configure my DHCP  server to match client request against
> > Option 61 and Option 82 circuit-id. Client request may also contain on
> > Option 61. I'm not a programming geek, your help in creating a match
> > statement is much appreciated.
> >
> > Thanks in advance.
> >
> > --
> > Regards,
> >
> > Sox 316
>
>
>
> --
> Regards,
>
> Lyndon A. Villas
>
> ------------------------------
>
> Message: 6
> Date: Thu, 20 Mar 2014 11:13:46 +0000
> From: Simon Hobson <dhcp1 at thehobsons.co.uk>
> To: Users of ISC DHCP <dhcp-users at lists.isc.org>
> Subject: Re: dhcp-users Digest, Vol 65, Issue 11
>
> lyndon villas <sox316 at gmail.com> wrote:
>
> >    Here's what I want to accomplish:
> >
> >    1. Check if Option 61 value is in the class entry (ex.
> > client-circuitid_class). If YES, then check if Circuit-id is
> > available; if no Circuit-id, please assign IP address from IP Pool.
> >
> >    2. If both Option 61 and Circuit-id are present, compare it to the
> > class entry (e.g. client-circuitid_class). If it matches the entry, please
> > assign IP address from IP Pool.
> >
> >    3. Option 61 is not defined (null) but Circuit-id is available and
> > can be found in the class entry (e.g. client-circuitid_class), please assign
> > IP address from IP pool.
> >
> > I hope this pseudocode helps.
>
>
> It's not clear and consistent.
>
> 1 says "If A and not B, then use A".
>
> 2 says "If A and B then use 'it'" - without specifying whether 'it' is A
> or B !
>
> 3 says "If B and not A then use B".
>
> A simpler way of writing it is "if A is present then use A, else if B is
> present then use B" (or swap A and B round depending on what 'it' is).
>
>
> You can use "pick-first-value" for this.
> If 'it' is A then use "pick-first-value(A,B)", or if 'it' is B then use
> "pick-first-value(B,A)". So your class selection becomes :
>
> match if pick-first-value(A,B)="some string"
>
>
>
> But you also don't specify what you want to match the options against. Are
> they to match against the same string (eg A or B or both would be the same
> string), or are they to compare against different strings (in which case
> the above won't work).
>
> If you match against different strings (so the test is "A="X" or B = "Y")
> then I think you need a slightly more complicated selection.
> I'm not sure if just doing :
>   match if A="X";
>   match if B="Y";
> will work. If not, then you might have to do something like :
>   match if (pick-first-value(A,"")="X") or (pick-first-value(B,"")="Y") ;
>
> The reason for the pick-first-value clauses here is that if A or B is not
> present, then the result of comparing it with anything is unknown - and
> logical ORing unknown with anything is unknown. So the pick-first-value
> clauses ensure that if A or B is not present, it's replaced with an empty
> string so that the OR clause will work.
>
>
>



-- 
Regards,

Lyndon A. Villas
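
Added example (not part of the original thread, and not ISC code): a small Python model of the null handling Simon Hobson describes above, where comparing an absent option gives an unknown result and "or" with unknown stays unknown. None stands for absent/unknown; the option values and sample requests are constructed for illustration.

```python
# Model of the match semantics described in the thread (an assumption-based
# illustration, not dhcpd itself). None = option absent / result unknown.

def eq(left, right):
    """'=' comparison: unknown if either side is absent."""
    if left is None or right is None:
        return None
    return left == right

def or_(a, b):
    """'or' as described in the reply: unknown if either operand is unknown."""
    if a is None or b is None:
        return None
    return a or b

def pick_first_value(*exprs):
    """First operand that is not absent, else None."""
    return next((e for e in exprs if e is not None), None)

def naive_match(pkt, x, y):
    # match if (A = "X") or (B = "Y")
    return or_(eq(pkt.get(61), x), eq(pkt.get(82), y))

def guarded_match(pkt, x, y):
    # match if (pick-first-value(A,"") = "X") or (pick-first-value(B,"") = "Y")
    a = pick_first_value(pkt.get(61), "")
    b = pick_first_value(pkt.get(82), "")
    return or_(eq(a, x), eq(b, y))

# Constructed sample requests: option number -> value (hypothetical values).
X, Y = "client-01", "circuit-7"
REQUESTS = {
    "61 only": {61: "client-01"},
    "61 and 82": {61: "client-01", 82: "circuit-7"},
    "82 only": {82: "circuit-7"},
    "neither": {},
    "wrong 61, no 82": {61: "client-99"},
    "right 61, wrong 82": {61: "client-01", 82: "circuit-9"},
}

def evaluate():
    """Per request: (joins class with naive form, joins class with guarded form).
    Only a definite True puts the client in the class."""
    return {name: (naive_match(p, X, Y) is True, guarded_match(p, X, Y) is True)
            for name, p in REQUESTS.items()}

if __name__ == "__main__":
    for name, (naive, guarded) in evaluate().items():
        print(f"{name:20} naive={naive!s:5} guarded={guarded}")
```

The last constructed request shows that an "or" of the two comparisons admits a client whose option 61 matches even though its circuit-id does not, which is not the same as requiring both to match.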