[Kea-users] Denying unknown clients?

Darren Ankney darren.ankney at gmail.com
Thu Feb 8 10:56:41 UTC 2024


Hi,

If you set reservations for clients that you want to be granted a
lease, then you can replace "require-client-classes": [] with
"client-class": "KNOWN" which will restrict to only "KNOWN" clients in
that subnet (see here:
https://kea.readthedocs.io/en/kea-2.4.0/arm/dhcp4-srv.html#pool-selection-with-client-class-reservations
and here: https://kea.readthedocs.io/en/kea-2.4.0/arm/classify.html#built-in-client-classes)

Thank you,
Darren Ankney
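As an added illustration (not part of either message above, and not ISC's own example), here is the questioner's minimal configuration reworked along the lines of the reply: the subnet carries a host reservation per permitted client, and the pool is guarded with the built-in KNOWN class, which is the form the linked "pool selection with client class reservations" section documents. The reply puts "client-class" on the subnet; the example guards the pool instead, because the KNOWN/UNKNOWN classes are only assigned after the host-reservation lookup, which runs after subnet selection. The interface name, hardware addresses, lease-file path and hook-library path are placeholders chosen for this example. Note that KNOWN is derived from host reservations, not from leases: a lease created through libdhcp_lease_cmds does not by itself make a client known, so each permitted client needs a reservation entry such as the one shown.

```json
{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": [ "eth0" ]
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/lib/kea/kea-leases4.csv"
    },
    "hooks-libraries": [
      {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
      }
    ],
    "subnet4": [
      {
        "id": 1,
        "subnet": "10.1.1.0/24",
        "pools": [
          {
            "pool": "10.1.1.10 - 10.1.1.128",
            "client-class": "KNOWN"
          }
        ],
        "reservations": [
          {
            "hw-address": "00:11:22:33:44:55",
            "ip-address": "10.1.1.20"
          },
          {
            "hw-address": "00:11:22:33:44:66"
          }
        ]
      }
    ]
  }
}
```

With this in place a client whose hardware address matches no reservation is not a member of KNOWN, so no pool in the subnet is usable for it and a DHCPDISCOVER from it goes unanswered, which is the "ignore them" behaviour asked for. Clients with a reservation that names an ip-address get that address; a reservation without one (the second entry) merely marks the client as known so it can take an address from the guarded pool. The file can be checked for syntax and semantic errors before restarting the daemon with kea-dhcp4 -t /path/to/kea-dhcp4.conf.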

On Wed, Feb 7, 2024 at 12:36 PM L. Pavljuk <lukas.pavljuk at sh.cz> wrote:
>
> Hello,
>
> I am currently in the process of migration from the old DHCPD server
> over to Kea. So far, I have most functionality carried over, as it was
> really simple, but one thing still eludes me.
>
> DHCPD had the directive "deny unknown-clients"
>
> Can that be implemented in Kea? I create all the leases manually,
> through Kea's ctrl daemon and the hook library libdhcp_lease_cmds,
> so if I do encounter unknown clients, I'd rather just completely
> ignore them.
>
> ---
>
> I tried using require-client-classes, thinking it'd only offer an
> address from its subnet to clients who fall into the named class(es).
>
> E.g., a minimal configuration:
>
> {
>      "Dhcp4": {
>          "subnet4": [{
>                  "id": 1,
>                  "subnet": "10.1.1.0/24",
>                  "pools": [ { "pool": "10.1.1.10 - 10.1.1.128" } ],
>                  "require-client-classes": [
>                      "eligible-client"
>                  ]
>              }
>          ],
>          "client-classes": [{
>                  "name": "eligible-client",
>                  "test": "member('KNOWN')"
>              }
>          ]
>      }
> }
>
> In the logs, I can see the class being evaluated as false, yet, DHCP
> Requests still get an offer from the subnet.
>
> My best guess is that it's because the packet arrived to an interface
> from the 10.1.1.0/24 range.
>
> The behavior does not change even if I invert the logic and create a
> second, random subnet with require-client-classes set to an
> "unknown-clients" class, defined with a test of not being a member of
> the KNOWN class: the first subnet is still being used.
>
> The only other idea I have is to solve this issue externally, through
> iptables, filtering for known MAC addresses only... Before I do, I'd
> appreciate any pointers on whether this is possible in Kea after all,
> and if so, then how.
>
> Platform: Linux
> Distribution: Debian 12 Bookworm
> Kea version: 2.2.0-6 (Installed from the distribution's package archives)
>
> Thank you!
> ~L. Pavljuk
