[DHCP] RE: Determining request

Glenn Satchell Glenn.Satchell at uniq.com.au
Wed Jan 6 04:07:22 UTC 2010


>Date: Tue, 05 Jan 2010 20:37:58 -0700
>From: "Ashley M. Kirchner" <ashley at pcraft.com>
>
>Glenn Satchell wrote:
>> If you wanted to keep it real low-tech you could even add another NIC
>> to the Fedora box, a small hub or switch and plug the WAPs into that.
>> Then use a different IP address range for that.
>>   
>    No, they need to remain in the same subnet as everything else.  All 
>I want to do is to stop unknown *wired* devices from automatically 
>getting shoved into the wireless pool because it does allow unknown 
>devices.  That's what DHCPd is doing right now.
>
>    A

Ok, that makes it a lot harder.

You need a way to distinguish the wireless clients from wired clients.
As far as dhcpd is concerned, they all look like some client out on
your network requesting an address. There's no magic flag that says
ethernet or wireless in the dhcp packets, and even if there was the
client could fake it if they tried hard enough.

Using a different subnet is one way to do it easily ("requests from
this subnet are wired, and this subnet are wireless"), but if they must
stay on the same subnet then you need another way to differentiate
them.

Off the top of my head there are a couple of possibilities:

Use the vendor part of the MAC address (first three octets). This
requires knowing in advance all the likely wireless client vendors you
will be dealing with (i.e., this is pretty hard and not always accurate -
you could miss some) and requires work to keep it up to date.

Set up a relay agent on either the switch or the WAP and get it to add
the agent.circuit-id option (the so-called option-82 settings). Then use
the option value to put them in a class which you allow in the wireless
pool, and deny in the wired pool.

# dhcpd.conf: clients whose relay agent stamped this circuit-id
class "wireless" {
  match if option agent.circuit-id = "some value";
}

There may be other ideas I haven't thought of.

regards,
-glenn
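The two classification rules above (vendor OUI and option-82 circuit-id) can be exercised offline to see exactly what dhcpd's `hardware` and `option agent.circuit-id` expressions look at on the wire. The following is an added example, not code from the original thread or from ISC dhcpd: it builds constructed DHCPDISCOVER packets, parses the relay agent information option (82) sub-options, and applies the same decision the classes would make. The circuit-id `wap-port`, the remote-id `wap-1`, the OUI `00:11:22` and the MAC addresses are all assumed values for this example, not real vendor mappings.

```python
"""Classify DHCP clients the way the two dhcpd classes from the thread would.

Added example, not from the original post or from ISC dhcpd.  Circuit-id,
OUI and MAC values below are constructed for illustration.
"""
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes

# Policy knobs (assumptions for this example): the circuit-id the WAP/relay is
# configured to stamp, and one OUI you would have to look up for your own
# wireless client population.
WIRELESS_CIRCUIT_IDS = {b"wap-port"}
WIRELESS_OUIS = {bytes.fromhex("001122")}


def parse_tlvs(data: bytes, allow_pad_end: bool) -> Dict[int, bytes]:
    """Parse code/length/value triples: the DHCP option area (pad/end allowed)
    or an option-82 sub-option area (no pad/end).  Repeated codes are
    concatenated as RFC 3396 requires."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if allow_pad_end and code == OPT_PAD:
            i += 1
            continue
        if allow_pad_end and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def parse_packet(pkt: bytes) -> dict:
    """Extract the fields dhcpd's 'hardware' and 'option agent.*' expressions see."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    _op, htype, hlen, hops = struct.unpack_from("!BBBB", pkt, 0)
    giaddr = pkt[24:28]                       # set by a routed relay, 0 for an L2 one
    chaddr = pkt[28:28 + hlen]
    opts = parse_tlvs(pkt[240:], allow_pad_end=True)
    circuit_id = remote_id = None
    if OPT_RELAY_AGENT in opts:
        sub = parse_tlvs(opts[OPT_RELAY_AGENT], allow_pad_end=False)
        circuit_id = sub.get(SUB_CIRCUIT_ID)
        remote_id = sub.get(SUB_REMOTE_ID)
    return {"htype": htype, "hops": hops, "giaddr": giaddr, "chaddr": chaddr,
            "circuit_id": circuit_id, "remote_id": remote_id}


def classify(info: dict) -> str:
    """Same decision the two dhcpd classes would make."""
    # class "wireless" { match if option agent.circuit-id = "wap-port"; }
    if info["circuit_id"] in WIRELESS_CIRCUIT_IDS:
        return "wireless"
    # class "wireless-vendor" { match if substring(hardware, 1, 3) = 00:11:22; }
    # ('hardware' is the htype byte followed by the MAC, so offset 1 is the OUI)
    if info["chaddr"][:3] in WIRELESS_OUIS:
        return "wireless"
    return "wired"


def build_discover(chaddr: bytes, extra_options: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER: 236-byte BOOTP header, cookie, msg type, extras, END."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, len(chaddr), 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1]) + extra_options + bytes([OPT_END])


def relay_agent_option(circuit_id: bytes, remote_id: Optional[bytes] = None) -> bytes:
    """Option 82 exactly as a relay agent or DHCP-snooping switch appends it."""
    sub = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_RELAY_AGENT, len(sub)]) + sub


def demo() -> Dict[str, str]:
    """Four constructed packets.  'forged' is a wired host that wrote option 82
    itself and nothing on the path stripped it: the class cannot tell."""
    wifi_mac = bytes.fromhex("001122aabbcc")   # OUI listed in WIRELESS_OUIS
    other_mac = bytes.fromhex("deadbeef0001")  # OUI not listed
    packets = {
        "relayed": build_discover(other_mac, relay_agent_option(b"wap-port", b"wap-1")),
        "vendor_only": build_discover(wifi_mac),
        "plain_wired": build_discover(other_mac),
        "forged": build_discover(other_mac, relay_agent_option(b"wap-port")),
    }
    return {name: classify(parse_packet(pkt)) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, cls in demo().items():
        print(f"{name}: {cls}")
```

The matching dhcpd.conf side is the class shown in the post plus `allow members of "wireless";` in the wireless pool and `deny members of "wireless";` in the wired one. The `forged` case is the caveat: option 82 is an ordinary TLV in the client-writable option area, so the class is only as strong as whatever removes or rejects client-supplied option 82 before the packet reaches dhcpd (managed switches with DHCP snooping do this for untrusted ports; a plain hub does not).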
