DHCP Authentication

Marco Amadori amadorim at vdavda.com
Wed Jul 2 13:54:23 UTC 2008


On Wednesday 02 July 2008, 10:17:31, Simon Hobson wrote:

> Thinking some more about this, I don't think it's going to be easy to
> achieve what you want without some interaction/help from the people
> who run the host network.

That is for sure, we just need to ask for as little as possible.

> You can't just fire up another DHCP server without upsetting the rest
> of the network. You can't use different ports without getting support
> from the routers.

I know we are allowed to fire up our server, I'm trying to ask them how many 
things we could do in our clients.

> IFF you can get the requisite support from the admins of the existing
> DHCP server, this is what I think your best bet is going to be :

> 1) Find something unique to your devices that you can identify them
> by. Worst case is to use a MAC list, but that gives ongoing
> management issues. If you could set a specific option (or vendor
> encapsulated option space) on your clients AND the host DHCP server
> can be configured to ignore clients that have this set then you have
> cracked the hardest part.

We can set a specific option both on our clients and our servers; our boards 
and server are under our complete control, even in operating system details.

> 2) You get the host DHCP server configured to ignore your clients.

This probably is too much.

> 3) You configure your new DHCP server to ignore all but your clients.

This is already done, although the identification is loose, as you saw in my 
previous mail where I showed a snippet of dhcpd.conf.

> If 2 is not possible, then it gets harder, and you'll have to look at
> configuring/hacking the client to ignore offers from a server that
> doesn't include some specific option.

Yes, I had this in mind too, I did not find out how to ignore a DHCP server 
which does not have this option set. (*)

> Not too dissimilar to what you started off asking for, but without
> requiring RFC<whatever> authentication support !

I'll always look forward to the complete solution while developing the basic 
one.

> So I suppose the next question for those familiar with the ISC client
> is : how hard would it be to configure it to ignore offers that don't
> include a certain option or vendor option space ?

You're right: (*) ?

-- 
ESC:wq
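
The client-side filter discussed in this message, as an added example (not code from the thread or from ISC DHCP): it parses the options field of a DHCPOFFER and accepts the offer only when vendor-encapsulated option 43 carries an agreed marker. The sub-option code, the marker value and the sample offers are constructed for illustration.

```python
PAD, END = 0, 255
MSG_TYPE, VENDOR_OPT = 53, 43   # option codes from RFC 2132
DHCPOFFER = b"\x02"
MARK_SUBOPT = 1                 # hypothetical sub-option code for this example
MARK_VALUE = b"our-dhcp"        # hypothetical marker our own server would send

def parse_tlv(data):
    """Parse code/length/value options; raise ValueError if truncated."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == PAD:             # single-byte padding, no length field
            i += 1
            continue
        if code == END:             # single-byte end marker
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # repeated codes are concatenated
        i += 2 + length
    return opts

def accept_offer(options):
    """True only for a well-formed DHCPOFFER that carries our marker."""
    try:
        opts = parse_tlv(options)
        if opts.get(MSG_TYPE) != DHCPOFFER:
            return False
        vendor = parse_tlv(opts.get(VENDOR_OPT, b""))
    except ValueError:
        return False                # malformed offers are ignored, not trusted
    return vendor.get(MARK_SUBOPT) == MARK_VALUE

def opt(code, value):
    return bytes([code, len(value)]) + value

# Constructed sample offers (options field only, after the magic cookie).
OUR_OFFER = (opt(53, DHCPOFFER) + opt(54, bytes([192, 0, 2, 10]))
             + opt(43, opt(MARK_SUBOPT, MARK_VALUE)) + bytes([END]))
HOST_OFFER = (opt(53, DHCPOFFER) + opt(54, bytes([192, 0, 2, 1]))
              + opt(3, bytes([192, 0, 2, 1])) + bytes([END]))
WRONG_MARK = opt(53, DHCPOFFER) + opt(43, opt(MARK_SUBOPT, b"other")) + bytes([END])
TRUNCATED = OUR_OFFER[:-4]          # option 43 claims more bytes than remain

if __name__ == "__main__":
    for name in ("OUR_OFFER", "HOST_OFFER", "WRONG_MARK", "TRUNCATED"):
        print(name, accept_offer(globals()[name]))
```

A marker option only separates the two servers' offers; it is sent in clear text and any host on the segment can copy it, so it does not replace DHCP authentication. For a presence-only check, ISC dhclient's `require` statement in dhclient.conf ignores offers that lack the listed options.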
