DHCP with RADIUS MAC Authentication

Julien TURELLO jturello at numeo.fr
Mon Nov 30 16:17:31 UTC 2009

Thank you for your responses.

I know MAC addresses can easily be spoofed, but the goal is especially to
have a uniform platform, technology independent, for authentication and

Now we have customers connected on many technologies, authenticating and
accounting on one RADIUS server, and we don't want to complicate this
architecture again...

The security is not so important for us with the DHCP, because the
technologies behind are especially 5ghz Alvarion Wireless, which is yet
secured (SSID, WPA encryption, proprietary wireless protocol...).

Many of our IT is based on our RADIUS server (billing, automatically
add/delete or enable/disable users, volume using statistics, etc.), so It
would save us a lot of time using the same architecture...  And another
important thing is the capability to keep a trace IP Adresses for possible
Police needs (very often!).

I've got Cisco routers and Mikrotik routers which can do that, but I don't
know how to manage Shared Network in the Cisco DHCP server, and in the
Mikrotik one there is no RADIUS accounting, just authentication...

I know that some linux/unix commercial appliance can do DHCP with RADIUS MAC
authentication, so maybe a radius client compatible with ISC dhcp exists? 


-----Message d'origine-----
De : dhcp-users-bounces at lists.isc.org
[mailto:dhcp-users-bounces at lists.isc.org] De la part de John Hascall
Envoyé : vendredi 27 novembre 2009 20:39
À : Users of ISC DHCP
Objet : Re: DHCP with RADIUS MAC Authentication 

| We are an ISP providing access on many technologies (WiFi, Wimax, xDSL,
| FTTH...). 
| In most cases we use PPPoE servers, but we have recently migrated some of
| our networks on an ISC DHCP server.
| Everything works great but I have to authenticate each CPE by MAC Address
| alreadyhave a RADIUS server working well) before offering a lease.
| I don't find any radius client for RedHat, CentOs or Fedora which could be
| able to do that...
| Is there any way to make this working?
| Julien TURELLO

> DHCP is not an authentication mechanism, as the MAC address can easily be
> spoofed.  But if you're looking to hand out addresses to just those with
> certain MAC addresses (as presented, unverified, to your DHCP server), you
> can use no "host" statements along with a "deny unknown".
> Frank

I believe the OP is asking about something like this:
   (the last one is the latest version)
but I have no idea what its current status is, and it certainly
isn't in any ISC DHCPD that I'm aware of.

John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory
IT Services, The Iowa State University of Science and Technology

dhcp-users mailing list
dhcp-users at lists.isc.org

More information about the dhcp-users mailing list