<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>Hi All,</div><div><br></div><div>I'm soliciting ideas on this case; as of the moment I have no concrete solution.</div><div>The idea is to authenticate a DHCP client against option 61 (dhcp-client-identifier) and option 82 (agent.circuit-id). </div>
<div><br></div><div>This is the required authentication flow:</div><div><br></div><div>1. class "ACL61+82" {</div><div> match option dhcp-client-identifier and option agent.circuit-id; </div><div> }</div><div>
</div><div> subclass "ACL61+82" "Option 61 + Option 82"; </div><div> </div><div> subnet 192.168.0.0 netmask 255.255.255.0 {</div><div> </div><div> pool {</div><div> allow members "ACL61+82 values"; </div>
<div> range 192.168.0.1 192.168.0.100;</div><div> }</div><div> }</div><div><br></div><div>2. class "ACL61" {</div><div> match option dhcp-client-identifier and option agent.circuit-id = null; </div><div>
}</div><div> </div><div> subclass "ACL61" "Option 61 values"; </div><div> </div><div> subnet 192.168.1.0 netmask 255.255.255.0 {</div><div> </div><div> pool {</div><div> allow members "ACL61";</div>
<div> range 192.168.1.1 192.168.1.100;</div><div> }</div><div> }</div><div><br></div><div>3. class "ACL82" {</div><div> match option agent.circuit-id and option dhcp-client-identifier = null; </div><div>
}</div><div> </div><div> subclass "ACL82" "Option 82 values"; </div><div> </div><div> subnet 192.168.3.0 netmask 255.255.255.0 {</div><div> </div><div> pool {</div><div> allow members "ACL82";</div>
<div> range 192.168.3.1 192.168.3.100;</div><div> }</div><div> }</div><div><br></div><div><br></div><div>Thank you very much.</div><div><br></div><div>Best Regards,<br>Lyndon</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Message: 5<br>
Date: Thu, 20 Mar 2014 16:33:32 +0800<br>
From: lyndon villas <<a href="mailto:sox316@gmail.com">sox316@gmail.com</a>><br>
To: <a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
Subject: Re: dhcp-users Digest, Vol 65, Issue 11<br>
Message-ID:<br>
<CAFnSxQnA=<a href="mailto:5dntFLGuOFCgkk5fgiqLsxjEPLWyorTueeG6oFLJQ@mail.gmail.com">5dntFLGuOFCgkk5fgiqLsxjEPLWyorTueeG6oFLJQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
><br>
> Hi Patrick,<br>
><br>
<br>
Here's what I want to accomplish:<br>
<br>
1. Check if the Option 61 value is in the class entry (ex.<br>
client-circuitid_class). If YES, then check if Circuit-id is<br>
available; if no Circuit-id, please assign IP address from IP Pool.<br>
<br>
2. If both Option 61 and Circuit-ID are present, compare it to the<br>
class entry (e.g. client-circuitid_class). If it matches the entry, please<br>
assign IP address from IP Pool.<br>
<br>
3. Option 61 is not defined (null) but Circuit-id is available and can<br>
be found in the class entry (e.g client-circuitid_class), please assign IP<br>
address from IP pool.<br>
<br>
I hope this pseudocode helps.<br>
<br>
Best Regards,<br>
Lyndon<br>
<br>
<br>
<br>
<br>
<br>
><br>
> Message: 2<br>
> Date: Tue, 18 Mar 2014 09:22:02 +0000<br>
> From: Patrick Trapp <<a href="mailto:ptrapp@nex-tech.com">ptrapp@nex-tech.com</a>><br>
> To: Users of ISC DHCP <<a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>><br>
> Subject: RE: Matching client DHCP request against Option 61 and Option<br>
> 82 (circuit id)<br>
> Message-ID:<br>
> <<a href="mailto:1D507D610594D14F86D40D77C17E9E6619E957A3@EXCHANGEDSB.ruralnex.com">1D507D610594D14F86D40D77C17E9E6619E957A3@EXCHANGEDSB.ruralnex.com</a><br>
> ><br>
> Content-Type: text/plain; charset="iso-8859-1"<br>
><br>
> Off the top of my head, I'm not remembering what Option 61 is, but I have<br>
> a fair bit of practice with match statements. Have you worked it out yet?<br>
> Do you have an obfuscated example of what you are trying to accomplish in<br>
> pseudocode to get the conversation started?<br>
><br>
> Something like<br>
><br>
> If Option 82 is "circuit-id-1", do something 1. If Option 82 is<br>
> "circuit-id-1" and Option 61 is present, do something 2. If Option 82 is<br>
> "circuit-id-2" and Option 61 is "option-61-first", do something 3.<br>
><br>
> More detail is better, especially if you have worked out part of the<br>
> config and we don't have to sweat that part. I'm at GMT-6, so I'm not sure<br>
> how well our schedules will mesh (it's rather early for me as I type this)<br>
> but if that's not a deterrent, let's see what we can do.<br>
><br>
> Patrick<br>
><br>
> ________________________________<br>
> From: dhcp-users-bounces+ptrapp=<a href="mailto:nex-tech.com@lists.isc.org">nex-tech.com@lists.isc.org</a>[dhcp-users-bounces+ptrapp=<br>
> <a href="mailto:nex-tech.com@lists.isc.org">nex-tech.com@lists.isc.org</a>] on behalf of lyndon villas [<a href="mailto:sox316@gmail.com">sox316@gmail.com</a>]<br>
> Sent: Monday, March 17, 2014 10:27 PM<br>
> To: <a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
> Subject: Matching client DHCP request against Option 61 and Option 82<br>
> (circuit id)<br>
><br>
> Hi All,<br>
><br>
> I'm trying to configure my DHCP server to match client request against<br>
> Option 61 and Option 82 circuit-id. Client request may also contain on<br>
> Option 61. I'm not a programming geek, your help in creating a match<br>
> statement is much appreciated.<br>
><br>
> Thanks in advance.<br>
><br>
> --<br>
> Regards,<br>
><br>
> Sox 316<br>
> ------------------------------<br>
><br>
> _______________________________________________<br>
> dhcp-users mailing list<br>
> <a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a><br>
><br>
> End of dhcp-users Digest, Vol 65, Issue 11<br>
> ******************************************<br>
><br>
<br>
<br>
<br>
--<br>
Regards,<br>
<br>
Lyndon A. Villas<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Thu, 20 Mar 2014 11:13:46 +0000<br>
From: Simon Hobson <<a href="mailto:dhcp1@thehobsons.co.uk">dhcp1@thehobsons.co.uk</a>><br>
To: Users of ISC DHCP <<a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>><br>
Subject: Re: dhcp-users Digest, Vol 65, Issue 11<br>
Message-ID: <<a href="mailto:9187E5B9-66E2-4C4E-8C95-CDA0F264A772@thehobsons.co.uk">9187E5B9-66E2-4C4E-8C95-CDA0F264A772@thehobsons.co.uk</a>><br>
Content-Type: text/plain; charset=iso-8859-1<br>
<br>
lyndon villas <<a href="mailto:sox316@gmail.com">sox316@gmail.com</a>> wrote:<br>
<br>
> Here's what I want to accomplish:<br>
><br>
> 1. Check if the Option 61 value is in the class entry (ex. client-circuitid_class). If YES, then check if Circuit-id is available; if no Circuit-id, please assign IP address from IP Pool.<br>
><br>
> 2. If both Option 61 and Circuit-ID are present, compare it to the class entry (e.g. client-circuitid_class). If it matches the entry, please assign IP address from IP Pool.<br>
><br>
> 3. Option 61 is not defined (null) but Circuit-id is available and can be found in the class entry (e.g client-circuitid_class), please assign IP address from IP pool.<br>
><br>
> I hope this pseudocode helps.<br>
<br>
<br>
It's not clear and consistent.<br>
<br>
1 says "If A and not B, then use A".<br>
<br>
2 says "If A and B then use 'it'" - without specifying whether 'it' is A or B !<br>
<br>
3 says "If B and not A then use B".<br>
<br>
A simpler way of writing it is "if A is present then use A, else if B is present then use B" (or swap A and B round depending on what 'it' is).<br>
<br>
<br>
You can use "pick-first-value" for this.<br>
If 'it' is A then use "pick-first-value(A,B)", or if 'it' is B then use "pick-first-value(B,A)". So your class selection becomes :<br>
<br>
match if pick-first-value(A,B)="some string";<br>
<br>
<br>
<br>
But you also don't specify what you want to match the options against. Are they to match against the same string (e.g. A or B or both would be the same string), or are they to compare against different strings (in which case the above won't work)?<br>
<br>
If you match against different strings (so the test is "A="X" or B = "Y") then I think you need a slightly more complicated selection.<br>
I'm not sure if just doing :<br>
match if A="X";<br>
match if B="Y";<br>
will work. If not, then you might have to do something like :<br>
match if (pick-first-value(A,"")="X") or (pick-first-value(B,"")="Y");<br>
<br>
The reason for the pick-first-value clauses here is that if A or B is not present, then the result of comparing it with anything is unknown - and logical ORing unknown with anything is unknown. So the pick-first-value clauses ensure that if A or B is not present, it's replaced with an empty string so that the OR clause will work.<br>
<br>
<br>
<br>
End of dhcp-users Digest, Vol 65, Issue 13<br>
******************************************<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Regards,<br><br>Lyndon A. Villas
</div></div>
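<div>The null-handling argument in Simon Hobson's reply above, worked through as an added example that is not part of the original thread and is not ISC dhcpd code. It models the evaluation rules as that reply states them (a comparison with a missing option is unknown, and OR with an unknown operand is unknown) and assumes an unknown result means the class does not match; the helper names and the sample requests are constructed for illustration.</div>

```python
NULL = None  # stands for "option absent" and for an unknown boolean result

def eq(left, right):
    """Comparison as described in the reply: unknown if either side is absent."""
    if left is NULL or right is NULL:
        return NULL
    return left == right

def or_(left, right):
    """OR as described in the reply: unknown if either operand is unknown."""
    if left is NULL or right is NULL:
        return NULL
    return left or right

def pick_first_value(*values):
    """Return the first argument that is not null, or null if all are."""
    for value in values:
        if value is not NULL:
            return value
    return NULL

def naive_match(req):
    # Models: match if A = "X" or B = "Y"
    result = or_(eq(req.get("opt61"), "X"), eq(req.get("opt82"), "Y"))
    return result is True  # assumption: an unknown result is not a match

def guarded_match(req):
    # Models: match if pick-first-value(A, "") = "X" or pick-first-value(B, "") = "Y"
    a = pick_first_value(req.get("opt61"), "")
    b = pick_first_value(req.get("opt82"), "")
    return or_(eq(a, "X"), eq(b, "Y")) is True

def fallback_key(req):
    # Models: pick-first-value(A, B), the single value compared to "some string"
    return pick_first_value(req.get("opt61"), req.get("opt82"))

# Constructed requests: opt61 is the client identifier, opt82 the circuit-id.
REQUESTS = {
    "61 only": {"opt61": "X"},
    "61 and 82": {"opt61": "X", "opt82": "Y"},
    "82 only": {"opt82": "Y"},
    "neither": {},
    "wrong values": {"opt61": "Q", "opt82": "Z"},
}

def evaluate():
    """Map each request name to (naive match, guarded match, fallback key)."""
    return {name: (naive_match(r), guarded_match(r), fallback_key(r))
            for name, r in REQUESTS.items()}
```

<div>In this model the unguarded OR admits only the request carrying both options, while the guarded form also admits the "61 only" and "82 only" requests and still rejects a request with neither option or with wrong values.</div>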