[Kea-users] Implementing Radius authentication through hooks

Baptiste Jonglez baptiste at bitsofnetworks.org
Mon Aug 7 06:53:06 UTC 2017


Hi,

We need Radius-based authentication based on the MAC address of the
client.  That is, given the MAC address of a DHCPv4/v6 client, we want to
hand out a pre-defined IPv4 address and IPv6 prefix.  If the client MAC is
not registered in Radius, it should get no IP address.

I started implementing this using the hooks system, but there is no
practical hook point I can use.  I am currently using the "lease_select"
hook point, basically doing this:

- if the client MAC exists in radius, overwrite the IP address in the
  existing lease passed by Kea to the callout;
- if the client MAC is unknown, set status to NEXT_STEP_SKIP.

The problem is that this happens *after* Kea has already selected a lease
in the pool.  So, it first needs a pool in the Kea configuration file
(which I don't need).  Also, for each client, Kea uses up one address of
the pool even though I subsequently overwrite the address of the lease.

For instance, the first client initially gets IPv4 address X.1, and I
overwrite it with address X.189.  Then, the second client initially gets
IPv4 address X.2, and I overwrite it with address X.77.  And so on: I'm
not sure what happens when the pool is exhausted.

Here is a log of address allocation showing what happens when the callout
overwrites the IPv4 address of a lease:

2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.alloc-engine/1941] ALLOC_ENGINE_V4_OFFER_NEW_LEASE allocation engine will try to offer new lease to the client [hwtype=1 96:ec:f8:ac:d8:bd], cid=[ff:f8:ac:d8:bd:00:01:00:01:19:8e:03:b5:7c:dd:90:30:f4:2f], tid=0x62eebb95
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4 get one host with reservation for subnet id 1 and IPv4 address X.X.X.2
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ALL_ADDRESS4 get all hosts with reservations for IPv4 address X.X.X.2
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ALL_ADDRESS4_COUNT using address X.X.X.2, found 0 host(s)
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.hosts/1941] HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4_NULL host not found using subnet id 1 and address X.X.X.2
2017-08-02 20:14:13.342 DEBUG [kea-dhcp4.dhcpsrv/1941] DHCPSRV_MEMFILE_GET_ADDR4 obtaining IPv4 lease for address X.X.X.2
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.callouts/1941] HOOKS_CALLOUTS_BEGIN begin all callouts for hook lease4_select
lease4_select: starting.
lease4_select: Client IP address: X.X.X.77
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.callouts/1941] HOOKS_CALLOUT_CALLED hooks library with index 1 has called a callout on hook lease4_select that has address 0x7fa3f9ce393 (callout duration: 0.081 ms)
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.callouts/1941] HOOKS_CALLOUTS_COMPLETE completed callouts for hook lease4_select (total callouts duration: 0.081 ms)
2017-08-02 20:14:13.343 DEBUG [kea-dhcp4.dhcpsrv/1941] DHCPSRV_MEMFILE_GET_ADDR4 obtaining IPv4 lease for address X.X.X.2
2017-08-02 20:14:13.343 INFO  [kea-dhcp4.leases/1941] DHCP4_LEASE_ADVERT [hwtype=1 96:ec:f8:ac:d8:bd], cid=[ff:f8:ac:d8:bd:00:01:00:01:19:8e:03:b5:7c:dd:90:30:f4:2f], tid=0x62eebb95: lease X.X.X.77 will be advertised


Fundamentally, this use-case differs from the user_chk example: user_chk
selects a subnet and lets Kea perform the lease allocation, while we want
to perform the lease allocation ourselves in the callout.

So, what about adding a hook point just before address allocation?  If the
callout returns an address (or IPv6 prefix), check that there is no active
lease that conflicts and just use it.  Otherwise, use the normal
allocation strategy.

Thanks and sorry for the long email,
Baptiste
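Added example, written for this page and not code from Kea or from the post above: a small stand-alone C++ model of the two pieces the message describes, the callout logic (known MAC gives a Radius-supplied address, unknown MAC gives NEXT_STEP_SKIP) and the server-side behaviour proposed for a hook point placed before pool allocation (use the callout's address after checking for a conflicting active lease, otherwise fall back to the pool). Every name here (RadiusDirectory, CalloutResult, LeaseDb, Pool, preAllocateHook, allocate, runScenario) and all addresses and MACs are assumptions of the model, not Kea's hooks API or data from the poster's network.

```cpp
// Added example, not Kea code: a model of the pre-allocation hook point
// proposed in the post.  All names and sample data are assumptions.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <string>

using Addr4 = std::uint32_t;   // IPv4 address in host byte order

constexpr Addr4 ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

struct Lease { std::string mac; Addr4 addr; bool active; };

using RadiusDirectory = std::map<std::string, Addr4>;  // MAC -> reserved address (stand-in for Radius)
using LeaseDb = std::map<Addr4, Lease>;                // address -> lease (stand-in for the lease DB)

// Minimal pool: a cursor over a contiguous range that skips active leases.
struct Pool {
    Addr4 first, last, next;
    std::optional<Addr4> take(const LeaseDb& db) {
        while (next <= last) {
            Addr4 a = next++;
            auto it = db.find(a);
            if (it == db.end() || !it->second.active) return a;
        }
        return std::nullopt;
    }
};

// What the callout hands back: an address to use, or "skip" (client unknown
// to Radius, it gets nothing), or neither (let the server allocate normally).
struct CalloutResult { std::optional<Addr4> addr; bool skip = false; };

// Callout side, mirroring the two cases in the post.
CalloutResult preAllocateHook(const std::string& mac, const RadiusDirectory& radius) {
    auto it = radius.find(mac);
    if (it == radius.end()) return {std::nullopt, true};   // unknown MAC -> NEXT_STEP_SKIP
    return {it->second, false};
}

enum class Outcome { Reserved, PoolAllocated, Conflict, Skipped, Exhausted };
struct Decision { Outcome outcome; std::optional<Addr4> addr; };

// Server side of the proposed hook point.  When the callout supplies the
// address, nothing is taken from the pool, which is the behaviour the post
// asks for; the pool is only consulted when the callout stays silent.
Decision allocate(const std::string& mac, const RadiusDirectory& radius,
                  LeaseDb& db, Pool& pool) {
    CalloutResult r = preAllocateHook(mac, radius);
    if (r.skip) return {Outcome::Skipped, std::nullopt};
    if (r.addr) {
        auto l = db.find(*r.addr);
        // Free, expired, or already held by this same client (renewal): use it.
        if (l == db.end() || !l->second.active || l->second.mac == mac) {
            db[*r.addr] = Lease{mac, *r.addr, true};
            return {Outcome::Reserved, r.addr};
        }
        return {Outcome::Conflict, std::nullopt};   // another client holds it: refuse, do not duplicate
    }
    if (auto a = pool.take(db)) {
        db[*a] = Lease{mac, *a, true};
        return {Outcome::PoolAllocated, a};
    }
    return {Outcome::Exhausted, std::nullopt};
}

// Constructed scenario with made-up MACs and addresses.
struct ScenarioResult {
    Decision registered, conflicting, unknown, renewal;
    std::size_t poolUsed;
};

ScenarioResult runScenario() {
    RadiusDirectory radius = {
        {"96:ec:f8:ac:d8:bd", ip4(10, 0, 0, 77)},
        {"02:00:00:00:00:02", ip4(10, 0, 0, 77)},   // deliberately clashes with the first entry
    };
    LeaseDb db;
    Pool pool{ip4(10, 0, 0, 1), ip4(10, 0, 0, 10), ip4(10, 0, 0, 1)};

    ScenarioResult s{};
    s.registered  = allocate("96:ec:f8:ac:d8:bd", radius, db, pool);  // gets .77
    s.conflicting = allocate("02:00:00:00:00:02", radius, db, pool);  // .77 already active: Conflict
    s.unknown     = allocate("02:00:00:00:00:03", radius, db, pool);  // not in Radius: Skipped
    s.renewal     = allocate("96:ec:f8:ac:d8:bd", radius, db, pool);  // same client renews .77
    s.poolUsed    = pool.next - pool.first;                           // pool never touched
    return s;
}

int main() {
    ScenarioResult s = runScenario();
    std::cout << "pool addresses consumed: " << s.poolUsed << "\n";
    return 0;
}
```

The conflict branch is the part worth copying into a real callout: a pre-defined address coming from an external directory must still be checked against the lease database, or two registered clients mapped to the same address (a directory mistake, or a stale entry) would both be told to use it.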