[Kea-users] deny booting or ignore booting

Munroe Sollog mus3 at lehigh.edu
Fri Mar 22 13:54:32 UTC 2019


I'm going to start calling you Thomas "Scope Creep" Andersen. :) . In all
seriousness, we can talk about the value of NACs and sure there are some,
but it is clearly out of scope for lifecycling our dhcp server.

On Fri, Mar 22, 2019 at 9:06 AM Thomas Andersen <than at itu.dk> wrote:

> Hi,
>
>
>
> Installing a NAC for that purpose solely, would be overkill :)
>
> But when you have 35,000 devices, I would presume you already had some
> sort of NAC, to control/verify who’s on your network.
>
>
>
> That being 802.1x, Mac auth or CWP.
>
>
>
> We use clearpass for all network authentication, which has the option of
> blacklist mac addresses. Similar OpenSource like packetfence has the same
> featureset as ClearPass. More or less.
>
>
>
> Br,
>
> Thomas
>
>
>
> *From: *Munroe Sollog <mus3 at lehigh.edu>
> *Date: *Friday, 22 March 2019 at 13.03
> *To: *Thomas Andersen <than at itu.dk>
> *Cc: *Francis Dupont <fdupont at isc.org>, "KEA-Users (
> kea-users at lists.isc.org)" <kea-users at lists.isc.org>
> *Subject: *Re: [Kea-users] deny booting or ignore booting
>
>
>
> While I appreciate the suggestion. Installing a NAC to accomplish  similar
> functionality to one line of configuration in our DHCP server is kind of
> silly.
>
>
>
> On Fri, Mar 22, 2019 at 7:58 AM Thomas Andersen <than at itu.dk> wrote:
>
> Do you have a NAC or is it open network?
>
> I would prefer deny it when entering the network, not when asking for DHCP.
>
>
>
>
>
>
>
> Br,
>
> Thomas
>
>
>
> *From: *Kea-users <kea-users-bounces at lists.isc.org> on behalf of Munroe
> Sollog <mus3 at lehigh.edu>
> *Date: *Friday, 22 March 2019 at 12.42
> *To: *Francis Dupont <fdupont at isc.org>
> *Cc: *"KEA-Users (kea-users at lists.isc.org)" <kea-users at lists.isc.org>
> *Subject: *Re: [Kea-users] deny booting or ignore booting
>
>
>
> Perhaps random wasn't a good choice of words.  Given a MAC address we need
> a way of ensuring it does not DHCP.  I'm open to alternatives to the
> ignore/deny booting function.  Some sort of client classification?
>
>
>
> On Thu, Mar 21, 2019 at 7:43 PM Francis Dupont <fdupont at isc.org> wrote:
>
> Munroe Sollog writes:
> > isc dhcpd supports the concept of "deny booting" or "ignore booting".
> Kea
> > does not seem to support this concept.
>
> => this feature is not supported by Kea but you have other ways to get
> the same effect.
>
> > >From time to time we need to ensure that a random device does not get a
> > valid lease and is thus prevented from accessing our network (we enforce
> > DHCP at the access layer).  I found this:
>
> => as ISC DHCP booting keyword has a meaning only in a host reservation
> it is useless for a random device which by definition has no known
> identifier. Note if you want to ban unknown devices both ISC DHCP and
> Kea (since 1.5) provide a known/unknown client classification.
>
> > http://oldkea.isc.org/ticket/5229
>
> => replaced by https://gitlab.isc.org/isc-projects/kea/issues/239
>
> This ticket is a migration ticket: all features of ISC DHCP were
> analyzed:
>  - some can be translated (*) to Kea
>  - some are candidate to be added to Kea
>  - some have low interest (too specific, obsolete or unused, etc) (**)
> (*) There is a piece of software named the Migration Assistant which
> helps to translate ISC DHCP configurations to Kea. It is still in
> development but as we are looking for config samples to test and
> improve it you can contact us to know more...
> (**) #239 enters in the last category (priority low), the MA code emits
> a "no concrete usage known?" message when it finds the booting keyword.
>
> > I'm not sure what to make of this, but I tried creating a host
> reservation
> > without an IP address and kea errors with:
> >
> > specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include
> at
> > least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix,
> > options
>
> => yes if you have no address (nor prefix in IPv6) you need a hostname.
> Note here a host reservation is perhaps not the best feature: what you
> want is some kind of access list and for a negative access list a client
> class is better. Host reservations and KNOWN/UNKNOWN are faster for
> a positive (and large) access list.
>
> Regards
>
> Francis Dupont <fdupont at isc.org>
>
>
>
>
> --
>
> Munroe Sollog
>
> Senior Network Engineer
>
> munroe at lehigh.edu
>
> --
>
> Munroe Sollog
>
> Senior Network Engineer
>
> munroe at lehigh.edu
>


-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20190322/05ec4cdd/attachment.htm>


More information about the Kea-users mailing list