Hi, is anyone using DHCP in their production network?
We are tuning the Option 82 feature of Radius right now, please provide feedback if you need it, guys.
The Option 82 usage:
First scenario - the customer MAC/IP is linked to a certain Switch + Port. When the customer uses his device to connect to a different port on the Switch, he doesn't get access. This can be set up for PPPoE as well.
Second scenario - Radius ignores the MAC in the DHCP request and accepts all MAC addresses that are sent from a defined Switch + Port value. It means you connect the customer to a port and give him a certain pool of IPs; the customer can connect a router or switch to your equipment and there is no MAC filtering, you just enable the port for the user.
(In the second scenario it is good to have a max. number of MACs on one port; Radius can limit it, or the switch itself can, for example in a Cisco switch it's the command switchport port-security maximum.)
Description:
When a switch (or even RouterOS in DHCP Relay mode) sends the DHCP request to Radius, it adds two options: Agent-Remote-Id and Agent-Circuit-Id.
Agent-Remote-Id - identifies the switch itself. Agent-Remote-Id is very simple; almost all vendors send the main MAC address of the switch.
It can be changed to a string. For example in Mikrotik we can define a name with the Add-Relay-Option command.
In Cisco it's the command ip dhcp snooping information option format remote-id ASW1, where ASW1 is a custom name/string.
Agent-Circuit-Id says where the customer sits - VLAN and port number.
Different vendors process it in different ways.
Cisco: Agent-Circuit-Id = 0x000403230001.
The first 4 bytes are internal values and the last 6 bytes we can use. 03230001 means: 0323 - number of VLAN, 00 01 = Ether 0/1.
Mikrotik RouterOS sends the MAC address of the physical port where the customer is connected, no VLAN information.
What I see is that this feature is not that cool in a wireless environment.
It's used mainly in a design where customers connect to a switch. The switch can be connected to the ISP via fiber or through wireless. Then option 82 works well and makes sense - a customer can be linked to one port. It provides security and a simple setup option.
In the scenario of 90% of WISPs, customers are connected this way: Customer router/PCs -> CPE -> Wireless -> AP, and option 82 is not that cool. The idea is that when the CPE runs in bridge mode, DHCP says - OK, the request is from CPE1 (based on Agent-Remote-Id), I allow customers to get IPs from my pool.
But when the CPE runs as a bridge - a UBNT CPE cannot add Option 82 to the DHCP request, and a Mikrotik CPE cannot add it in bridge mode either, only in routing mode with a Relay setup.
The second option is to add the DHCP information in the AP, but UBNT doesn't support it and Mikrotik doesn't allow identifying the CPE; it only sends the MAC of the Relay interface where the CPE is connected.
What kind of GPON equipment? Let's check whether the model supports it somehow.
As far as I know, all GPON vendors have their own OLT management interface, commands and logic.
I use DHCP as part of IPoE in Wireless Distribution.
I think adding this feature is interesting.
Some IPoE equipment inserts Circuit IDs inline in CPE DHCP requests on the way to the DHCP Server.
It's also interesting for our Baicells connector.
Using this feature, you could build an easy Perimeter Fence System just by checking the connection entry point and comparing it to a filter in the DB of the Client (additional field?).
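As an added illustration of the two scenarios in the opening post (MAC bound to one switch + port; any MAC accepted from a defined switch + port with a per-port MAC limit) and of the "perimeter fence" check Heiko describes (compare the connection entry point against a filter stored per client), here is a small Python decoder and policy check. It is example code written for this thread, not Splynx or Radius code. It assumes the Cisco-style Agent-Circuit-Id layout quoted above (00 04, then VLAN in two bytes, then module and port) and an Agent-Remote-Id that is either the switch MAC or a custom string such as ASW1; the DHCP requests and the binding tables are constructed for the example.

```python
"""Decode DHCP Option 82 (Relay Agent Information, RFC 3046) and apply the
two binding policies discussed in the thread. Example code, not from Splynx
or any vendor; packet bytes and binding tables below are constructed."""
from dataclasses import dataclass

SUBOPT_CIRCUIT_ID = 1   # Agent-Circuit-Id sub-option code (RFC 3046)
SUBOPT_REMOTE_ID = 2    # Agent-Remote-Id sub-option code (RFC 3046)


def parse_option82(data: bytes) -> dict[int, bytes]:
    """Split the Option 82 payload into {sub-option code: raw value}.
    Sub-options are TLVs: one byte code, one byte length, then the value."""
    subopts: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subopts[code] = value
        i += 2 + length
    return subopts


def decode_cisco_circuit_id(raw: bytes) -> tuple[int, int, int]:
    """Cisco layout from the thread: 00 04, VLAN (2 bytes), module, port.
    0x000403230001 -> VLAN 0x0323 = 803, module 0, port 1 (Ether 0/1)."""
    if len(raw) != 6 or raw[0] != 0x00 or raw[1] != 0x04:
        raise ValueError("not a Cisco-style circuit id")
    return int.from_bytes(raw[2:4], "big"), raw[4], raw[5]


def decode_remote_id(raw: bytes) -> str:
    """Remote-Id is a printable custom string (ASW1) or a raw switch MAC."""
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class Location:
    """The entry point a request came through: switch + VLAN + module/port."""
    remote_id: str
    vlan: int
    module: int
    port: int


def location_from_option82(data: bytes) -> Location:
    subs = parse_option82(data)
    if SUBOPT_CIRCUIT_ID not in subs or SUBOPT_REMOTE_ID not in subs:
        raise ValueError("relay agent did not send both sub-options")
    vlan, module, port = decode_cisco_circuit_id(subs[SUBOPT_CIRCUIT_ID])
    return Location(decode_remote_id(subs[SUBOPT_REMOTE_ID]), vlan, module, port)


# Constructed tables standing in for the per-client "filter" field in the DB.
# Scenario 1: this customer MAC may only appear on this switch + port.
MAC_BINDINGS = {"aa:bb:cc:00:00:01": Location("ASW1", 803, 0, 1)}
# Scenario 2: any MAC on this switch + port gets the pool, up to max_macs.
PORT_POOLS = {Location("ASW1", 803, 0, 2): ("10.20.0.0/24", 2)}


def evaluate(client_mac: str, option82: bytes,
             macs_seen: dict[Location, set[str]]) -> tuple[bool, str]:
    """Return (accept, reason). macs_seen is the server's per-port MAC table."""
    loc = location_from_option82(option82)
    bound = MAC_BINDINGS.get(client_mac)
    if bound is not None:                      # scenario 1: fixed port
        if bound == loc:
            return True, f"scenario 1: {client_mac} is on its bound port {loc}"
        return False, f"scenario 1: {client_mac} bound to {bound}, seen on {loc}"
    pool = PORT_POOLS.get(loc)                 # scenario 2: open port + limit
    if pool is None:
        return False, f"no policy for entry point {loc}"
    pool_name, max_macs = pool
    seen = macs_seen.setdefault(loc, set())
    if client_mac not in seen and len(seen) >= max_macs:
        return False, f"scenario 2: {loc} already has {max_macs} MACs"
    seen.add(client_mac)
    return True, f"scenario 2: assign {client_mac} from {pool_name}"


def build_option82(vlan: int, module: int, port: int, remote_id: bytes) -> bytes:
    """Constructed Cisco-style Option 82 payload for the demo requests."""
    circuit = bytes([0x00, 0x04]) + vlan.to_bytes(2, "big") + bytes([module, port])
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def demo() -> list[tuple[bool, str]]:
    state: dict[Location, set[str]] = {}
    port1 = build_option82(803, 0, 1, b"ASW1")   # the 0x000403230001 example
    port2 = build_option82(803, 0, 2, b"ASW1")
    requests = [
        ("aa:bb:cc:00:00:01", port1),  # bound MAC on its own port -> accept
        ("aa:bb:cc:00:00:01", port2),  # same MAC moved to another port -> reject
        ("de:ad:be:ef:00:01", port2),  # unknown MAC on a pool port -> accept
        ("de:ad:be:ef:00:02", port2),  # second MAC on that port -> accept
        ("de:ad:be:ef:00:03", port2),  # third MAC exceeds max_macs=2 -> reject
        ("de:ad:be:ef:00:03", port1),  # unknown MAC on a bound-only port -> reject
    ]
    return [evaluate(mac, opt, state) for mac, opt in requests]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

Note that the per-port MAC limit here is only enforced in the server's own table; a Cisco switch enforcing switchport port-security maximum, as mentioned above, stops the extra MAC before the request ever reaches Radius, which is the more robust place for it.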
Hi Heiko, yes, some CPE equipment can add the Circuit ID/Remote ID information. I think it's useful when your CPEs are in Bridge mode and you just allow the customer router/PC to connect directly and get an IP address. Very straightforward authentication.
BUT
As far as I know, Mikrotik can only do it when the router is in routing mode and DHCP relay is enabled.
UBNT cannot do it at all; I checked their forum and docs.
I read that Cambium has this feature, which is nice and just shows that Cambium is on a different level.
So, UBNT is now beta testing Option 82 support in the Airmax AC platform… Supposing it passes the right information, will Splynx be able to use the Mikrotik DHCP server with Radius to make it work? Better yet, can we have a DHCP server right on the Splynx server and point DHCP Relay to it? Then we could use the feature with ANY router platform…
I have asked Mikrotik repeatedly to fix this and follow the RFC, even to add DHCP Option 82 with Snooping to RouterOS. Apparently it's on the list of features to implement, but they are taking their time…
The challenge now is how to differentiate DHCP assignments to customers hooked to the same AP-bridge connected to the same PE port. I haven't tested the results of enabling option 82 on the Mikrotik ap-bridges though.