Linux – dhcpd class match on hostname or mac address

access-control-listdhcpdhcp-serverlinuxlinux-networking

We are running DHCPD 4.1.1-P1 on a RHEL 6 server. Currently we have 1 class defined for deny purposes. We now have a need for a class match to allow all devices that match a variable and deny everything else. Our current class config is as follows and we are matching on MAC address:

## Define denied

class "denied" {
match if substring (hardware,1,3) = 00:54:36;
}

And in the pool declaration we deny the class:

 pool {
            deny members of "denied";
            range 192.168.100.100 192.168.100.200;
    }

Our new class config will be as follows:

## Define denied

class "denied" {
match if substring (hardware,1,3) = 00:54:36;
}

class "allowed" {
match if substring (hardware,1,3) = 00:42:12;
)

With the pool declaration of:

 pool {
            allow members of "allowed";
            deny members of "denied";
            range 192.168.100.100 192.168.100.200;
    }

My first question is, would we need the deny class once we bring in the allow class? My understanding is that the allow implicitly denies everything else. Also, how could we class match our allow class by hostname instead of MAC address? In my research I have been unable to figure out what the statements would actually look like from the examples I have seen. In /var/lib/dhcp/dhcpd.leases we have 2 lines of possible interest for each lease written.

hardware ethernet xx:xx:xx:xx:xx:xx;
client-hostname "hostname";

I'm guessing here that the if we wanted to class match on hostname it would look something like this:

class "allowed" {
match if substring (client-hostname) = "hostname";
}

And the pool declaration would look like this:

pool {
            allow members of "allowed";
            deny members of "denied";
            range 192.168.100.100 192.168.100.200;
    }

So, summarizing my 2 questions again.

1) does an "allow member" statement in the pool declaration implicitly deny everything else and I would no longer need my deny statement?

2) What is the proper class match syntax to match on hostname?

Best Answer

For the first question:

does an "allow member" statement implicitly deny everything else ?

Well the question is answered in the manpage of dhcpd.conf:

If a pool has a permit list, then only those clients that match specific entries on the permit list will be eligible to be assigned addresses from the pool.
If a pool has a deny list, then only those clients that do not match any entries on the deny list will be eligible.
If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.

For the second question match on hostname

do you mean the hostname of the request or the hostname configured on your dhcp server ?

To react on the hostname sent, it should simply be

match if (option host-name = “foobar”);

or for a partial:

match if substring(option host-name,0,2) = “foo”;

Matching on the config-option doesn't seem to work

Related Solutions

How to get a Mac to request a new IP address from another DHCP server running in parallel while NetBooting

These look like logs from your local DHCP server, is that correct? If so, then it would be interesting to see an actual packet trace* to see what's really going on. It may be that the client isn't "storing" the lease at all; it may have gotten an Offer from the global DHCP server, and selected that.

I know Mac OS X's DHCP client, when presented with multiple DHCP Offers from multiple servers, tends to choose the one that has more DHCP Options defined in it. (This is generally a good heuristic for selecting a site's "real" DHCP server instead of being fooled by an accidental rogue DHCP server on the same network -- when someone accidentally enables DHCP service on a box, they generally haven't taken the time to configure it to include a bunch of DHCP Options.) HOWEVER, I don't know what the DHCP client in the Mac's EFI bootrom does when presented multiple offers. I doubt the EFI DHCP client (the DHCP client in ROM) is all that similar to the Mac OS X DHCP client (the DHCP client on disk).

If it turns out that the EFI DHCP client is choosing based on number of DHCP options, you could possibly work around the issue by padding your DHCP server with a bunch of options, like telling the clients what WINS server and NTP server and LDAP server and whatever else to use. You could probably browse the list of registered DHCP options and configure your DHCP server to provide a bunch that seem like they can't hurt.

If it really turns out the client is storing the DHCP lease in NVRAM, you should be able to could clear NVRAM by holding down Cmd-Opt-P-R at boot until you hear a second boot chime. (That's the old "Zap the PRAM" key combo that used to be occasionally necessary on 80's and 90's Macs, but nowadays is almost never useful, but still gets recommended way too often. In this case, however, you have a reasonable expectation that something stored in NVRAM is causing a problem for you, so this might be one of the rare times when it's reasonable.)

*For the packet trace, I'd recommend doing something like this on an independent machine hooked to a switch port that's configured to do port mirroring of the netboot client's switch port:

sudo tcpdump -i en0 -nevvvs0 '(udp port bootpc) or icmp or arp'

Or maybe:

sudo tcpdump -i en0 -nevvvs0 ether host $MACOfEn0

(where '$MACOfEn0' is the MAC address of the netboot client's en0, or whatever interface you're doing this netboot attempt over)

Cisco IOS: One SSID doesn’t pull from the correct DHCP pool

It looks like you have your AP using vlan ID 3 as its native vlan (untagged), while your router is using the default vlan 1 as its native vlan. Create a vlan 1 on your AP as the native vlan and this should correct this behavior.