dhcpd and known/registered hosts in fog



  • Hi everybody,

    so far, no dhcpd has been in use at the place where I work at the moment. The reason is that the IT guys over here do not want anybody to be able to just plug their own notebooks into a network-dose (right word?) and then be able to surf the internet.
    Since we are willing to roll out fog for all 450 computers we operate, we have to find out how to resolve this issue, because I think fog needs dhcp, and manually handling all the IP addresses is not the most elegant way.

    My idea was to use the isc-dhcp-server, which was configured by the fog-installer.

    There I would define a block of dhcp IP addresses which shall be used for fog operations, where the clients do not get a gateway (so they cannot go to the internet at this point, but can connect to the fog server).
    And I would define a block of dhcp-IP-addresses, where an internet-gateway is provided. But within this block I would use a deny unknown-clients; statement.

    My questions now are:

    • Is there another (perhaps more elegant) way to do this?
    • How do I get the MAC addresses of the hosts which have already been registered to the fog server into the dhcpd.conf (or another file which I can include in the dhcpd.conf)?
      Of course I could do a copy-paste thing, but there will be too many errors over time.
      Where are the hosts which are registered to fog stored? Do I have to write an SQL script that accesses the fog DB, or are there other tools to get this list automatically?

    Thanx in advance
    Cheers

    Rainer



  • @george1421 said in dhcpd and known/registered hosts in fog:

    select hostName,hmMAC,hmPrimary from hosts left join hostMAC on hosts.hostID=hostMAC.hmHostID where hostMAC.hmPrimary<>1;

    Works perfectly. Thank you again!
    Cheers

    Rainer


  • Moderator

    @tywyn Well there is another field that identifies the primary MAC address for each host. You may find that some computers have multiple MAC addresses (i.e. wired and wireless interfaces). Also we found that Win10 has a unique feature to create random MAC addresses (which is a pain for NAC/NAP).

    There is a field in the hostMAC table that indicates which MAC address is primary, but the query doesn't work like I expect, because the query is testing on the join product. One might think that this would work correctly:

    select hostName,hmMAC,hmPrimary from hosts left join hostMAC on hosts.hostID=hostMAC.hmHostID where hostMAC.hmPrimary=1;

    But it only returns rows with hmPrimary == 0.

    But this one does work correctly:
    select hostName,hmMAC,hmPrimary from hosts left join hostMAC on hosts.hostID=hostMAC.hmHostID where hostMAC.hmPrimary<>1;

    This is a really troubling way to get the right answer.

    [Edit]
    Even switching the query around to search on the mac table returns backwards.

    MariaDB [fog]> select hostName,hmMAC,hmPrimary from hostMAC join hosts on hosts.hostID=hostMAC.hmHostID where hostMAC.hmPrimary=1;
    +-----------------+-------------------+-----------+
    | hostName        | hmMAC             | hmPrimary |
    +-----------------+-------------------+-----------+
    | testsys1        | 00:50:56:94:f5:21 | 0         |
    | testsys2        | 00:50:56:87:3e:1e | 0         |
    | testsys3        | 00:50:56:87:b1:15 | 0         |
    | toma            | 90:b1:1c:60:d2:14 | 0         |
    | testsys5        | 00:0c:29:57:90:3b | 0         |
    | testsys9        | 80:19:34:11:13:3f | 0         |
    | testsys10       | 90:e2:ba:05:6e:a7 | 0         |
    | testsys21       | 90:e2:ba:05:6e:a6 | 0         |
    +-----------------+-------------------+-----------+


  • @george1421 said in dhcpd and known/registered hosts in fog:

    select hostName,hmMAC from hosts left join hostMAC on hosts.hostID=hostMAC.hmHostID;

    Hi George,

    thank you for the hint with the NAC systems. Sounds very interesting, but also like a big pile of work if you want to implement this :)
    Also thanx for the SQL statement. Works fine!!

    The only thing that I am not sure about: when I look at the list of hosts and MAC addresses, there are two hosts which have 2 MAC addresses: R222DOZENT and R222TN19.

    R222DOZENT 00:25:11:xx:xx:xx
    R222DOZENT 08:00:27:xx:xx:xx
    [...]
    R222TN01 00:25:11:xx:xx:xx
    R222TN02 00:25:11:xx:xx:xx
    [...]
    R222TN19 00:25:11:xx:xx:xx
    R222TN19 02:00:4c:xx:xx:xx
    R222TN20 00:25:11:xx:xx:xx
    [...]

    Strange thing is also what the second MAC address looks like: usually we have MACs starting with 00:25:11, and now I see 08:00:27:xx:xx:xx and 02:00:4c:xx:xx:xx.

    Cheers, Rainer


  • Moderator

    I have to say managing static IP addresses for 450 hosts is quite a big task. When I first read your post I said to myself "oh my god, that's a big job". This type of control is usually done with a NAC/NAP tool that will dynamically enable/disable network ports based on the identity of the plugged-in computer. Microsoft has a built-in NAP service, or you can use other tools. I've used another FOSS solution called packetfence to control what has access when someone plugs in a device.

    To your questions:

    1. Yes, use a NAC/NAP system to limit access.
    2. A quick way to get host information out of fog is to just use the export function in the host management page. Then import into Excel and parse the MAC addresses out. This SQL will help you get an output of host name vs MAC address:
       select hostName,hmMAC from hosts left join hostMAC on hosts.hostID=hostMAC.hmHostID;
       You can use it to write a script to automatically add the registered hosts into the isc dhcp server. It will take some bash programming skills, but it's possible. Your workflow will be to manually register hosts in FOG, then run the script to export the hosts to isc-dhcp.

    I would say your idea should work, but it may take more effort than you want to put in, and it is not the right tool to use to restrict access to your network.
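    As an added example (not code from this thread or from the FOG project), here is the kind of export script George suggests: a POSIX shell/awk filter that turns the hostName/hmMAC rows from the query above into ISC dhcpd host declarations, which is exactly what makes a machine "known" for the deny unknown-clients pool Rainer described. The include path, the input file name and the mysql invocation in the comments are assumptions; the sample rows in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FOG.
# Turn FOG's hostName/hmMAC rows into ISC dhcpd "host" declarations.
# Input on stdin, one tab-separated row per line, e.g. produced by
#   mysql -N -B fog -e 'select hostName,hmMAC from hosts left join hostMAC
#                       on hosts.hostID=hostMAC.hmHostID;'
# Write the result to a file and add  include "/etc/dhcp/fog-hosts.conf";
# to dhcpd.conf (the path is an assumption); hosts declared this way are
# "known", so a pool with "deny unknown-clients;" only serves them.
fog_hosts_to_dhcpd() {
    awk -F'\t' '
    # hosts without a hostMAC row come out of the LEFT JOIN as NULL: skip them
    NF < 2 || $2 == "" || $2 == "NULL" { next }
    {
        name = $1
        mac  = tolower($2)
        # accept only aa:bb:cc:dd:ee:ff; anything else is reported, not emitted
        if (length(mac) != 17 || mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])*$/) {
            printf "# skipped %s: invalid MAC \"%s\"\n", name, $2 > "/dev/stderr"
            bad++
            next
        }
        # dhcpd refuses a config that declares one MAC twice: keep the first
        if (mac in seen) {
            printf "# skipped %s: MAC %s already declared for %s\n", name, mac, seen[mac] > "/dev/stderr"
            bad++
            next
        }
        seen[mac] = name
        # host declaration names must be unique; a host with several NICs
        # (wired + wireless, like R222TN19 above) gets -2, -3, ... appended
        count[name]++
        label = (count[name] == 1) ? name : name "-" count[name]
        printf "host %s {\n  hardware ethernet %s;\n}\n", label, mac
        ok++
    }
    END { printf "# %d declarations written, %d rows skipped\n", ok + 0, bad + 0 > "/dev/stderr" }'
}

# Usage (file name is an assumption):
#   fog_hosts_to_dhcpd < fog-export.tsv > /etc/dhcp/fog-hosts.conf
```

    Run "dhcpd -t -cf /etc/dhcp/dhcpd.conf" after regenerating the include file so a bad export never takes the DHCP service down.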

