manualshive.com logo in svg

FNGi DHCPatriot Version 6, Operation Manual

Share
Download
FNGi DHCPatriot Version 6 Operation Manual Download Page 32

Chapter 6: Authenticated DHCP

Configuring Authenticated DHCP

Configuration of the DHCPatriot system for use with authenticated DHCP is slightly 
more involved than configuration for standard DHCP.  The following sections outline 
each element that must be configured in order to use authenticated DHCP.  Generally 
speaking: an Authentication server or servers must be specified; at least the default 
Captive Portal definition must be configured; a Shared Network must be setup; at least 
one Unauthenticated and one Authenticated subnet must be added.  Instructions for 
each of these things follow as well as other less mandatory things related to 
authentication including report viewing.  Not all topics are covered here as some are 
covered elsewhere in the manual in more appropriate sections.

Authentication Servers

There are two types of Authentication Servers, the internal (local) or built-in server, and 
an external RADIUS server.  
These two types of servers are 
generally mutually exclusive, 
however, there is nothing 
preventing you from configuring 
both in some type of failover 
manner, or using one for 
authentication and the other for 
accounting records.  To enter 
the Authentication server 
configuration area, expand the 
Auth DHCP Config menu and 
click on Authentication.  You 
should get a screen that looks 
like figure 6.1.

Please note that as of 5.3.0, 
two features have been 
addded.  A new packet, interim-update (ALIVE) accounting packets can be sent from 
the DHCPatriot system to the RADIUS server. Turning this setting on in System 
Configuration -> General Setup will cause the DHCPatriot system to send an ALIVE 
packet each time the lease is renewed.  This could be problematic on systems with 
many broken devices sending lots of renews rapidly.  Secondly, forwarding of RADIUS 
accounting packets to one or more arbitrary destinations has been added.  A new type 
of server (AFOR) has been added to the authentication setup.  The DHCPatriot does 
not wait for an accounting response with these types of destinations.  This feature can 
be used for sending accounting data to Sandvine or Procera   traffic shapers or various 
CALEA devices, for example.

Chapter 6: Authenticated DHCP

32

DHCPatriot Version 6 Operations Manual  This document © 2017 First Network Group Inc.  All Rights Reserved

Figure 6.1

Summary of Contents for DHCPatriot Version 6

Page 1: ...Operations Manual Version 6...

Page 2: ......

Page 3: ...17 Serial Console Access 17 Console from AUX on a Cisco 17 Console from an OCTAL cable connected to an ASYNC port 18 Console from a serial DB9 port on a standard PC 18 Secure Shell SSH Access 19 Conf...

Page 4: ...henticated DHCP 32 Configuring Authenticated DHCP 32 Authentication Servers 32 Internal Built in Authentication 33 External 33 Captive Portal 33 Adding 34 Editing 35 Removal 35 Shared Network Configur...

Page 5: ...ork Configuration 42 Shared Network 42 Adding 43 Editing 43 Removal 43 Dynamic Subnet 43 Adding 44 Editing 44 Disable 44 Removal 44 Static Subnet 44 Adding 45 Editing 45 Removal 45 Maintenance Subnet...

Page 6: ...1 Deny Mac Address 52 View Address Usage 52 Search Sessions 53 Possible hijacked IP Addresses 55 Chapter 9 DHCPv6 Configuration and Maintenance 56 IPv6 Primer 56 DHCPv6 Primer 57 Configuration and Mai...

Page 7: ...IP Delete 79 Sticky IP List 80 Built in Authentication 80 List Customers 80 Add Customer 81 Edit Customer 81 Suspend Customer 82 Enable Customer 82 Delete Customer 83 Change Password 83 Deny MAC Addre...

Page 8: ...s 93 Authentication Problems 95 Chapter 13 User Based Tasks for Customer Service 97 Suspend User 97 Built in Authentication User Maintenance 98 Adding a User 98 Editing a User 99 Suspending One or Mor...

Page 9: ...ome other backbone provider to link the customers to the Internet then a single DHCPatriot system cannot be used centrally in this situation An additional system will be needed for that separate pop I...

Page 10: ...ferent cable may be needed in your region The power supply will accept a standard PC cable from your region Please note that if the DC version is purchased it will not come with power cabling Two seri...

Page 11: ...customer network that consists of Ethernet based DSL For the purposes of this example we will assume that the DSLAM is providing only bridging services not routing On the Cisco 7200 the Ethernet from...

Page 12: ...ptional RADIUS server The optional RADIUS server will again respond with Access Accept The DHCPatriot system marks the device as being online in its database and sends an accounting start to the optio...

Page 13: ...ple the optional console server may be used in this example network allowing connection to the DHCPatriot for some administrative tasks Please note that as of 5 3 0 it is possible to configure a third...

Page 14: ...age notify First Network Group immediately Packed in the boxes are all the parts you should need to mount your server in a telco or server rack In addition to the parts listed in the packing list abov...

Page 15: ...ell ventilated Do not set up your DHCPatriot system in an area where heat electrical noise or electromagnetic fields are generated The area chosen must have close access to a grounded AC power outlet...

Page 16: ...e into an AC power outlet with the proper specifications The red crossover cable supplied is used to connect the devices to each other Connect the cable to the ports on each unit as shown in figure 3...

Page 17: ...s and Apple Mac systems implementations The pin assignment of the serial port and RJ45 port are supplied for use in other situations Console from AUX on a Cisco Plug one end of a Cisco flat black cabl...

Page 18: ...the right Attach this Null Modem shell to your favorite serial port on your standard PC laptops work great in this mobile type situation Microsoft Windows based instructions Using Hyperterminal or equ...

Page 19: ...ty certificate Click on Yes to allow Putty to permanently accept the certificate 6 A username prompt will appear Type the username admin and press enter 7 A password prompt will appear Type your passw...

Page 20: ...r the admin user This password is widely known at least among DHCPatriot system owners and should not be used after the IP address is set Once a suitable password is chosen press 7 and then enter to b...

Page 21: ...n NOTE It is important that both the primary and secondary DHCPatriot devices be set to the same domain name The next task to perform is setting the domain name At this point you should be back at the...

Page 22: ...e settings are applied immediately after receiving confirmation Type the number of the speed and duplex you wish to set and press enter The chosen setting will be displayed Press 1 to confirm and 0 to...

Page 23: ...enu to find the rule you wish to delete Then press 1 and then enter You will be prompted for a rule to delete Enter the number of the rule that you wish to delete Then press enter It should display de...

Page 24: ...e displayed It is up to you to interpret this output as the possibilities are to numerous to list here Web Administration Interface Account Setup NOTE perform these actions on only ONE of the DHCPatri...

Page 25: ...te and press enter You will get a confirmation message that the user was deleted and the list will refresh You will notice that the user is gone from the list You may continue to delete other users if...

Page 26: ...s point you should be logged in If you instead receive a password error verify that you entered the login and password correctly If you are still unable to login revisit the Menu Configuration Interfa...

Page 27: ...Devices are considered old and suspended when the time period you specified passes with no DHCP activity from the device Devices will be deleted after being suspended for the time period you specify P...

Page 28: ...s not checked then the user has access to only the Web Administration Interface The two Admin User Restriction Auth and Standard settings are used for restricting user access to certain networks This...

Page 29: ...when it asks if you are sure It is recommended that you not delete any rules that are marked FNGi as these are used by First Network Group to gain access to the devices to assist you in troubleshootin...

Page 30: ...ng the limit displayed entries box To open system logs open the System Configuration menu and then click on System Logs A screen similar to figure 5 3 will appear Select the appropriate entries and en...

Page 31: ...in figure 5 5 This has the function of visualizing and editing what apps can be accessed by what level of administrator The various apps will be grouped together by what admin level is currently set f...

Page 32: ...uring both in some type of failover manner or using one for authentication and the other for accounting records To enter the Authentication server configuration area expand the Auth DHCP Config menu a...

Page 33: ...servers in either a round robin or a failover configuration You can setup multiples of each type of authentication server access and accounting You can specify whether they are round robin or failove...

Page 34: ...Captive Portal definition will show a popup screen as shown in figure 6 4 and 6 5 respectively Please note that these will not change until Commit has been clicked when editing A new feature was added...

Page 35: ...the definition Click on OK The definition will be removed at that point Shared Network Configuration The DHCPatriot system can support one or more authenticated DHCP networks Each network can support...

Page 36: ...to choose a descriptive name The name can only contain dashes underscores and alpha numeric characters Choose the desired lease length The default 8 hours is a good choice but there are both higher a...

Page 37: ...ease lengths are available however Fill out the rest of the form according to the subnet values On screen help is available if needed Click on Commit and a new subnet will appear in the list at the bo...

Page 38: ...should be pretty straight forward Click on Commit Editing This is much the same as adding Click on the Edit link of the desired Authenticated Subnet and the form will be auto completed with the values...

Page 39: ...tic subnet configuration expand the Auth DHCP Config menu then click on Static Subnet A screen similar to that shown in figure 6 9 should appear Adding Choose the Shared Network that the Static Subnet...

Page 40: ...n in figure 6 10 simply expand the Auth DHCP Config menu and click on Maintenance Subnet A screen similar to the one in figure 6 10 should appear On this screen you can add edit or delete maintenance...

Page 41: ...name and password at the authentication window It also shows the current IP address and type if the user is currently online It also notes whether the user or device is assigned a static IP address St...

Page 42: ...t support broadcast DHCP on the local LAN local to the DHCPatriot but rather requires that the traffic be relayed through a router or some other relay agent Cisco devices become relay agents when the...

Page 43: ...red changes and click on Commit The changes should be reflected in the list at that point Removal To remove a Shared Network click on Delete A confirmation dialog will appear Click on OK and the Share...

Page 44: ...disabled subnet will no longer be available for leasing of IP Addresses It will still show up in the reports along with any users who currently have an IP Address out of the subnet but the users will...

Page 45: ...er may be set up as a DHCP relay agent by having ip helper address configured on an ethernet interface facing client devices If the primary IP address on that ethernet interface is NOT part of a DHCP...

Page 46: ...ed here They are covered here because it is assumed that systems administrators will be performing these tasks as opposed to tech support or customer service We thave grouped tasks common to those dis...

Page 47: ...based on MAC Address or Option 82 information Option 82 circuit id or remote id can be used to match the client In addition a TFTP file may optionally be specified To access Static IP Assignment expan...

Page 48: ...client s that need a boot file or configuration file of some kind If a TFTP server was specified in the Shared Network configuration and was further specified as local meaning that the DHCPatriot itse...

Page 49: ...ng you what is going to be changed and asking if you are sure This feature lets you change an assignment to a different file without visiting every single instance that is assigned to the file in both...

Page 50: ...ure 8 1 should appear Please note that the username field will not be available if accessed from Standard DHCP Please note that as of 5 3 0 static IP addresses assigned via RADIUS now show up in this...

Page 51: ...ed to clients by the DHCP server at all To access Exclude IP Address expand either the Auth DHCP Config or the Standard DHCP Config menu Click on Exclude IP Address A screen similar to figure 8 2 shou...

Page 52: ...e various functions should you need it View Address Usage The DHCPatriot system makes it easy to confirm the current and past status of the networks and subnets configured on the system The View Addre...

Page 53: ...screen you ll notice that each subnet is clickable Clicking a subnet will bring up a screen similar to figure 8 6 This screen shows a list of devices that currently are using an IP address The lease s...

Page 54: ...the equipment as shown in figure 8 7 Administrative notes about the device can also be added edited and viewed here To add or edit an administrative note click on the Add Edit Note link or if a note...

Page 55: ...ven an IP address by a DHCP server it will first do an arp request to find out if any device is using the IP address If it is found that another device is already using the address the client will sen...

Page 56: ...size of the entire planet It helps to understand that there is a fundamental philosophy change in IPv6 We no longer think in terms of a single address We think in terms of subnets And by subnet we mea...

Page 57: ...the number of households and businesses Here is a simple chart showing IPv6 size DHCPv6 Primer Most current clients that support IPv6 will have at least two modes of operation that can be set manual a...

Page 58: ...v4 address space which is 232 IP addresses A 48 is 280 IP addresses However it is designed to provide for future expansion in the end user s network Current standards also state that any subnet on any...

Page 59: ...DHCP server have some limitations which prevent the tracking of sessions and authentication as of 6 1 0 sessions are now tracked Customers taking advantage of the DHCPv6 features in the DHCPatriot sys...

Page 60: ...ally a prefix delegation may be specified under DHCPv6 IPv6 Prefix Delegation figure 9 5 Prefix delegation is necessary under IPv6 as NAT and private addresses can no longer be used by a customer rout...

Page 61: ...mically assigned via DHCPv6 or simply because you need a client to vacate a certain IP address for other purposes The DHCPatriot supports excluding an IP address from being assigned dynamically Enter...

Page 62: ...Sessions for DHCPv6 see Figure 9 9 Again this is a similar concept to its counterpart in DHCPv4 There are some key differences however On the search parameter side a new search target DUID is introdu...

Page 63: ...ddress 2001 db8 0 e8 ffff ffff ffff fffe Mar 8 21 06 47 patriot 2 dhcpd Sending Relay reply to 2001 db8 0 f b port 547 Exchanges such as this one above can be useful for noting that there was a DHCPv6...

Page 64: ...pened allowing access to services that may need monitoring and DHCP ranges will be created so that monitoring can be done of DHCP by actually performing DHCP operations This ensures that the service r...

Page 65: ...eturn the following status information about services as listed in the table below Disk Space OID 1 3 6 1 4 1 2021 51 1 4 1 2 9 68 73 83 75 83 80 65 67 69 1 This OID will return down 999 when disk spa...

Page 66: ...usDispatch 1309195954 1 3 6 1 4 1 2021 51 10 1 14 STRING patriot 1 syslogd 1309195984 1 3 6 1 4 1 2021 51 10 1 15 STRING patriot 1 tftpd 1309195984 1 3 6 1 4 1 2021 51 10 1 16 STRING patriot 1 todTCP...

Page 67: ...that are utilizing Authenticated DHCP The best way to monitor this service is by connecting to port 80 to see if some sort of data is returned The monitoring is available via SNMP however OID 1 3 6 1...

Page 68: ...ill return an integer equal to the average CPU percentage used on the device over a recent five minute interval Percentage of CPU Used for IO OID 1 3 6 1 4 1 2021 50 10 101 1 This OID will return the...

Page 69: ...Per Second OID 1 3 6 1 4 1 2021 50 46 This OID will return the average number of database queries per second over the most recent five minute interval This number is rounded to the nearest whole numbe...

Page 70: ...1 gateway address result from 1 3 6 1 4 1 2021 50 80 1 will retrieve used IP address number from the chosen subnet 1 3 6 1 4 1 2021 50 100 1 gateway address result from 1 3 6 1 4 1 2021 50 80 1 will r...

Page 71: ...e this 1 3 6 1 4 1 2021 50 100 1 10 31 128 1 INTEGER 253 Total Dynamic data per network 1 3 6 1 4 1 2021 50 110 1 2 for type of network auth standard will list all available dynamic networks for which...

Page 72: ...as well as total used IPs for each dynamic network For example using FNGiTEST ID of 15 This command will get the used dynamic IP addresses for FNGiTEST 15 snmpget On v1 c lnx snmp patriot 1 network1 n...

Page 73: ...DHCPatriot system also has an extensive health monitoring function that shows the current status of the system as well as some graphs This function shows all services that may be monitored and their c...

Page 74: ...hat is not to say that the server status should be thought of as a replacement for remote monitoring with a monitoring system It can be mistaken as it is all done via SNMP which is limited to noting t...

Page 75: ...istrators You should get a screen similar to figure 11 1 Fill out the name username and password or use encrypted password if you have a pre encrypted password to be used The encrypted password must b...

Page 76: ...a user to be suspended on the DHCPatriot system It will suspend all devices belonging to the specified username The default admin level required for this feature is five This feature behaves the same...

Page 77: ...User and clicking on Suspend Multiple Users The feature is accessed using a POST action string as follows https patriot domain cli function AuthMassSuspend username username password password note no...

Page 78: ...k1 net cli function SuspendEnable username apiuser password apipass action unsuspend user linux Success will present the text RETURN 1 Failure will present RETURN 0 with some text given below as a rea...

Page 79: ...yIPs action ADD Stickymac Stickyusername bobjim Stickyip 3 3 3 6 Stickynote Success will present the text RETURN 1 Failure will present RETURN 0 with some text given below as a reason for the failure...

Page 80: ...rsion 1 0 encoding UTF 8 result record username username mac 00 02 04 ff ee dd mac stickyip 1 2 0 55 stickyip note note record result Built in Authentication This API allows users to be configured in...

Page 81: ...ministration Interface The GET string to send is as follows https patriot domain cli function BAAddCustomer username user password pass identifier sometext u ser someuser pass somepass staticip someip...

Page 82: ...look like for suspending a customer https patriot network1 net cli function BASuspendCustomer username apiuser password apipass user jsmithso n Success will present the text RETURN 1 Failure will pre...

Page 83: ...r Auth DHCP Actions in the Web Administration Interface The GET string to send is as follows https patriot domain cli function BAChangePass username user password pass action changepass us er someuser...

Page 84: ...ma c MAC Here is an example of what a properly formatted URL might look like for removing a user from the list of denied MAC addresses https patriot alpha network1 net cli username apiuser password a...

Page 85: ...erly formatted URL that would return all session records not recommended is as follows https patriot network1 net cli function SearchSessions username apiuser password apipass action search user mac i...

Page 86: ...ser jim but only if his MAC address is 00 00 89 0c 51 13 and he is currently online and only if some part of the session overlapped the start stop time period given Get Network Config This API call wi...

Page 87: ...nown client assignments in the Web Administration Interface A sample of the result is shown below result record IDENT John Doe IDENT REMOTE_MAC 00 03 05 fc fe fa REMOTE_MAC tftp_file ID 1 ID record re...

Page 88: ...this works more like a replacement as you will need to fill out all of the fields with the values you want in the entry If the field is left blank then it will become blank in the entry A properly for...

Page 89: ...Standard Static Assignment can be found in the Web Administration Interface under Standard DHCP Actions Please note that an id of the appropriate subnet must be obtained from the Get Network Config A...

Page 90: ...the values you want in the entry If the field is left blank then it will become blank in the entry A properly formatted URL looks like https patriot network1 net cli function StaticIPassign username...

Page 91: ...er may also get an authenticated address this is usually a public address If the customer is getting a private unauthenticated address they have not yet registered or they are suspended If they cannot...

Page 92: ...is in the known client table Standard DHCP Actions Known Client on the Web Administration Interface Contact your network administrator if you have questions about this It could also be that the client...

Page 93: ...erience can be boiled down to either they cannot get an IP address to begin with or they cannot keep the IP address Things that might cause these problems can be boiled down to problems with the clien...

Page 94: ...he server This should only come from one of the servers but may come from both under certain circumstances The client should send a DHCPREQUEST for the offered address The server should respond with D...

Page 95: ...er try a different device to see if that resolves the problem As noted previously the above is not a comprehensive list nor does it give instruction of how to perform these operations on the client If...

Page 96: ...again 2 Cannot authenticate MAC registering to user USER at this time It is currently online The current session will expire at TIME 2 1 This means that the MAC address is already seen as online by th...

Page 97: ...int the user device s will be suspended and added to the list at the bottom Multiple users may be suspended by clicking on the Suspend Multiple Users link in the username field The username box will c...

Page 98: ...dding a User To add a user complete the form similar to the one shown in figure 13 2 Identifier is an optional field and should be used for the customer s name or some other identifying information su...

Page 99: ...sers will be suspended in the Auth DHCP Actions Suspend User area This note will be applied there and will be shown to the user on the Captive Portal screen Contact our Billing office at phone for exa...

Page 100: ...is no harm in leaving this here If further suspended users are deleted it will merely replace this data Built in Authentication User Import New in version 5 4 0 the DHCPatriot system now supports imp...

Page 101: ...on your hard drive that contains the csv file to import Choose the file and click OK Click on the Commit button The DHCPatriot will parse the file and display a preview of what it is going to import...

Page 102: ...has a static ip centreclean walleye 00 01 6C 52 8E 96 actrisco efy9 qr7 00 01 6C 67 5A 97 bbwessel BB w3ss3l 00 03 47 D1 C4 F0 westsidesauk azaz 00 03 6D 1A 64 F4 clarsue 8d y3cnw 00 04 5A 42 12 18 p...

Page 103: ...13 10 If there are any errors they will be displayed on this screen The imported user devices should appear in Auth DHCP Reports View Authenticated Devices Chapter 13 User Based Tasks for Customer Ser...

Page 104: ...p Inc 4 6 Perry St PO Box 1662 Wapakoneta OH 45895 DHCPatriot network1 net 800 578 6381 opt 3 DHCPatriot is a trademark of First Network Group Inc http www network1 net All other names and brands are...

Reviews:

No comments

Brands by name

Popular brands

Load more brands