I have hundreds (yes, hundreds) of NC Connection Profiles which differ from each other in either the address range to be used or the DNS servers and domain search parameters to be used. Today, users get assigned to roles and subsequently to NC connection profiles based on information returned in the Radius Class attribute.
I'd like to simplify my SA configuration by moving this complexity to a DHCP server. I'd like to have a single role and NC connection profile which requests address assignment and DNS settings from a DHCP server. Ideally, I'd pass some identifier of the SA (address or name) and the Radius Class attribute to the DNS server, and it would respond with the information to configure the IP stack. I know I can pass options to the DHCP server, but I don't really understand how to put it together. I don't understand how to configure the SA, and I don't know what I might use for the DHCP server to make this scale to 30 SAs globally handing addresses out from a total of 4 /16 ranges. I'm thinking Infoblox appliances or some other DHCP appliance might do the job.
Anyone have any experience with this and want to give me some recommendations? Also, I understand that the SA does not return the DHCP-assigned address when the NC session ends. If a user logs in again while his/her lease is still valid, are they somehow re-assigned to the same address? Can the lease be renewed while the NC session is running?
I'd love for someone from Juniper to say they just wrote the definitive application note for using DHCP with NC and need people to review it. But I'll take help from anywhere.
Thanks -
Ken
Ken, I am doing this now (albeit not on such a scale). I'm using ISC dhcpd on CentOS 5.5, so my examples are from this environment. The setup requires two things: 1) identifying tag in the dhcp request and 2) classes defined in the dhcp server matching those tags.
In my configuration, I use tags 224 and 225 in the connection profile. 224 represents the realm/role, and 225 represents my SA. On my DHCP servers, I have classes defined that match these tags/values.
Here's my SA configuration for one role:
NC Connection profile Name: internal-profile
IP address assignment: DHCP
DHCP server: 10.11.12.84
DHCP options: 224 string internal; 225 string sslvpn
(the rest of the settings are immaterial)
On my dhcp server I define the following
    # Site-local option codes carried in the SA's DHCP request (must match the
    # "DHCP options" numbers in the NC connection profile)
    option ive-role code 224 = text;
    option ive-system code 225 = text;

    # Anything that is not an SA request
    class "local clients" {
        match if not (option vendor-class-identifier = "JNPR.IVE");
    }

    # SA requests from system "sslvpn" for users in role "internal"
    class "sslvpn internal clients" {
        match if ((option vendor-class-identifier = "JNPR.IVE")
                  and (option ive-system = "sslvpn")
                  and (option ive-role = "internal"));
    }

    subnet 10.11.12.0 netmask 255.255.254.0 {
        pool {
            allow members of "local clients";
            deny dynamic bootp clients;
            option routers 10.11.12.1;
            option subnet-mask 255.255.255.0;
            option domain-name "domain2.local";
            option domain-name-servers 10.11.12.84, 10.11.12_;
            option domain-search-order "domain2.local,tranzdata.local";
            range 10.11.12_ 10.11.12_.224;
        }
        pool {
            allow members of "sslvpn internal clients";
            deny dynamic bootp clients;
            option routers 10.11.12_.1;
            option subnet-mask 255.255.255.0;
            option domain-name "internaldomain.local";
            option domain-name-servers 10.11.12.84, 10.11.12_.85;
            option domain-search-order "domain2.local,internaldomain.local";
            range 10.11.12_.225 10.11.12_.254;
        }
    }
Also, the "JNPR.IVE" vendor-class-identifier is sent by the SA.
Any user who starts Network Connect logged into system 'sslvpn' and is assigned role 'internal' will be served addresses out of the 2nd pool defined above. Any user who logs in and is NOT assigned role 'internal' will be served addresses out of the 1st pool.
I haven't done this with Windows or Solaris DNS servers, so I don't know what any differences might be.
EDIT: multiple dhcp servers work fine (at least using ISC dhcpd failover)
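To sanity-check the class logic above before pointing a real SA at the server, here is an added example (not from the original post, and not Juniper or ISC code) in Python that encodes the options an SA would send under that connection profile, decodes them the way a DHCP server would, and applies the two class expressions from the dhcpd.conf above to pick a pool. The option codes 224/225, the "JNPR.IVE" vendor class and the strings "internal"/"sslvpn" come from the post; the packet contents, pool labels and helper names are assumptions made here. One thing worth checking against your own config: as the two classes are written, a JNPR.IVE request whose role is anything other than "internal" satisfies neither class, so it lands in no pool at all rather than the first one, and the example shows that case.

```python
"""Model of the DHCP option exchange and dhcpd class matching for an SA
Network Connect request. Constructed for illustration; not code from the
post. Codes 224/225 and the strings come from the post; everything else
(packet contents, pool labels, helper names) is an assumption."""
import struct

# Option codes: 60 is vendor-class-identifier (RFC 2132);
# 224/225 are the site-local codes chosen in the connection profile.
OPT_VENDOR_CLASS = 60
OPT_IVE_ROLE = 224      # "option ive-role code 224 = text;"
OPT_IVE_SYSTEM = 225    # "option ive-system code 225 = text;"
OPT_END = 255


def encode_options(opts):
    """Encode {code: bytes} as TLV DHCP options, terminated by option 255."""
    out = bytearray()
    for code, value in opts.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"bad option {code}")
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse TLV options as a server would: skip pad (0), stop at 255,
    and refuse a truncated option rather than reading past the buffer."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing end option")


def text(opts, code):
    """Option value as text (dhcpd's '= text' option type)."""
    return opts.get(code, b"").decode("ascii", "replace")


# The two class expressions, transcribed from the dhcpd.conf in the post.
def is_local_client(opts):
    # match if not (option vendor-class-identifier = "JNPR.IVE");
    return text(opts, OPT_VENDOR_CLASS) != "JNPR.IVE"


def is_sslvpn_internal_client(opts):
    # match if ((vendor-class-identifier = "JNPR.IVE")
    #           and (ive-system = "sslvpn") and (ive-role = "internal"));
    return (text(opts, OPT_VENDOR_CLASS) == "JNPR.IVE"
            and text(opts, OPT_IVE_SYSTEM) == "sslvpn"
            and text(opts, OPT_IVE_ROLE) == "internal")


# One pool per class, in the order they appear in the subnet block.
POOLS = [
    ("local clients", is_local_client),
    ("sslvpn internal clients", is_sslvpn_internal_client),
]


def select_pool(blob):
    """Name of the first pool whose class admits the request, or None
    (no pool admits it, so dhcpd would hand out no lease)."""
    opts = decode_options(blob)
    for name, matcher in POOLS:
        if matcher(opts):
            return name
    return None


def sa_request(role, system="sslvpn"):
    """Options an SA would send for a user in `role` under the profile above."""
    return encode_options({
        OPT_VENDOR_CLASS: b"JNPR.IVE",
        OPT_IVE_ROLE: role.encode(),
        OPT_IVE_SYSTEM: system.encode(),
    })


if __name__ == "__main__":
    print(select_pool(sa_request("internal")))                          # pool 2
    print(select_pool(encode_options({OPT_VENDOR_CLASS: b"MSFT 5.0"})))  # pool 1
    print(select_pool(sa_request("guest")))                             # no pool
```

Each role you want served from DHCP needs its own class and pool pair in this scheme, or a single catch-all class such as `match if (option vendor-class-identifier = "JNPR.IVE")` placed on a pool for SA users who match nothing more specific.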
Years ago I tried it and it worked well. It was real easy to do, no issue setting up. Handled leases properly, no user impact. I think my NC sessions were shorter than the leases. I also had a few extra class C IPs in case.
My problem was if the Microsoft DHCP server was not available all new NC stopped. So Juniper was up and no one got in until DHCP server was rebooted.
Awesome response!
Thanks for the help. As we apparently are both catching up on work on a US holiday, I appreciate the time you took to document what is working for you.
Ken