The Dynamic Host Configuration Protocol (DHCP) is a standard way for client devices to acquire an IP address and other configurations (DNS, Gateway, etc) on a network. This is particularly true in public access networks; as such, DHCP is integral to chilli, and always has been. Of course, it could certainly be more flexible. As it is now, you can’t really do much in the way of customizing your DHCP configurations. I have some ideas for CoovaChilli, and some DHCP discovery to share.
DHCP and MAC Authentication
MAC authentication is a common feature to access controllers that perform DHCP. It allows for authentication to take place automatically without the need of a captive portal or a web browser. CoovaChilli (and ChilliSpot) has the option to authenticate MAC addresses. Using this feature, initial DHCP requests made by the client trigger a RADIUS Access-Request. Subsequent DHCP requests from the client are granted with an authentication state based on the RADIUS response being Access-Accept or Access-Reject. That will change with the macauthdeny option, to have Access-Reject mean complete black-listing, but more could be done.
Here are the DHCP options found in a request from a Windows XP laptop (the Parameter Request List being the same in DHCP Discover messages):
Option 53: DHCP Message Type = DHCP Request Option 61: Client identifier Hardware type: Ethernet Client MAC address: 00:18:xx:xx:xx:xx (00:18:xx:xx:xx:xx) Option 12: Host Name = "laptop" Option 81: FQDN Flags: 0x00 A-RR result: 0 PTR-RR result: 0 Client name: laptop.coova.org Option 60: Vendor class identifier = "MSFT 5.0" Option 55: Parameter Request List 1 = Subnet Mask 15 = Domain Name 3 = Router 6 = Domain Name Server 44 = NetBIOS over TCP/IP Name Server 46 = NetBIOS over TCP/IP Node Type 47 = NetBIOS over TCP/IP Scope 31 = Perform Router Discover 33 = Static Route 249 = Classless static routes 43 = Vendor-Specific Information End Option
DHCP Option RADIUS Attribute -------------------------------- -------------------------------- Option 12: Host Name ChilliSpot-DHCP-Hostname Option 55: Parameter Request List ChilliSpot-DHCP-Parameter-Request-List Option 60: Vendor class identifier ChilliSpot-DHCP-Vendor-Class-Id Option 61: Client identifier ChilliSpot-DHCP-Client-Id Option 81: FQDN ChilliSpot-DHCP-Client-FQDN
Additionally, the VSA named ChilliSpot-DHCP-Options will be optional in either an Access-Accept or Access-Reject, carrying arbitrary options to append to the DHCP response. All attributes are binary octet strings and carry the DHCP options in raw form.
Attributes in the Access-Request contain the corresponding DHCP option value, whereas the ChilliSpot-DHCP-Options contains a list of options, packed as they are in a DHCP message. Combined with the existing support for the Framed-IP-Address RADIUS attribute for IP assignment, this method provides for a high level of DHCP configuration centralized in your RADIUS server.
DHCP Relay Gateway
As the MAC authentication feature has shown, there is no reason why chilli can’t delegate IP assignment. Then why not have chilli act as a DHCP forwarding agent? This would make it possible to centrally manage your DHCP configurations, using a more configurable server. CoovaChilli will be able to forward DHCP requests to a remote DHCP gateway, noting the IP assignment in the response.
This would open up many possibilities… including, perhaps, captive portal settings provisioned through a DHCP server!
Note: You can already use CoovaChilli with access points, like the Cisco Aironet, configured to forward DHCP to chilli.
WPAD and Proxy Autoconfigure
Windows has a feature (in Internet Options, Connections tab, LAN settings button, Automatically detect settings checkbox) whereby browser proxy configurations can be picked up automatically from a network. The Web Proxy Auto Discovery (WPAD) protocol provides browsers (primarily Windows Internet Explorer, and maybe others) with a proxy configuration file. This Proxy Auto-Config (PAC) file can configure the default proxy and can be scripted, as demonstrated in this example, as a banner ad buster. Not without some risks, the configuration is downloaded either based on a DHCP option or a DNS based web server (using the prefix “wpad.” and the system FQDN).
With Automatically detect settings enabled, you will also see the following requests:
Option 53: DHCP Message Type = DHCP Inform Option 61: Client identifier Hardware type: Ethernet Client MAC address: 00:18:xx:xx:xx:xx (00:xx:xx:xx:xx:xx) Option 12: Host Name = "laptop" Option 60: Vendor class identifier = "MSFT 5.0" Option 55: Parameter Request List 1 = Subnet Mask 15 = Domain Name 3 = Router 6 = Domain Name Server 44 = NetBIOS over TCP/IP Name Server 46 = NetBIOS over TCP/IP Node Type 47 = NetBIOS over TCP/IP Scope 31 = Perform Router Discover 33 = Static Route 249 = Classless static routes 43 = Vendor-Specific Information 252 = Proxy autodiscovery End Option
Replying to either the DHCP Discover, Request, or Inform messages specifying the Proxy autodiscovery option will inform Windows of the required WPAD URL:
Option 53: DHCP Message Type = DHCP ACK Option 1: Subnet Mask = 255.0.0.0 Option 3: Router = 10.1.0.1 Option 6: Domain Name Server IP Address: 126.96.36.199 IP Address: 188.8.131.52 Option 51: IP Address Lease Time = 15 minutes Option 54: Server Identifier = 10.1.0.1 Option 252: Proxy autodiscovery = "http://ap.coova.org/wpad.dat" End Option
With the option specified, and since DHCP takes priority over any DNS based WPAD source, Internet Explorer happily takes the configuration. Even though my Mac sends the following in a DHCP Discover message:
Option 53: DHCP Message Type = DHCP Discover Option 55: Parameter Request List 1 = Subnet Mask 3 = Router 6 = Domain Name Server 15 = Domain Name 112 = NetInfo Parent Server Address 113 = NetInfo Parent Server Tag 78 = Directory Agent Information 79 = Service Location Agent Scope 95 = Lightweight Directory Access Protocol 252 = Proxy autodiscovery Option 57: Maximum DHCP Message Size = 1500 Option 61: Client identifier (6 bytes) Option 51: IP Address Lease Time = 90 days Option 12: Host Name = "iMac" End Option
The Mac does not use the returned Proxy Autodiscovery option, at least not with Safari.
Still, interesting stuff… and could pose a problem if you are at a hotspot and your Windows laptop auto-configures a proxy server that is not accessible in the walled garden!