External trigger for CoA


Users mailing list
Hi,

We'd like to trigger a CoA based on an external event. Is this possible?

There was a mail thread back in 2010; I was just wondering whether anything has changed since then:
http://freeradius.1045715.n5.nabble.com/Freeradius-COA-trigger-td3204376.html

I know the basic approach is to use radclient for that scenario. Unfortunately, radclient does not support TLS/RADSEC which is critical for us.

In case this is not currently possible, can we just implement that? Say to allow getting external events for example from RabbitMQ?

Thanks,
Vadim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: External trigger for CoA

Alan DeKok-2
On Sep 14, 2020, at 8:58 AM, Vadim Cargatser (vcargats) via Freeradius-Users <[hidden email]> wrote:
> We'd like to trigger a CoA based on an external event. Is this possible?

  Not really.

> There was a mail thread back in 2010; I was just wondering whether anything has changed since then:
> http://freeradius.1045715.n5.nabble.com/Freeradius-COA-trigger-td3204376.html

  FreeRADIUS isn't a web server, so it doesn't know that the admin clicked on something in a web UI.  The only way to do this is via RADIUS.

> I know the basic approach is to use radclient for that scenario. Unfortunately, radclient does not support TLS/RADSEC which is critical for us.
>
> In case this is not currently possible, can we just implement that? Say to allow getting external events for example from RabbitMQ?

  FreeRADIUS doesn't listen for events from RabbitMQ.  That's hard to add.  (Though in v4 it's likely a lot easier)

  The solution here is to use v3.0.x from GitHub, because earlier versions don't support CoA over TLS (oops).  Then, use radclient to send packets to FreeRADIUS.

  FreeRADIUS can receive the packets from radclient, and then forward them over TLS to another server.  See sites-available/coa-relay for an example.  You just have to define a home_server which uses TLS for CoA.

  Note that the server can only send CoA packets over connections to home servers.  i.e. connections where FreeRADIUS creates the outbound connection.

  CoA packets *cannot* be sent in the "reverse" path over TLS connections which the client made to FreeRADIUS.  There is no standard for how this should work.  I have patches, but they need testing.

  Alan DeKok.


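The relay Alan describes starts with a CoA-Request that radclient signs with the client's shared secret and that FreeRADIUS must verify before it relays anything over TLS. The following is an added example, not code from this thread or from FreeRADIUS: it builds and checks that RFC 5176 packet on both sides, with the secret, user name and session id as constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # packet codes, RFC 5176
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_SESSION_ID = 1, 4, 44  # RFC 2865/2866

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute values are 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_coa_request(ident, attrs, secret):
    """Sender side (radclient): authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_coa_request(packet, secret):
    """Receiver side (FreeRADIUS, before relaying): recompute with the local secret;
    a mismatch means the sender does not hold this client's secret, so drop it."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def build_coa_response(request, code, secret, attrs=()):
    """CoA-ACK/NAK: authenticator = MD5(Code+ID+Length+RequestAuthenticator+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_coa_response(request, response, secret):
    """Sender side: check the ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

Only the hop from radclient to FreeRADIUS is protected this way; on the relayed hop the home_server's own secret and the TLS session apply.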

Re: External trigger for CoA

Users mailing list
Thank you, Alan!

On 9/14/20, 4:06 PM, "Alan DeKok" <[hidden email]> wrote:

    On Sep 14, 2020, at 8:58 AM, Vadim Cargatser (vcargats) via Freeradius-Users <[hidden email]> wrote:
    > We'd like to trigger a CoA based on an external event. Is this possible?

      Not really.

    > There was a mail thread back in 2010; I was just wondering whether anything has changed since then:
    > http://freeradius.1045715.n5.nabble.com/Freeradius-COA-trigger-td3204376.html

      FreeRADIUS isn't a web server, so it doesn't know that the admin clicked on something in a web UI.  The only way to do this is via RADIUS.

    > I know the basic approach is to use radclient for that scenario. Unfortunately, radclient does not support TLS/RADSEC which is critical for us.
    >
    > In case this is not currently possible, can we just implement that? Say to allow getting external events for example from RabbitMQ?

      FreeRADIUS doesn't listen for events from RabbitMQ.  That's hard to add.  (Though in v4 it's likely a lot easier)

      The solution here is to use v3.0.x from GitHub, because earlier versions don't support CoA over TLS (oops).  Then, use radclient to send packets to FreeRADIUS.

      FreeRADIUS can receive the packets from radclient, and then forward them over TLS to another server.  See sites-available/coa-relay for an example.  You just have to define a home_server which uses TLS for CoA.

      Note that the server can only send CoA packets over connections to home servers.  i.e. connections where FreeRADIUS creates the outbound connection.

      CoA packets *cannot* be sent in the "reverse" path over TLS connections which the client made to FreeRADIUS.  There is no standard for how this should work.  I have patches, but they need testing.

      Alan DeKok.


