FreeRadius Accounting.

FreeRadius Accounting.

Pizu
Hi,

From the proxy.conf, is it possible to forward the accounting packets
towards multiple firewalls? Currently I am managing to send towards only
1 firewall and the LDAP group is not being forwarded.

Is it possible to have an example? I cannot find anything in the
documentation :(

Regards,

Pizu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius Accounting.

Alan DeKok-2
On Apr 7, 2021, at 12:06 PM, Pizu <[hidden email]> wrote:
> From the proxy.conf is it possible to forward the accounting packets
> towards multiple firewalls?

  See mods-available/replicate

> Currently am managing to send only towards only
> 1 firewall and the LDAP group is not being forward.

  LDAP-Group *cannot* go into a RADIUS packet.  That's just not how RADIUS works.

  Even if it could go into a RADIUS packet, the firewall wouldn't know what to do with it.

  You should instead explain what you're trying to do.  Maybe there's another way to do it.  Why does the firewall need LDAP-Group?  What will it do with it?  What part of the firewall documentation suggested that it would understand LDAP-Group?

  Alan DeKok.



Re: FreeRadius Accounting.

Pizu
Hi Alan,

Thanks for your reply.

Thanks for pointing out the replicate mod, will test it out.

What I mean with LDAP-Group is I need to forward the group name that is
assigned to the user towards the firewall (accounting) in order for the
firewall to open the access that is assigned. RSSO

Regards,

Pizu



Re: FreeRadius Accounting.

Alan DeKok-2
On Apr 7, 2021, at 1:15 PM, Pizu <[hidden email]> wrote:
> What I mean with LDAP-Group is I need to forward the group name that is
> assigned to the user towards the firewall (accounting) in order for the
> firewall to open the access that is assigned. RSSO

  So read the firewall documentation to see which attribute it needs.

  I can guarantee you that it's not LDAP-Group.

  Alan DeKok.


Re: FreeRadius Accounting.

Pizu
Hi,

I need to forward the class which will reflect to a group not the actual
LDAP-Group.

The firewall is expecting the Radius Accounting-Start attribute.

Example:
Acct-Status-Type=Start,Framed-Ip-Address=10.0.0.1,User-Name=user.name,Acct-Session-Id=0211a4ef,Class=usergroup1,Calling-Station-Id=00-0c-29-44-BE-B8

I hope I explained better now.

Regards,

Pizu



Re: FreeRadius Accounting.

Pizu
hmm.. something like: Class := "%{Group}" - correct?

Regards,

Pizu



Re: FreeRadius Accounting.

Pizu
Sorted :)

Regards,

Pizu



Re: FreeRadius Accounting.

Linux Threads
Hi Pizu,

Do you mind sharing what you did to get this sorted?

Regards

> Sorted :)
>
> Regards,
>
> Pizu



Re: FreeRadius Accounting.

Pizu
Hi,

Yes sure.. I am using unlang in post-auth.

    # (continuation of an if/elsif chain in the post-auth section)
    elsif (LDAP-Group == "AD - Group - 1") {
        update reply {
            # VLAN assignment for the 802.1X port
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "943"
            # Group name as configured on the firewall
            Class := "AD-Group-1"
        }
    }
    elsif (LDAP-Group == "AD - Group - 2") {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "943"
            Class := "AD-Group-2"
        }
    }
    # No group matched: default VLAN, no Class sent
    else {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "200"
        }
    }

The Class is the group assigned on the firewall. Like this I am matching an
AD group, assigning the VLAN with the 802.1x auth, then sending the group
towards the firewall and opening the access according to the group.


Regards,

Pizu


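
The thread never shows the `replicate` setup that Alan DeKok points to, so here is one way to copy accounting packets to two firewalls, as an added example that is not from the posters or the FreeRADIUS distribution. The Class value set in post-auth reaches the firewalls because the NAS echoes Class from the Access-Accept into its Accounting-Request, as RFC 2865 specifies. Assumptions: FreeRADIUS 3.x; realm names, pool names, addresses and secrets are placeholders.

```conf
# --- proxy.conf: one realm per firewall (all names and values are placeholders) ---
home_server fw1_acct {
	type   = acct
	ipaddr = 192.0.2.11        # documentation address, replace with firewall 1
	port   = 1813
	secret = CHANGE_ME_FW1     # use a distinct shared secret per firewall
}
home_server_pool fw1_acct_pool {
	type        = fail-over
	home_server = fw1_acct
}
realm fw1 {
	acct_pool = fw1_acct_pool
}

home_server fw2_acct {
	type   = acct
	ipaddr = 192.0.2.12        # documentation address, replace with firewall 2
	port   = 1813
	secret = CHANGE_ME_FW2
}
home_server_pool fw2_acct_pool {
	type        = fail-over
	home_server = fw2_acct
}
realm fw2 {
	acct_pool = fw2_acct_pool
}

# --- sites-enabled/default: send a copy of each accounting packet to both realms ---
# Requires the module to be enabled: mods-enabled/replicate -> ../mods-available/replicate
accounting {
	update control {
		&Replicate-To-Realm := "fw1"
		&Replicate-To-Realm += "fw2"
	}
	replicate

	# Keep the accounting modules already listed in this section (detail, sql, ...)
	# below, so the NAS still receives its Accounting-Response from this server.
}
```

The firewalls' replies to replicated packets are ignored by the server, so a firewall that drops the packet (for example because of a shared-secret mismatch) shows up only in the firewall's own logs.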