Freeradius 3.x - CoA proxy and dynamic-client

Freeradius 3.x - CoA proxy and dynamic-client

Alex-4
Hi everyone,

I'm trying to solve a little issue with my FreeRADIUS scenario.

My scenario is like this:


Client ----- proxy (FR 3.x) ------ AAA (FR 3.x)

                          |----------------- COA generator (Java)


So, I have a proxy frontend with a dynamic-clients virtual server which forwards
the authentication and accounting requests to the backend via the realm module.
This is working like a charm.

I would also like to use CoA requests to the client. These requests are
generated by Java software, then they should be proxied by the frontend
and forwarded to the client.

From my understanding the realm module needs a static client definition to
proxy the CoA requests, but this is not applicable to my scenario.

So now I'm trying to find some kind of workaround, but I'm not able to find
any documentation on a known pattern in the documentation.


Is someone facing the same problem, or has someone solved it in the past?



Thank you and best regards!

Alex
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 3.x - CoA proxy and dynamic-client

Alan DeKok-2
On Sep 1, 2020, at 7:50 AM, Alex <[hidden email]> wrote:

> My scenario is like this
>
>
> Client ----- proxy (FR 3.x) ------ AAA (FR 3.x)
>
>                          |----------------- COA generator (Java)
>
>
> So, I have a proxy frontend with a dynamic-clients virtual server which forwards
> the authentication and accounting requests to the backend via the realm module.
> This is working like a charm.

  That's good.

> I would also like to use CoA requests to the client. These requests are
> generated by Java software, then they should be proxied by the frontend
> and forwarded to the client.

  Why?  Why not just send them directly to the client?

  The client only knows that the packet came from the IP of the proxy, and has the correct shared secret.  The client doesn't know that the packet was sent by FreeRADIUS, or by a separate application.

> From my understanding the realm module needs a static client definition to
> proxy the CoA requests, but this is not applicable to my scenario.

  v3 doesn't support dynamic home servers.

> So now I'm trying to find some kind of workaround, but I'm not able to find
> any documentation on a known pattern in the documentation.
>
> Is someone facing the same problem, or has someone solved it in the past?

  Just use "radclient" to send packets directly to the client.

  Alan DeKok.


Re: Freeradius 3.x - CoA proxy and dynamic-client

Alex-4
On Tue, Sep 1, 2020 at 13:57, Alan DeKok <[hidden email]> wrote:

> On Sep 1, 2020, at 7:50 AM, Alex <[hidden email]> wrote:
> > My scenario is like this
> >
> >
> > Client ----- proxy (FR 3.x) ------ AAA (FR 3.x)
> >
> >                          |----------------- COA generator (Java)
> >
> >
> > So, I have a proxy frontend with a dynamic-clients virtual server which forwards
> > the authentication and accounting requests to the backend via the realm module.
> > This is working like a charm.
>
>   That's good.
>
> > I would also like to use CoA requests to the client. These requests are
> > generated by Java software, then they should be proxied by the frontend
> > and forwarded to the client.
>
>   Why?  Why not just send them directly to the client?
>
>   The client only knows that the packet came from the IP of the proxy, and
> has the correct shared secret.  The client doesn't know that the packet was
> sent by FreeRADIUS, or by a separate application.
>

The Java module is outside the network. The network is segmented, so the Java
module cannot talk directly to the clients. It's also a requirement to
preserve it.


> > From my understanding the realm module needs a static client definition to
> > proxy the CoA requests, but this is not applicable to my scenario.
>
>   v3 doesn't support dynamic home servers.
>

Are they supported in version 2? I can change the frontend version as I like.


>
> > So now I'm trying to find some kind of workaround, but I'm not able to find
> > any documentation on a known pattern in the documentation.
> >
> > Is someone facing the same problem, or has someone solved it in the past?
>
>   Just use "radclient" to send packets directly to the client.
>
>   Alan DeKok


Thank you and best regards
Alex
Re: Freeradius 3.x - CoA proxy and dynamic-client

Alan DeKok-2
On Sep 1, 2020, at 8:04 AM, Alex <[hidden email]> wrote:
> The Java module is outside the network. The network is segmented, so the Java
> module cannot talk directly to the clients. It's also a requirement to
> preserve it.

  So have the Java system talk to something on the FreeRADIUS server.  It doesn't have to be RADIUS.

  If you insist on RADIUS, then have the Java system send CoA packets to FreeRADIUS.  Those packets can contain the "real" IP of the client.  You can then make FreeRADIUS run radclient, via "exec".

  See the exec module for details.  You'll want to configure it so that it does *not* wait for a response from the client.

>>  v3 doesn't support dynamic home servers.
>>
> Are they supported in version 2? I can change the frontend version as I like.

  No, they're not supported in v2 either.

  Alan DeKok.
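
A sketch of the relay described in the last reply, added here as an example and not code from the thread or from FreeRADIUS: a wrapper that the exec module could run, which checks the target address against an allowlist before handing the attributes to radclient. The script layout, the `NAS_TABLE` contents and the calling convention (NAS IP as first argument, attribute lines after it) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper an exec call could run to relay
# a CoA-Request with radclient. Usage: coa-relay.sh NAS_IP 'Attr = value' ...
# NAS_TABLE is constructed sample data; keep the real one in a root-only file.
NAS_TABLE='192.0.2.10 sample-secret-a
192.0.2.11 sample-secret-b'

# Accept only a strict dotted quad, so the address taken from the incoming
# packet can never carry shell metacharacters or radclient options.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the shared secret of an allowlisted NAS; fail for any other address.
lookup_secret() {
    valid_ipv4 "$1" || return 1
    secret=$(printf '%s\n' "$NAS_TABLE" |
        awk -v ip="$1" '$1 == ip { print $2; exit }')
    [ -n "$secret" ] && printf '%s\n' "$secret"
}

# Send the attribute lines to the NAS on the RFC 5176 CoA port (3799).
# -r 1 -t 3: one attempt, three-second timeout, so a dead NAS cannot pile up
# processes. radclient -S FILE would keep the secret off the command line.
relay_coa() {
    nas=$1; shift
    secret=$(lookup_secret "$nas") || {
        echo "refused: $nas is not an allowlisted NAS" >&2
        return 1
    }
    printf '%s\n' "$@" | radclient -r 1 -t 3 "$nas:3799" coa "$secret"
}

# Run only when called with arguments, as the exec module would call it.
if [ "$#" -ge 1 ]; then relay_coa "$@"; fi
```

Because the target address comes from a packet sent by a system outside the segment, the allowlist is what keeps the frontend from relaying CoA to arbitrary hosts.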

