LDAP attribute update for clients


LDAP attribute update for clients

DEV-3
Hi!

Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?

For users I can set this:
https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad14059236673c2152ea4febf9181bab22248fb/django_cdstack_tpl_accessradius/templates/config-fs/static/etc/freeradius/mods-available/ldap#lines-57

Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.

Thank you.

Kind regards
Kevin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP attribute update for clients

Alan DeKok-2
On Feb 22, 2021, at 9:24 AM, DEV <[hidden email]> wrote:
> Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?

  Update post-auth with an LDAP query.

> For users I can set this:
> https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad14059236673c2152ea4febf9181bab22248fb/django_cdstack_tpl_accessradius/templates/config-fs/static/etc/freeradius/mods-available/ldap#lines-57
>
> Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.

  I'm not sure what you're asking here.

  The processing sections are run when the server receives a packet.  i.e. Access-Request gets processed through authorize, authenticate, post-auth.  There's no concept of "user" versus "client" here.  It's just a packet with src/dst IP, and various contents.

  So if you want to update LDAP when FreeRADIUS receives a packet, just write things in "authorize" to update LDAP.  It's not more complicated than that.  The main issue here is that LDAP is intended to be read-many, write-rarely.  So doing LDAP writes on every packet received will likely cause issues.

  But... if you want to see which clients are dead, see sites-available/control, and the "radmin" command.  You can ask the server about a particular client, and it will tell you when the server last received a packet from that client.

  Alan DeKok.


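What "update post-auth with an LDAP query" looks like in practice, as an added example that is not from the thread or the FreeRADIUS project: the rlm_ldap `post-auth` update block that FreeRADIUS 3.0.x ships (commented out) in `mods-available/ldap`, wired into the default virtual server. The LDAP host, bind DN, base DN and the choice of the `description` attribute are assumptions for illustration.

```text
#  mods-available/ldap (excerpt; host, bind DN and base DN are placeholders)
ldap {
	server = 'ldap.example.org'
	identity = 'cn=freeradius,dc=example,dc=org'
	password = 'CHANGE-ME'
	base_dn = 'dc=example,dc=org'

	user {
		base_dn = "ou=people,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	#  Runs only when "ldap" is listed in a post-auth section.  The modify
	#  is applied to the DN found by the user lookup above, i.e. the
	#  authenticated user's object, not a NAS object.  %S expands to the
	#  request timestamp; the NAS address is recorded alongside it.
	post-auth {
		update {
			description := "Authenticated at %S from NAS %{NAS-IP-Address}"
		}
	}
}

#  sites-available/default (excerpt)
post-auth {
	ldap
}
```

Two points follow directly from the thread. The write happens once per Access-Accept, so on a busy server this is exactly the "write on every packet" pattern the reply warns about; keep it to low-volume deployments or gate it with an `if` on the attributes you care about. And because the modify targets the user's DN, a per-NAS "last seen" attribute is not reachable through this block; the server only sees a packet with a source IP, which is why the thread points at `radmin` for client liveness instead.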

Re: LDAP attribute update for clients

DEV-3
Hi Alan,

Thank you. My definition of client is the NAS.

There is no control site, did you mean this?
https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sites-available/control-socket

I need to write to LDAP, as I need to make this information available this way. As the number of requests is low, this is not an issue.

For authentication, the request in FR has two kinds of credentials:
1) the enduser when signing into a service like PPP
2) the NAS credentials (shared secret) to connect to the radius server

Case 1 is already working, for case 2 I don't know which section it is (or if it's possible at all).

As I did not use Radmin before (as I did not need it before), I assume from your explanation that it shows the data ("NAS last seen") - I just need it to write it back to the LDAP object, just like 1 does.

Is there a "post-auth update" equivalent for NAS?

Thank you!

Kind regards
Kevin


Re: LDAP attribute update for clients

Alan DeKok-2
On Feb 22, 2021, at 11:24 AM, DEV <[hidden email]> wrote:
> There is no control site, did you mean this?
> https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sites-available/control-socket

  Yes.

> I need to write to LDAP, as I need to make this information available this way. As the number of requests is low, this is not an issue.

  OK.

> For authentication, the request in FR has two kinds of credentials:
> 1) the enduser when signing into a service like PPP
> 2) the NAS credentials (shared secret) to connect to the radius server
>
> Case 1 is already working, for case 2 I don't know which section it is (or if it's possible at all).

  As I said... the server processes packets.  I described how it does that.

> As I did not use Radmin before (as I did not need it before), I assume from your explanation that it shows the data ("NAS last seen") - I just need it to write it back to the LDAP object, just like 1 does.
>
> Is there a "post-auth update" equivalent for NAS?

  No.

  I explained how the server processes packets.  Please understand that's how the server works.  If you want it to do something else, then refer back to how it actually works.

  Alan DeKok.

