Working with data used at authentication time during accounting


Working with data used at authentication time during accounting

Marki
Hello,

During authentication/authorization Radius queries our backend for
validity of the user (exec modules), which return several response
attributes to Radius and in consequence to the NAS.

Now, if possible, I would like to re-use some of that information at
accounting stage. The thing is that I'm proxying the NAS' accounting
packets to another firewall for SSO access, which also requires that
information. The NAS doesn't remember the custom attributes from
authentication response and doesn't include them in the accounting
request. Probably, it doesn't have or need to. Still, I have to add them
back in somehow.

Of course I could just ask the backend again, to obtain the same
information, but maybe it's possible without that. Fewer scripts, you know.

Maybe there's no magic here which I'll gladly accept. :) I thought that
since the server seems to know during challenge-response at
authentication time which session is which, there may be a way here too.
Don't hang me if that's not the case and these things are unrelated.

I see that the NAS transmits an audit-session-id which is identical in
both the authentication and accounting packets. Maybe I could leverage
that. But still both worlds (authentication/accounting) would somehow
need to share some data.

Thanks,
Marki

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Working with data used at authentication time during accounting

Alan DeKok-2
On Mar 15, 2021, at 4:16 PM, Marki <[hidden email]> wrote:
> During authentication/authorization Radius queries our backend for validity of the user (exec modules),

  That can be slow.  But if it works...

> which return several response attributes to Radius and in consequence to the NAS.
>
> Now, if possible, I would like to re-use some of that information at accounting stage. The thing is that I'm proxying the NAS' accounting packets to another firewall for SSO access, which also requires that information. The NAS doesn't remember the custom attributes from authentication response and doesn't include them in the accounting request. Probably, it doesn't have or need to. Still, I have to add them back in somehow .

  Use the "Class" attribute.   You send it in the Access-Accept, and the NAS is supposed to include it in the Accounting-Request packets for that session.

> Maybe there's no magic here which I'll gladly accept. :) I thought that since the server seems to know during challenge-response at authentication time which session is which, there may be a way here too. Don't hang me if that's not the case and these things are unrelated.

  They are largely unrelated.  :(

> I see that the NAS transmits an audit-session-id which is identical in both the authentication and accounting packets. Maybe I could leverage that. But still both worlds (authentication/accounting) would somehow need to share some data.

  I presume you mean "Acct-Session-Id".  And if the NAS sends that in Access-Request packets, that's very good.  It means you can leverage that.

  The way to share data is in a database, or a local cache.  You can use the "cache" module for this.  It's a little opaque, but it does the job.  The idea is:

* set up an in-memory cache (rbtree)
* update mods-available/cache with the list of attributes you want to cache
* in post-auth, set &control:Cache-Merge = yes, and run the "cache" module
* in "preacct", set &control:Cache-Read-Only = yes, and run the "cache" module

  Alan DeKok.
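The two mechanisms described in this reply (Class echoed by the NAS, and the "cache" module keyed on a session identifier), written out as an added configuration example. It is not part of the thread and not FreeRADIUS project code. It assumes FreeRADIUS 3.x unlang, a single virtual server in sites-enabled/default, a cache instance named cache_session, that the backend leaves the value the firewall needs in &reply:Filter-Id (a stand-in for the real custom attribute), and a NAS that sends Acct-Session-Id in the Access-Request; the Cache-Merge and Cache-Read-Only control attributes are used with the names given in the reply above.

```unlang
# Added example (not from the thread, not FreeRADIUS project code).
# Assumed: FreeRADIUS 3.x, single virtual server, backend value in &reply:Filter-Id.

# --- mods-enabled/cache ---------------------------------------------------
cache cache_session {
    driver = "rlm_cache_rbtree"          # in-memory rbtree, as suggested above

    # Assumed: the NAS sends Acct-Session-Id in Access-Request as well as in
    # Accounting-Request. A NAS that only sends it in accounting needs a
    # different key that is present in both packet types.
    key = "%{Acct-Session-Id}"
    ttl = 86400                          # seconds; should outlive the longest session

    update {
        # Right side: read from the reply when the entry is created (post-auth).
        # Left side: list the value is merged into on a cache hit (preacct).
        &request:Filter-Id := &reply:Filter-Id
    }
}

# --- sites-enabled/default ------------------------------------------------
post-auth {
    # Mechanism 1: Class. RFC 2865 says the NAS SHOULD send Class unmodified
    # in the Accounting-Request, so the value travels with the session.
    if (&reply:Filter-Id) {
        update reply {
            &Class += "grp=%{reply:Filter-Id}"   # prefix marks values this server created
        }
    }

    # Mechanism 2: cache, for a NAS that does not echo Class. Control attribute
    # names as given in the reply above; confirm them in mods-available/cache
    # for the server version in use.
    update control {
        &Cache-Merge := yes
    }
    cache_session
}

preacct {
    # Prefer the value the NAS echoed back in Class.
    if (&Class =~ /^grp=(.+)$/) {
        update request {
            &Filter-Id := "%{1}"
        }
    }
    else {
        # Fall back to the cache. Read-only here, so accounting traffic can
        # never create entries for sessions this server did not authenticate.
        update control {
            &Cache-Read-Only := yes
        }
        cache_session
    }

    # &request:Filter-Id now carries the backend value and goes out with the
    # proxied Accounting-Request; the proxy configuration itself is unchanged.
}
```

The Class branch needs no server-side state, so it is the first choice; the cache branch only matters for a NAS that drops Class, and its key must be something the NAS puts in both the Access-Request and the Accounting-Request.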


Re: Working with data used at authentication time during accounting

Marki
On 3/15/2021 10:17 PM, Alan DeKok wrote:
>
>> Now, if possible, I would like to re-use some of that information at accounting stage. The thing is that I'm proxying the NAS' accounting packets to another firewall for SSO access, which also requires that information. The NAS doesn't remember the custom attributes from authentication response and doesn't include them in the accounting request. Probably, it doesn't have or need to. Still, I have to add them back in somehow .
>    Use the "Class" attribute.   You send it in the Access-Accept, and the NAS is supposed to include it in the Accounting-Request packets for that session.

That was the missing link, thank you very much. It is good to see that
there can even be more than one Class attribute :)

Like this we can even configure the NAS (Cisco) Accounting features to
directly contact the firewall (Fortigate) in order to establish the
firewall policies (RSSO) without any proxying through the Radius server...

>
>> I see that the NAS transmits an audit-session-id which is identical in both the authentication and accounting packets. Maybe I could leverage that. But still both worlds (authentication/accounting) would somehow need to share some data.
>    I presume you mean "Acct-Session-Id".  And if the NAS sends that in Access-Request packets, that's very good.  It means you can leverage that.
There is both. There is an Acct-Session-Id but it's only present in the
accounting packets unfortunately. "audit-session-id" seems to be a
vendor-specific attribute (Cisco) and it's present both in
Access-Request and Accounting-Request.

Thanks again,
Marki
