Replicate FreeRADIUS responses to another host

Daniel Finger df at ewetel.de
Tue Mar 5 14:04:59 CET 2019


Hi!

I need to replicate Access-Accept, Access-Reject and Accounting-Request and 
Accounting-Response tickets to another system for lawful interception.
Actually I need to add some other attributes, but this can all be done in 
unlang and is already working.

I wanted to use rlm_replicate for this, but it did not replicate the response.

I created a patch for rlm_replicate:
- using the module in Post-Auth will replicate the response.
- use the original request->packet->id so that the response matches the request
- when replicating an accounting-request, send a response right away (is 
there a better way without changing the current behaviour?)

Is it possible to have this functionality included?

--- rlm_replicate.c 2019-02-25 22:41:30.000000000 +0100
+++ rlm_replicate.c 2019-03-05 11:46:41.000000000 +0100
@@ -87,12 +87,21 @@ static int replicate_packet(UNUSED void
         case PW_CODE_ACCESS_REQUEST:
             pool = realm->auth_pool;
             break;
+       case PW_CODE_ACCESS_ACCEPT:
+               pool = realm->auth_pool;
+               break;
+       case PW_CODE_ACCESS_REJECT:
+           pool = realm->auth_pool;
+           break;

  #ifdef WITH_ACCOUNTING

         case PW_CODE_ACCOUNTING_REQUEST:
             pool = realm->acct_pool;
             break;
+       case PW_CODE_ACCOUNTING_RESPONSE:
+           pool = realm->acct_pool;
+           break;
  #endif

  #ifdef WITH_COA
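
Review bot: the three added cases (PW_CODE_ACCESS_ACCEPT, PW_CODE_ACCESS_REJECT, PW_CODE_ACCOUNTING_RESPONSE) repeat the pool assignment of the request case next to them and are indented differently from each other. Stack them as extra case labels on the existing PW_CODE_ACCESS_REQUEST and PW_CODE_ACCOUNTING_REQUEST cases so there is one assignment per pool. A comment is also needed here saying that reply codes are now sent to auth_pool and acct_pool, so whatever sits behind those pools has to accept replies as inbound packets.
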
@@ -125,7 +134,7 @@ static int replicate_packet(UNUSED void
             }

             packet->code = code;
-           packet->id = fr_rand() & 0xff;
+           packet->id = request->packet->id;
             packet->sockfd = fr_socket(&home->src_ipaddr, 0);
             if (packet->sockfd < 0) {
                 REDEBUG("Failed opening socket: %s", fr_strerror());
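
Review bot: "packet->id = request->packet->id;" is unconditional, so it changes the ID of every replicated packet, including the plain request replication that existing users of the module rely on and that used fr_rand() until now. Put the ID reuse behind a configuration option that defaults to the old behaviour, and add a comment that the ID is copied so the receiver can pair the replicated response with the replicated request.
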
@@ -191,11 +200,18 @@ static int replicate_packet(UNUSED void
          */
         RDEBUG("Replicating list '%s' to Realm '%s'", 
fr_int2str(pair_lists, list, "<INVALID>"),
                realm->name);
-       if (rad_send(packet, NULL, home->secret) < 0) {
+       if (rad_send(packet, request->packet, home->secret) < 0) {
             REDEBUG("Failed replicating packet: %s", fr_strerror());
             rcode = RLM_MODULE_FAIL;
             goto done;
         }
+       if (code == PW_CODE_ACCOUNTING_REQUEST) {
+           rcode = replicate_packet(instance, request, PAIR_LIST_REPLY, 
PW_CODE_ACCOUNTING_RESPONSE);
+           if (rcode != RLM_MODULE_OK) {
+               goto done;
+           }
+
+       }

         /*
          *  We've sent it to at least one destination.
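
Review bot: the recursive replicate_packet(..., PAIR_LIST_REPLY, PW_CODE_ACCOUNTING_RESPONSE) call runs after each successful send of an Accounting-Request, and the "at least one destination" comment right below it suggests this point is inside a loop over destinations. If so, the inner call walks the destinations again and each one receives the Accounting-Response once per outer iteration; send the response once after the loop, or from a separate hook. The reply list is also copied before the server has finished processing the accounting request, so the replicated response can differ from the one the NAS finally gets. Separately, rad_send() now receives request->packet for request codes too; keep NULL there and pass the original only for reply codes, so the existing path is unchanged. The empty "+" line before the closing brace can go.
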
@@ -224,6 +240,11 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
     return replicate_packet(instance, request, PAIR_LIST_REQUEST, 
request->packet->code);
  }

+static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST 
*request)
+{
+   return replicate_packet(instance, request, PAIR_LIST_REPLY, 
request->reply->code);
+}
+
  static rlm_rcode_t CC_HINT(nonnull) mod_accounting(void *instance, REQUEST 
*request)
  {
     return replicate_packet(instance, request, PAIR_LIST_REQUEST, 
request->packet->code);
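
Review bot: mod_post_auth passes request->reply->code straight into replicate_packet, but the switch in the first hunk only gained cases for Access-Accept and Access-Reject. Check the code here and return RLM_MODULE_NOOP for anything else, so a reply with another code, or with no code set yet, is not handed on. A short comment that this method replicates the reply list rather than the request would help, since every other method in view passes PAIR_LIST_REQUEST.
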
@@ -264,6 +285,7 @@ module_t rlm_replicate = {
     .type       = RLM_TYPE_THREAD_SAFE,
     .methods = {
         [MOD_AUTHORIZE]     = mod_authorize,
+       [MOD_POST_AUTH]     = mod_post_auth,
         [MOD_ACCOUNTING]    = mod_accounting,
         [MOD_PREACCT]       = mod_preaccounting,
  #ifdef WITH_PROXY
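
Review bot: with [MOD_POST_AUTH] registered the module can be listed in post-auth, but the patch touches only rlm_replicate.c, so nothing tells an administrator about it. Add a paragraph to the module's documentation and sample configuration describing that post-auth replicates the reply, and what the receiving side has to accept.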

-- 
Greetings
Daniel Finger

EWE TEL GmbH
Cloppenburger Straße 310
26133 Oldenburg
E-Mail: info at ewe.de
Internet: www.ewe.de

Commercial register: Amtsgericht Oldenburg HRB 3723
Chairman of the Supervisory Board: Michael Heidkamp
Managing Directors: Norbert Westfal (Spokesman), Sebastian Jurczyk, Ludwig 
Kohnen, Maximilian Oertle

