API capabilities

Brian Julin BJulin at clarku.edu
Thu Feb 1 19:34:22 CET 2018 

Tunc Gunergun <tgunergun at gmail.com> wrote:
> I never installed/used free radius before however I'm tasked to assess
> its Rest API capabilities and see whether following 802.1.x use case
> is workable.

TLDR, you can glue such a thing together, but it doesn't come pre-assembled.
FreeRADIUS is only one (albeit essential) part of a NAC, and what you are
asking for is a dynamic-authorization NAC.  An Opensource example of a NAC
is PacketFence.

> - Controller asks FreeRadius to block a specific IP address via API;

In general FreeRADIUS is meant to respond to RADIUS requests.  There
are control APIs but most of the "REST" work is on the FreeRADIUS-as-a-REST-client
side (rlm_rest).  I dunno if I missed anyone writing REST control interfaces though.

> - FreeRadius finds who owns that IP from authenticated user list;

RADIUS authenticates before IP addresses are known.

If (and only if) you configure accounting on your NAS units and your NAS
units do accounting well and can sniff DHCP, FreeRADIUS will be informed
of the IP address after authentication.  You would need to configure FreeRADIUS
to store this information in an external database, along with the Session-ID,
MAC address, NAS IP, and port.  Then you would have a resource FreeRADIUS
could use to find a host by IP.

> - FreeRadius sends Radius CoA to 802.1x authenticator (Switch)
> a. to reset user session (reject user authentication at next attempt
> or put user into default vlan)
> b. to reset user session and put user into a quarantine vlan X

There are two options here.  You can ask FreeRADIUS to send CoA
or Disconnects, but to do so FreeRADIUS will need to have an up-to-date
list of the IP addresses of all your NAS units.

You can also just send the CoA directly via a shell script or whatnot,
in which case you do not need to keep your list of NAS units up to date
and can use a wildcard to permit NAS units to use FreeRADIUS.  You can
even do this from an entirely different box and also edit the database
FreeRADIUS is using to decide whether to auth a user or not via whatever
API the database presents.

> - Controller ask FreeRadius to unblock (release) a specific IP address via API.
> a. same as above but in reverse order
> b. same as above but in reverse order.

Just a special case of the above.

Gluing all of this together is some effort.  Products like PacketFence and its
commercial competitors do a lot of that for you (but also often come with
some rather arbitrary restrictions or strings attached and some products can
end up being as hard to set up as it is to just do it the "hard" way.)

More information about the Freeradius-Users mailing list