CoA over inbound radsec session
Seeing from an old thread that currently CoA over radsec is possible for outbound radsec sessions from Freeradius, in order to do the same using existing inbound radsec tunnel, required some testing? By any chance, did that change, if it still requires testing, I can pick up the PR for testing and bring it back for review with tested results? Thanks Natarajan On 9/14/20, 4:06 PM, "Alan DeKok" <aland at deployingradius.com <http://lists.freeradius.org/mailman/listinfo/freeradius-users>> wrote: On Sep 14, 2020, at 8:58 AM, Vadim Cargatser (vcargats) via Freeradius-Users <freeradius-users at lists.freeradius.org <http://lists.freeradius.org/mailman/listinfo/freeradius-users>> wrote: > We'd like to trigger a CoA based on an external event. Is this possible? Not really. > There was a mail thread back in 2010 I was just wondering if something has been changed so far: > http://freeradius.1045715.n5.nabble.com/Freeradius-COA-trigger-td3204376.htm... FreeRADIUS isn't a web server, so it doesn't know that the admin clicked on something in a web UI. The only way to do this is via RADIUS. > I know the basic approach is to use radclient for that scenario. Unfortunately, radclient does not support TLS/RADSEC which is critical for us. > > In case this is not currently possible, can we just implement that? Say to allow getting external events for example from RabbitMQ? FreeRADIUS doesn't listen for events from RabbitMQ. That's hard to add. (Though in v4 it's likely a lot easier) The solution here is to use v3.0.x from GitHub, because earlier versions don't support CoA over TLS (oops). Then, use radclient to send packets to FreeRADIUS. FreeRADIUS can receive the packets from radclient, and then forward them over TLS to another server. See sites-available/coa-relay for an example. You just have to define a home_server which uses TLS for CoA. Note that the server can only send CoA packets over connections to home servers. i.e. connections where FreeRADIUS creates the outbound connection. CoA packets *cannot* be sent in the "reverse" path over TLS connections which the client made to FreeRADIUS. There is no standard for how this should work. I have patches, but they need testing. Alan DeKok.
On Jul 17, 2023, at 10:43 AM, Natarajan M <natarajan.m@gmail.com> wrote:
Seeing from an old thread that currently CoA over radsec is possible for outbound radsec sessions from Freeradius, in order to do the same using existing inbound radsec tunnel, required some testing? By any chance, did that change, if it still requires testing, I can pick up the PR for testing and bring it back for review with tested results?
It's all in the v3.2.x branch. You will have to rebuild from source. Edit the top Make.inc, and add a line anywhere: CFLAGS += -DWITH_COA_TUNNEL Then rebuild. You'll also have to configure the tunneled CoA feature. There isn't much documentation on it as it's still experimental. But if you look at the source code for COA_TUNNEL, you'll see the various configuration options and where they go. Alan DeKok.
participants (2)
-
Alan DeKok -
Natarajan M