Is it possible to do Auth, Accounting and COA over single client initiated RADSEC session?
Dear FreeRadius users and developers. I'm working on a project where we need client devices to connect to our FreeRadius server over the internet using a single RADSEC connection that each client device would initiate. We would like all radius traffic to go over this single connection including Auth, Accounting, and COA messages. I have been working with the TLS configuration and see that it supports Auth+Acct only, and so far I have not figured out how to get COA messages to go back down the same connection. Is this already supported by FreeRadius, and how would I configure my server to support it? If this is not currently supported, is this a feature that is in consideration for future development? I would be thankful for any advice. Kind Regards Craig. --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com
On 26 Jun 2014, at 00:46, Smc Kms <smckms@cleverlittlebunny.com> wrote:
Dear FreeRadius users and developers.
I'm working on a project where we need client devices to connect to our FreeRadius server over the internet using a single RADSEC connection that each client device would initiate.
We would like all radius traffic to go over this single connection including Auth, Accounting, and COA messages.
Heh, that's kinda cool. So even behind NAT or over a WAN link with a dynamic connection you can still signal the NAS. I can definitely see the utility in that, but I don't think it's currently supported. You'd have to have internal routing within FreeRADIUS to send the CoA back out, I guess all clients with active connections would become CoA 'home servers'.
I have been working with the TLS configuration and see that it supports Auth+Acct only, and so far I have not figured out how to get COA messages to go back down the same connection. Is this already supported by FreeRadius, and how would I configure my server to support it?
If this is not currently supported, is this a feature that is in consideration for future development?
RFC6614 does not deal with this scenario, so no and probably no, unless you're willing to do the dev work. If you weren't hoping to take advantage of NAT traversal or the fact that the NAS was connecting inbound to FreeRADIUS, then you can just add the NAS as home servers in different realms, and establish an outbound TCP connection back to the NAS. You should be able to send CoA that way, though the code path probably hasn't been tested. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Heh, that's kinda cool. So even behind NAT or over a WAN link with a dynamic connection you can still signal the NAS. I can definitely see the utility in that, but I don't think it's currently supported. Yes Arran, you've hit the nail on the head, we don't want to have to muck around putting holes in firewalls to allow inbound connections. Having the device call out and having everything over the same session should resolve that.
If this is not currently supported, is this a feature that is in consideration for future development?
RFC6614 does not deal with this scenario, so no and probably no, unless you're willing to do the dev work.
I will be trying to implement the COA over RadSec so if I have any success with code changes, I will be in touch. Regards Craig. --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com
On 27 Jun 2014, at 03:01, Smc Kms <smckms@cleverlittlebunny.com> wrote:
Heh, that's kinda cool. So even behind NAT or over a WAN link with a dynamic connection you can still signal the NAS. I can definitely see the utility in that, but I don't think it's currently supported. Yes Arran, you've hit the nail on the head, we don't want to have to muck around putting holes in firewalls to allow inbound connections. Having the device call out and having everything over the same session should resolve that.
If this is not currently supported, is this a feature that is in consideration for future development?
RFC6614 does not deal with this scenario, so no and probably no, unless you're willing to do the dev work.
I will be trying to implement the COA over RadSec so if I have any success with code changes, I will be in touch.
Cool, if you have any questions, feel free to post to the dev list, or ping Alan and I and email off list. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Smc Kms wrote:
I have been working with the TLS configuration and see that it supports Auth+Acct only, and so far I have not figured out how to get COA messages to go back down the same connection.
It's not possible right now.
If this is not currently supported, is this a feature that is in consideration for future development?
Sure. It's probably not difficult. You would have to mark up the "home server" structure for CoA, to say "use available incoming TLS connections". In fact, the hardest part would be tracking the incoming TLS connections. Right now, the only place they're tracked is in the event loop which listens on the socket. There's no need to look them up anywhere, so the code doesn't do that. Alan DeKok.
On 2014-06-26 21:17, Alan DeKok wrote:
In fact, the hardest part would be tracking the incoming TLS connections. Right now, the only place they're tracked is in the event loop which listens on the socket. There's no need to look them up anywhere, so the code doesn't do that.
Thanks Alan. I will see if I can implement the functionality as you suggested. If I get something that looks reasonable, I'll be in touch to send a patch back. Regards Craig. --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Smc Kms