radius CoA client for PPTP box
I am currently trying to implement radius CoA on a NAS client using freeradius to handle the listening of inbound packets. I need to add a feature to change the shaping policy on the fly from our radius system to each existing NAS. Freeradius appears to employ a nice framework to accomplish this such as PPTP/PPPOE servers for an ISP environment. I originally started out with a PHP socket program that listened on port 3799 - it worked but has compatibility issues with older php4 systems that I must still support. I am not trying to proxy anything, just straight listen for packets, send the attributes to a secondary program and change rate shaping or disconnect users on the fly. I have no problems sending requests from my radius server to the NAS hosting the radius CoA listener on port 3799. RADIUS AUTH/ACCT SERVER - > SEND REQUEST ON PORT 3799 Radclient call - echo "User-Name = test, Framed-IP-Address=198.204.209.33, NAS-Port=382" | radclient -x 198.204.208.XX:3799 coa mypass What I need is in the recv-coa section to allow me to send a remote command using exec. So far nothing has worked for me. I've dug around in the documentation all day without anything working. I'm validating the php script runs by touching a filesystem command and running the daemon in debug mode from the command line to see the output. But the php is never called. ----------------snippet from radiusd.conf server coa { # When a packet is received, it is processed through the # recv-coa section. This applies to *both* CoA-Request and # Disconnect-Request packets. recv-coa { # CoA && Disconnect packets can be proxied in the same # way as authentication or accounting packets. # Just set Proxy-To-Realm, or Home-Server-Pool, and the # packets will be proxied. # Insert your own policies here. update control { Auth-Type:=`/usr/bin/php /usr/local/bin/radius_coa.php %{User-Name}` } ok } } ----------------------- Here is the output I have .. successfully getting data into freeradius NAS from central radius... radiusd -X ... adding new socket proxy address * port 53450 Listening on coa address * port 3799 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1151 Ready to process requests. rad_recv: CoA-Request packet from host 198.204.208.XX port 39238, id=55, length=38 User-Name = "test" Framed-IP-Address = 198.204.209.33 NAS-Port = 382 WARNING: Empty recv-coa section. Using default return values. WARNING: Empty send-coa section. Using default return values. Sending CoA-ACK of id 55 to 198.204.208.XX port 39238 Finished request 0. Going to the next request Cleaning up request 0 ID 55 with timestamp +23 Ready to process requests. ------------------------------------------------------ I am sure this is something simple to fix. Thanks Brock Eastman VP Engineering DigitalPath, Inc
On Sep 23, 2015, at 7:35 PM, Brock Eastman <brock@corp.digitalpath.net> wrote:
I am not trying to proxy anything, just straight listen for packets, send the attributes to a secondary program and change rate shaping or disconnect users on the fly.
See the "exec" module. You can run a program, and control which attributes it gets. See also "man unlang". It documents how to run programs via back-ticks.
recv-coa { ... update control {
Auth-Type:=`/usr/bin/php /usr/local/bin/radius_coa.php %{User-Name}`
Uh... why? These are CoA packets. There's no Auth-Type
radiusd -X ... rad_recv: CoA-Request packet from host 198.204.208.XX port 39238, id=55, length=38
User-Name = "test"
Framed-IP-Address = 198.204.209.33
NAS-Port = 382
WARNING: Empty recv-coa section. Using default return values.
WARNING: Empty send-coa section. Using default return values.
It's not using the virtual server you edited. So... fix that. See the file raddb/sites-available/coa. This is documented. Alan DeKok.
I was able to get this to work. The confusing portion of the sites-available/coa file has an entire new server section. I kept getting the warning about not having a populated recv-coa section. You just need to add this if you want a NAS only server to recv requests. Just populate your clients.conf section with the correct attributes from your main radius box that will be sending requests and then add this for simple recv-coa php script at the bottom of your radiusd.conf file. recv-coa { `/usr/bin/php /usr/local/bin/radius_coa.php %{User-Name} %{NAS-Port} %{NAS-IP-Address} %{Framed-IP-Address}` ok } Then just parse the argument list in php with argv and you're good to go. Brock -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+brock=corp.digitalpath.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, September 24, 2015 6:46 AM To: FreeRadius users mailing list Subject: Re: radius CoA client for PPTP box On Sep 23, 2015, at 7:35 PM, Brock Eastman <brock@corp.digitalpath.net> wrote:
I am not trying to proxy anything, just straight listen for packets, send the attributes to a secondary program and change rate shaping or disconnect users on the fly.
See the "exec" module. You can run a program, and control which attributes it gets. See also "man unlang". It documents how to run programs via back-ticks.
recv-coa { ... update control {
Auth-Type:=`/usr/bin/php /usr/local/bin/radius_coa.php %{User-Name}`
Uh... why? These are CoA packets. There's no Auth-Type
radiusd -X ... rad_recv: CoA-Request packet from host 198.204.208.XX port 39238, id=55, length=38
User-Name = "test"
Framed-IP-Address = 198.204.209.33
NAS-Port = 382
WARNING: Empty recv-coa section. Using default return values.
WARNING: Empty send-coa section. Using default return values.
It's not using the virtual server you edited. So... fix that. See the file raddb/sites-available/coa. This is documented. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 6, 2015, at 8:30 PM, Brock Eastman <brock@corp.digitalpath.net> wrote:
I was able to get this to work.
The confusing portion of the sites-available/coa file has an entire new server section.
That shouldn't be confusing. Each logical "function" is a new virtual server. That's how the *entire server* works.
I kept getting the warning about not having a populated recv-coa section.
Because it's needed when receiving CoA packets.
You just need to add this if you want a NAS only server to recv requests.
I have no idea what that means.
Just populate your clients.conf section with the correct attributes from your main radius box that will be sending requests
I have no idea what that means. I think your advice here is confused at best, and possibly misleading. Alan DeKok.
participants (2)
-
Alan DeKok -
Brock Eastman