LDAP attribute update for clients
Hi! Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP? For users I can set this: https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad140... Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead. Thank you. Kind regards Kevin
On Feb 22, 2021, at 9:24 AM, DEV <dev@dolphin-dev.com> wrote:
Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?
Update post-auth with an LDAP query.
For users I can set this: https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad140...
Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.
I'm not sure what you're asking here. The processing sections are run when the server receives a packet. i.e. Access-Request gets processed through authorize, authenticate, post-auth. There's no concept of "user" versus "client" here. It's just a packet with src/dst IP, and various contents. So if you want to update LDAP when FreeRADIUS receives a packet, just write things in "authorize" to update LDAP. It's not more complicated than that. The main issue here is that LDAP is intended to be read-many, write-rarely. So doing LDAP writes on every packet received will likely cause issues. But... if you want to see which clients are dead, see sites-available/control, and the "radmin" command. You can ask the server about a particular client, and it will tell you when the server last received a packet from that client. Alan DeKok.
Hi Alan, thank you. My definition of client is the NAS. There is no control site, did you mean this? https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sites-avai... I need to write to LDAP, as I need to make this information available this way. As the number of requests is low, this is not an issue. For authentication, the request in FR has two kinds of credentials: 1) the enduser when signing into a service like PPP 2) the NAS credentials (shared secret) to connect to the radius server Case 1 is already working, for case 2 I don't know which section it is (or if it's possible at all). As I did not use Radmin before (as I did not need it before), I assume from your explanation that it shows the data ("NAS last seen") - I just need it to write it back to the LDAP object, just like 1 does. Is there a "post-auth update" equivalent for NAS? Thank you! Kind regards Kevin ________________________________________ Von: Freeradius-Users <freeradius-users-bounces+dev=dolphin-dev.com@lists.freeradius.org> im Auftrag von Alan DeKok <aland@deployingradius.com> Gesendet: Montag, 22. Februar 2021 16:38 An: FreeRadius users mailing list Betreff: Re: LDAP attribute update for clients On Feb 22, 2021, at 9:24 AM, DEV <dev@dolphin-dev.com> wrote:
Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?
Update post-auth with an LDAP query.
For users I can set this: https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad140...
Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.
I'm not sure what you're asking here. The processing sections are run when the server receives a packet. i.e. Access-Request gets processed through authorize, authenticate, post-auth. There's no concept of "user" versus "client" here. It's just a packet with src/dst IP, and various contents. So if you want to update LDAP when FreeRADIUS receives a packet, just write things in "authorize" to update LDAP. It's not more complicated than that. The main issue here is that LDAP is intended to be read-many, write-rarely. So doing LDAP writes on every packet received will likely cause issues. But... if you want to see which clients are dead, see sites-available/control, and the "radmin" command. You can ask the server about a particular client, and it will tell you when the server last received a packet from that client. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 22, 2021, at 11:24 AM, DEV <dev@dolphin-dev.com> wrote:
There is no control site, did you mean this? https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sites-avai...
Yes.
I need to write to LDAP, as I need to make this information available this way. As the number of requests is low, this is not an issue.
OK.
For authentication, the request in FR has two kinds of credentials: 1) the enduser when signing into a service like PPP 2) the NAS credentials (shared secret) to connect to the radius server
Case 1 is already working, for case 2 I don't know which section it is (or if it's possible at all).
As I said... the server processes packets. I described how it does that.
As I did not use Radmin before (as I did not need it before), I assume from your explanation that it shows the data ("NAS last seen") - I just need it to write it back to the LDAP object, just like 1 does.
Is there a "post-auth update" equivalent for NAS?
No. I explained how the server processes packets. Please understand that's how the server works. If you want it to do something else, then refer back to how it actually works. Alan DeKok.
participants (2)
-
Alan DeKok -
DEV