Hi Guys, Hope you are well. I never installed/used free radius before however I'm tasked to assess its Rest API capabilities and see whether following 802.1.x use case is workable. - Controller asks FreeRadius to block a specific IP address via API; - FreeRadius finds who owns that IP from authenticated user list; - FreeRadius sends Radius CoA to 802.1x authenticator (Switch) a. to reset user session (reject user authentication at next attempt or put user into default vlan) b. to reset user session and put user into a quarantine vlan X - Controller ask FreeRadius to unblock (release) a specific IP address via API. a. same as above but in reverse order b. same as above but in reverse order. Many thanks for your support in advance. Cheers Matt
On Feb 1, 2018, at 1:03 PM, Tunc Gunergun <tgunergun@gmail.com> wrote:
I never installed/used free radius before however I'm tasked to assess its Rest API capabilities and see whether following 802.1.x use case is workable.
FreeRADIUS implements RADIUS. It doesn't implement a REST API. It can *call* a REST API. But if you want a REST server, you'll need to install a web server.
- Controller asks FreeRadius to block a specific IP address via API;
No. FreeRADIUS is a RADIUS server. You can't query it via an API. All of the bulk data in FreeRADIUS is stored in databases. If you want to update IPs, users, etc, then put them into a database. And just use normal database calls to write to the database.
- FreeRadius finds who owns that IP from authenticated user list;
This is a job for a database. Your application needs to query a database to find this information.
- FreeRadius sends Radius CoA to 802.1x authenticator (Switch)
Your application can use "radclient" to send CoA packets.
a. to reset user session (reject user authentication at next attempt or put user into default plan)
You need to mark up the database so that the user is rejected on their next authentication attempt.
b. to reset user session and put user into a quarantine vlan X - Controller ask FreeRadius to unblock (release) a specific IP address via API.
Again, you need to put this information into a database. Then, just write to the database. Alan DeKok.
Tunc Gunergun <tgunergun@gmail.com> wrote:
I never installed/used free radius before however I'm tasked to assess its Rest API capabilities and see whether following 802.1.x use case is workable.
TLDR, you can glue such a thing together, but it doesn't come pre-assembled. FreeRADIUS is only one (albeit essential) part of a NAC, and what you are asking for is a dynamic-authorization NAC. An Opensource example of a NAC is PacketFence.
- Controller asks FreeRadius to block a specific IP address via API;
In general FreeRADIUS is meant to respond to RADIUS requests. There are control APIs but most of the "REST" work is on the FreeRADIUS-as-a-REST-client side (rlm_rest). I dunno if I missed anyone writing REST control interfaces though.
- FreeRadius finds who owns that IP from authenticated user list;
RADIUS authenticates before IP addresses are known. If (and only if) you configure accounting on your NAS units and your NAS units do accounting well and can sniff DHCP, FreeRADIUS will be informed of the IP address after authentication. You would need to configure FreeRADIUS to store this information in an external database, along with the Session-ID, MAC address, NAS IP, and port. Then you would have a resource FreeRADIUS could use to find a host by IP.
- FreeRadius sends Radius CoA to 802.1x authenticator (Switch) a. to reset user session (reject user authentication at next attempt or put user into default vlan) b. to reset user session and put user into a quarantine vlan X
There are two options here. You can ask FreeRADIUS to send CoA or Disconnects, but to do so FreeRADIUS will need to have an up-to-date list of the IP addresses of all your NAS units. You can also just send the CoA directly via a shell script or whatnot, in which case you do not need to keep your list of NAS units up to date and can use a wildcard to permit NAS units to use FreeRADIUS. You can even do this from an entirely different box and also edit the database FreeRADIUS is using to decide whether to auth a user or not via whatever API the database presents.
- Controller ask FreeRadius to unblock (release) a specific IP address via API. a. same as above but in reverse order b. same as above but in reverse order.
Just a special case of the above. Gluing all of this together is some effort. Products like PacketFence and its commercial competitors do a lot of that for you (but also often come with some rather arbitrary restrictions or strings attached and some products can end up being as hard to set up as it is to just do it the "hard" way.)
participants (3)
-
Alan DeKok -
Brian Julin -
Tunc Gunergun