Our solution is to provide lawful information, according to a Court request on user's activity on the net. In order to do that we need to intercept their AAA activity and the actual data activity. The problem we are having is to collect the AAA activity for Authentication. We have found the way to forward the accounting data from the RADIUS to our RADIUS proxy and so we are notified on Session Start and Session End, but we need also to be notified on any attempt of a user to authenticate through the RADIUS. Are you familiar with any solution to do that? Thanks in advance for your help, Dubi -----Original Message----- From: freeradius-users-bounces+dlego=allot.com@lists.freeradius.org [mailto:freeradius-users-bounces+dlego=allot.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, December 27, 2006 9:33 PM To: FreeRadius users mailing list Subject: Re: proxy authentication Dubi Lego wrote:
I will clarify my question. Is it possible to forward all AAA messages including replies to another server which will only listen to messages and won't be active.
The short answer is that RADIUS doesn't do that. I'm not aware of *any* server, WWW, FTP, DNS, or otherwise that can do this. What you can do is to log all of the requests & responses to a "detail" file, and then copy that file somewhere else. Perhaps you might try explaining *why* you want this solution. What problem are you trying to solve? Why do you believe that this solution is the best one for the problem? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dubi Lego wrote:
we need also to be notified on any attempt of a user to authenticate through the RADIUS.
Are you familiar with any solution to do that?
Thanks in advance for your help,
Dubi
You could create a script that logs any authentication attempts to a file/table, and execute the script via exec during authentication. I do something similar to log failed/unsuccessful login attempts. HTH Patric ---------------------------------------------------------------------- Earn Your Teaching Degree Online Become a teacher with our elite online program. Get free info today! http://tags.bluebottle.com/fc/BgLEQfJD3qPBoOCHP71Qh0lX26WfHY8fCvcg/
I would think that you could cobble together an rlm_perl module that would log the contents of whatever hashes you are interested in to another server by whatever means you wish, then return MODULE_OK without modifying any of the data in the hashes. Owen On Dec 27, 2006, at 11:39 PM, Dubi Lego wrote:
Our solution is to provide lawful information, according to a Court request on user's activity on the net. In order to do that we need to intercept their AAA activity and the actual data activity.
The problem we are having is to collect the AAA activity for Authentication. We have found the way to forward the accounting data from the RADIUS to our RADIUS proxy and so we are notified on Session Start and Session End, but we need also to be notified on any attempt of a user to authenticate through the RADIUS.
Are you familiar with any solution to do that?
Thanks in advance for your help,
Dubi
-----Original Message----- From: freeradius-users-bounces+dlego=allot.com@lists.freeradius.org [mailto:freeradius-users-bounces+dlego=allot.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, December 27, 2006 9:33 PM To: FreeRadius users mailing list Subject: Re: proxy authentication
Dubi Lego wrote:
I will clarify my question. Is it possible to forward all AAA messages including replies to another server which will only listen to messages and won't be active.
The short answer is that RADIUS doesn't do that. I'm not aware of *any* server, WWW, FTP, DNS, or otherwise that can do this.
What you can do is to log all of the requests & responses to a "detail" file, and then copy that file somewhere else.
Perhaps you might try explaining *why* you want this solution. What problem are you trying to solve? Why do you believe that this solution is the best one for the problem?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Dubi Lego wrote:
Our solution is to provide lawful information, according to a Court request on user's activity on the net. In order to do that we need to intercept their AAA activity and the actual data activity.
That's a requirement, not a solution. The solution to that problem is, as I said, logging the packets via the "detail" module.
The problem we are having is to collect the AAA activity for Authentication.
This does NOT mean you need to proxy the packets. In fact, it likely means you do NOT proxy the packets, because proxying adds nothing over logging via the "detail" module.
We have found the way to forward the accounting data from the RADIUS to our RADIUS proxy and so we are notified on Session Start and Session End, but we need also to be notified on any attempt of a user to authenticate through the RADIUS.
Are you familiar with any solution to do that?
What's wrong with using the "detail" file, as I suggested in my previous message? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
Dubi Lego -
Owen DeLong -
Patric