Replicate FreeRADIUS responses to a another host
Daniel Finger
df at ewetel.de
Tue Mar 5 14:04:59 CET 2019
Hi!
I need to replicate Access-Accept, Access-Reject and Accounting-Request and
Accounting-Response tickets to another system for lawful interception.
Actually I need to add some other attributes, but this can all be done in
unlang and is already working.
I wanted to use rlm_replicate for this, but it did not replicate the response.
I created a patch for rlm_replicate:
- using the module in Post-Auth will replicate the response.
- use the original request->packet->id so that the response matches the request
- when replicating an accounting-request, send a response right away (is
there a better way without changing the current behaviour?)
Is it possible to have this functionality included?
--- rlm_replicate.c 2019-02-25 22:41:30.000000000 +0100
+++ rlm_replicate.c 2019-03-05 11:46:41.000000000 +0100
@@ -87,12 +87,21 @@ static int replicate_packet(UNUSED void
case PW_CODE_ACCESS_REQUEST:
pool = realm->auth_pool;
break;
+ case PW_CODE_ACCESS_ACCEPT:
+ pool = realm->auth_pool;
+ break;
+ case PW_CODE_ACCESS_REJECT:
+ pool = realm->auth_pool;
+ break;
#ifdef WITH_ACCOUNTING
case PW_CODE_ACCOUNTING_REQUEST:
pool = realm->acct_pool;
break;
+ case PW_CODE_ACCOUNTING_RESPONSE:
+ pool = realm->acct_pool;
+ break;
#endif
#ifdef WITH_COA
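Review bot: The two new auth arms repeat the body of the `PW_CODE_ACCESS_REQUEST` arm; stacking the labels (`case PW_CODE_ACCESS_REQUEST:`, `case PW_CODE_ACCESS_ACCEPT:`, `case PW_CODE_ACCESS_REJECT:`) above a single `pool = realm->auth_pool; break;` keeps the pool choice in one place, and the same applies to the two accounting arms. `PW_CODE_ACCESS_CHALLENGE` is not listed, so if the new post-auth hook ever runs for a challenge reply it will presumably fall into the default branch, which lies outside this hunk. A short comment stating that challenges are deliberately not replicated would make that explicit.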
@@ -125,7 +134,7 @@ static int replicate_packet(UNUSED void
}
packet->code = code;
- packet->id = fr_rand() & 0xff;
+ packet->id = request->packet->id;
packet->sockfd = fr_socket(&home->src_ipaddr, 0);
if (packet->sockfd < 0) {
REDEBUG("Failed opening socket: %s", fr_strerror());
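Review bot: `packet->id = request->packet->id;` now applies to every replicated code, not only to replies, so replicated requests lose the random id they had before. The id is only 8 bits and is reused across all clients, and the next context line opens a fresh socket with port 0, so a replicated request and its replicated reply presumably leave from different source ports. A receiver that pairs records for interception therefore cannot rely on id plus source port and needs an attribute-level key added in unlang. I would add a comment such as `/* Reuse the request id so a replicated reply pairs with its request; id alone is not unique across clients. */` and consider keeping `fr_rand() & 0xff` for request codes.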
@@ -191,11 +200,18 @@ static int replicate_packet(UNUSED void
*/
RDEBUG("Replicating list '%s' to Realm '%s'",
fr_int2str(pair_lists, list, "<INVALID>"),
realm->name);
- if (rad_send(packet, NULL, home->secret) < 0) {
+ if (rad_send(packet, request->packet, home->secret) < 0) {
REDEBUG("Failed replicating packet: %s", fr_strerror());
rcode = RLM_MODULE_FAIL;
goto done;
}
+ if (code == PW_CODE_ACCOUNTING_REQUEST) {
+ rcode = replicate_packet(instance, request, PAIR_LIST_REPLY,
PW_CODE_ACCOUNTING_RESPONSE);
+ if (rcode != RLM_MODULE_OK) {
+ goto done;
+ }
+
+ }
/*
* We've sent it to at least one destination.
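Review bot: The recursive `replicate_packet(instance, request, PAIR_LIST_REPLY, PW_CODE_ACCOUNTING_RESPONSE)` call sits directly after `rad_send()`, which appears to be inside the per-realm loop (the loop is outside the hunk). The inner call would walk the same realm list again, so with several replication targets each one may receive the response more than once. It also runs before the accounting section has finished, so the copy sent for interception can differ from, or exist without, the Accounting-Response the NAS actually receives. Every existing user of the module would start emitting an unsolicited response to their replication target. Consider moving the call after the loop and gating it behind a new module option that defaults to off, and drop the blank line before the closing brace.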
@@ -224,6 +240,11 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
return replicate_packet(instance, request, PAIR_LIST_REQUEST,
request->packet->code);
}
+static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST
*request)
+{
+ return replicate_packet(instance, request, PAIR_LIST_REPLY,
request->reply->code);
+}
+
static rlm_rcode_t CC_HINT(nonnull) mod_accounting(void *instance, REQUEST
*request)
{
return replicate_packet(instance, request, PAIR_LIST_REQUEST,
request->packet->code);
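Review bot: `mod_post_auth` has no comment describing what is copied, and the reply list it passes to `replicate_packet()` can hold keying attributes (for example MS-MPPE-Recv-Key or Tunnel-Password) that then leave the server for the replication target. I would add above the function `/* Replicates the reply list as it stands when this module runs in post-auth, including any keying attributes it holds. */` and state the same in the module documentation so operators decide which attributes the target may see. Attributes added to the reply after this module runs are not in the copy.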
@@ -264,6 +285,7 @@ module_t rlm_replicate = {
.type = RLM_TYPE_THREAD_SAFE,
.methods = {
[MOD_AUTHORIZE] = mod_authorize,
+ [MOD_POST_AUTH] = mod_post_auth,
[MOD_ACCOUNTING] = mod_accounting,
[MOD_PREACCT] = mod_preaccounting,
#ifdef WITH_PROXY
--
Greetings
Daniel Finger
EWE TEL GmbH
Cloppenburger Straße 310
26133 Oldenburg
E-Mail: info at ewe.de
Internet: www.ewe.de
Handelsregister Amtsgericht Oldenburg HRB 3723
Aufsichtsratsvorsitzender: Michael Heidkamp
Geschäftsführer: Norbert Westfal (Sprecher), Sebastian Jurczyk, Ludwig
Kohnen, Maximilian Oertle