Handling user based on an attribute in a dynamic manner

Nathan Ward lists+freeradius at daork.net
Sat Feb 10 11:26:49 CET 2018


Hi,

I’m working on a solution where I need to auth differently, and return different attributes based on a user’s access type. I can see the interface that a user has arrived on, and from that look up the access type. We have maybe 100 different interfaces which can change a bit, divided into 3 or 4 different access types. Once I know the access type, I can choose which of the other attributes I use to authenticate the user. We run 3.0.16 (or will by the time this is deployed).

I’m trying to figure out a good way to map those 100 interfaces to access types, without a change meaning a restart.

We run LDAP right now, we don’t have SQL servers running on our front end servers, and I’d rather avoid it.

Right now, I’m considering SQLite, but I’m not certain how it would handle:
1) A 3rd party process opening the db file to write periodically - I see posts about only one writer, and that’s fine, I only want one writer, but I want to write from a different application. Is that OK?
2) Changes to the file, would they require a restart - I presume the DB file is not cached in memory in FreeRADIUS somehow, but that’s just a guess.

Our auth load is quite manageable, so, if a request blocked for a second or two while the write was happening that would be OK - but errors/false negatives would be bad.

Can anyone help with these before I go spending a bunch of time testing?

Any other solutions I should consider? A server restart is always an option, but, I’d rather avoid it if possible.

--
Nathan Ward
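
An added example, not part of the original post and not FreeRADIUS code: it shows how plain SQLite behaves for the two questions above, with a separate writer swapping the interface map in one transaction while a reader with a busy timeout keeps using its already-open connection. The table, interface and access-type names are hypothetical, two connections stand in for the two processes, and it says nothing about how the FreeRADIUS SQLite driver manages its own connections.

```python
import os
import sqlite3
import tempfile

# Hypothetical schema, constructed for this example.
SCHEMA = ("CREATE TABLE IF NOT EXISTS iface_map "
          "(iface TEXT PRIMARY KEY, access_type TEXT NOT NULL)")


def connect(path):
    # timeout=5.0 is SQLite's busy timeout: on a lock collision the call
    # waits up to 5 s instead of failing at once with "database is locked".
    # isolation_level=None: no implicit transactions, BEGIN/COMMIT are explicit.
    return sqlite3.connect(path, timeout=5.0, isolation_level=None)


def replace_map(conn, mapping, commit=True):
    """Writer side: replace the whole map inside a single transaction."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock up front
    try:
        conn.execute("DELETE FROM iface_map")
        conn.executemany("INSERT INTO iface_map VALUES (?, ?)", mapping.items())
        if commit:
            conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise


def lookup(conn, iface):
    """Reader side: fetchall() finishes the statement, releasing the read lock."""
    rows = conn.execute(
        "SELECT access_type FROM iface_map WHERE iface = ?", (iface,)
    ).fetchall()
    return rows[0][0] if rows else None


def demo():
    path = os.path.join(tempfile.mkdtemp(), "ifaces.db")
    writer, reader = connect(path), connect(path)
    writer.execute(SCHEMA)
    replace_map(writer, {"ge-0/0/1": "dsl", "ge-0/0/2": "fibre"})
    before = lookup(reader, "ge-0/0/1")
    # Writer has deleted and re-inserted rows but has not committed yet.
    replace_map(writer, {"ge-0/0/1": "wireless"}, commit=False)
    during = (lookup(reader, "ge-0/0/1"), lookup(reader, "ge-0/0/2"))
    writer.execute("COMMIT")
    # Same reader connection, no reopen: the committed map is visible.
    after = (lookup(reader, "ge-0/0/1"), lookup(reader, "ge-0/0/2"))
    writer.close()
    reader.close()
    return before, during, after
```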



