External trigger for CoA

Vadim Cargatser (vcargats) vcargats at cisco.com
Mon Sep 14 15:24:37 CEST 2020


Thank you, Alan!

On 9/14/20, 4:06 PM, "Alan DeKok" <aland at deployingradius.com> wrote:

    On Sep 14, 2020, at 8:58 AM, Vadim Cargatser (vcargats) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
    > We'd like to trigger a CoA based on an external event. Is this possible?

      Not really.

    > There was a mail thread back in 2010 I was just wondering if something has been changed so far:
    > http://freeradius.1045715.n5.nabble.com/Freeradius-COA-trigger-td3204376.html

      FreeRADIUS isn't a web server, so it doesn't know that the admin clicked on something in a web UI.  The only way to do this is via RADIUS.

    > I know the basic approach is to use radclient for that scenario. Unfortunately, radclient does not support TLS/RADSEC which is critical for us.
    > 
    > In case this is not currently possible, can we just implement that? Say to allow getting external events for example from RabbitMQ?

      FreeRADIUS doesn't listen for events from RabbitMQ.  That's hard to add.  (Though in v4 it's likely a lot easier)

      The solution here is to use v3.0.x from GitHub, because earlier versions don't support CoA over TLS (oops).  Then, use radclient to send packets to FreeRADIUS.

      FreeRADIUS can receive the packets from radclient, and then forward them over TLS to another server.  See sites-available/coa-relay for an example.  You just have to define a home_server which uses TLS for CoA.

      Note that the server can only send CoA packets over connections to home servers.  i.e. connections where FreeRADIUS creates the outbound connection.

      CoA packets *cannot* be sent in the "reverse" path over TLS connections which the client made to FreeRADIUS.  There is no standard for how this should work.  I have patches, but they need testing.

      Alan DeKok.
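The relay Alan describes (plaintext CoA from radclient into a local listener, forwarded over an outbound TLS connection to a CoA-capable home server) as one concrete configuration. This is an added example, not a file from the thread or from the FreeRADIUS project: the stanza shapes follow raddb/sites-available/coa-relay and the TLS home_server in raddb/sites-available/tls, but the names (coa-tls-relay, nas-radsec, coa-radsec), the downstream address 192.0.2.10, the certificate paths and the secrets are assumptions to replace with your own, and option and attribute names should be checked against the raddb shipped with the 3.0.x build you install from GitHub.

```conf
#  Added example: relay plaintext CoA from radclient over RadSec (CoA over TLS).
#  Drop into raddb/sites-enabled/ next to the defaults.  Every name, address,
#  port, secret and path below is an assumption, not a value from the thread.

#  1. Local CoA listener that radclient talks to.  radclient only speaks UDP
#     in the clear, so bind this to loopback and let it go no further.
#     The sender must also be a known client; the default "localhost" entry
#     in clients.conf (127.0.0.1 / testing123) already covers this.
listen {
	type = coa
	ipaddr = 127.0.0.1
	port = 3799                  # RFC 5176 default CoA/Disconnect port
	virtual_server = coa-tls-relay
}

#  2. Outbound TLS home server.  FreeRADIUS opens this connection itself,
#     which is the only direction CoA over TLS works in (per Alan above).
home_server nas-radsec {
	type = coa
	ipaddr = 192.0.2.10          # assumption: RadSec-capable NAS / downstream server
	port = 2083                  # RFC 6614 RadSec port
	proto = tcp
	secret = radsec              # RFC 6614 fixed shared secret for RadSec
	status_check = none

	tls {
		private_key_file = ${certdir}/client.pem   # assumption: unencrypted client key
		certificate_file = ${certdir}/client.pem
		ca_file = ${cadir}/ca.pem                  # CA that signed the peer's cert
		check_crl = no
	}
}

home_server_pool coa-radsec-pool {
	type = fail-over
	home_server = nas-radsec
}

#  Realms carry a separate coa_server pool for CoA traffic.
realm coa-radsec {
	coa_server = coa-radsec-pool
}

#  3. Everything received on the local CoA port is proxied to that realm.
server coa-tls-relay {
	recv-coa {
		update control {
			Proxy-To-Realm := "coa-radsec"
		}
		ok
	}
}

#  Constructed trigger from the same host (attributes are a sample, not a
#  real session):
#    echo "User-Name = bob, Acct-Session-Id = 0001" | radclient -x 127.0.0.1:3799 coa testing123
```

With this in place the external system that knows about the event (web UI, queue consumer, cron job) only needs to run radclient against 127.0.0.1:3799; FreeRADIUS does the TLS leg. Keep the plaintext listener on loopback and treat the localhost client secret as a local credential, since anyone who can reach that port can disconnect or re-authorize sessions.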