LDAP attribute update for clients

Alan DeKok aland at deployingradius.com
Mon Feb 22 16:38:01 CET 2021


On Feb 22, 2021, at 9:24 AM, DEV <dev at dolphin-dev.com> wrote:
> Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?

  Update post-auth with an LDAP query.

> For users I can set this:
> https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad14059236673c2152ea4febf9181bab22248fb/django_cdstack_tpl_accessradius/templates/config-fs/static/etc/freeradius/mods-available/ldap#lines-57
> 
> Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.

  I'm not sure what you're asking here.

  The processing sections are run when the server receives a packet.  i.e. Access-Request gets processed through authorize, authenticate, post-auth.  There's no concept of "user" versus "client" here.  It's just a packet with src/dst IP, and various contents.

  So if you want to update LDAP when FreeRADIUS receives a packet, just write things in "authorize" to update LDAP.  It's not more complicated than that.  The main issue here is that LDAP is intended to be read-many, write-rarely.  So doing LDAP writes on every packet received will likely cause issues.

  But... if you want to see which clients are dead, see sites-available/control, and the "radmin" command.  You can ask the server about a particular client, and it will tell you when the server last received a packet from that client.

  Alan DeKok.



