Adding ldap group information to accounting-request

Harry Halman harry.halman at err.ee
Fri Nov 12 10:41:15 CET 2021


Hello,

I have a question: what is the most effective way to update the Accounting-Request and populate it with Class (LDAP group membership) information?

A bit of description before getting to the actual question:

An end-user device (PC / iOS / Android, you name it) does an EAP-PEAP + MSCHAPv2 auth. It could be WLAN or LAN.
FR does the ntlm_auth (in the mschap module), and the ldap module also goes and asks LDAP which groups that user is in.
In the default site, in the post-auth section, I'm updating the reply and end up having the following in the Response packet.

...
> Class = 0x6f7f68f6f8f67
> Class = 0x6f7f1340080f789f790f8
…

It works. All the NAS devices are happy, they see the group info and proceed on their own.

Now the actual issue.
All my NAS devices are being asked to do accounting, and the reason for that is that the firewall needs this to apply on-the-fly L3 and UTM rules.
I'm using the replicate module in FR to forward all Accounting-Request packets to multiple firewalls across the organisation.

In order for this to work, the Accounting-Request (start / interim / stop) must include the following:
User-Name
Framed-IP-Address
Class (group info)

The first two come from the NAS naturally, but I can't find a good way to populate Class in the accounting section.
If I'm not mistaken, the ldap module is not designed to fetch group information in the accounting section, other than to "write something back to LDAP".
With some help I managed to call out to an external script that does an ldapsearch and returns a series of Class = value pairs, but is this the only and most effective way?

FTR: vendors Fortigate & Juniper

--
Harry
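
The "external script that does an ldapsearch and returns a series of Class = value pairs" is described above but not shown. The script below is an added example of that approach, written for this page; it is not the poster's script and not part of FreeRADIUS. It is meant to be run by rlm_exec from the accounting section (assumed wiring: `program = "/usr/local/bin/class_from_ldap.py %{User-Name}"`, `wait = yes`, `output_pairs = request`), so that the printed pairs are added to the Accounting-Request before the replicate module forwards it. The ldapsearch command line, `LDAP_URI`, `BASE_DN`, the `sAMAccountName`/`memberOf` attribute names and the `--demo` switch are assumptions to be adapted; `SAMPLE_LDIF` is constructed sample ldapsearch output so the script can be exercised offline. Two things it handles that an ad-hoc `grep memberOf | cut` pipeline does not: LDIF folds long DNs onto continuation lines and base64-encodes values containing non-ASCII characters, and the User-Name comes straight from the NAS, so it is escaped before being placed in the LDAP filter.

```python
#!/usr/bin/env python3
"""Print one "Class = 0x..." line per LDAP group of the given user, in the
"Attribute = value" format rlm_exec parses from stdout when output_pairs is set.

Added example, not from the original post or from FreeRADIUS. LDAP_URI,
BASE_DN, the attribute names and the ldapsearch command line are assumptions;
SAMPLE_LDIF is constructed sample output used for the offline --demo run.
"""
from __future__ import annotations

import base64
import os
import subprocess
import sys

MAX_VALUE_LEN = 253                     # bytes of value a single RADIUS attribute carries (RFC 2865)
LDAP_URI = "ldaps://ldap.example.org"   # assumption
BASE_DN = "dc=example,dc=org"           # assumption
GROUP_ATTR = "memberOf"                 # assumption (AD-style membership attribute)


def strip_user_name(raw: str) -> str:
    """Reduce DOMAIN\\user or user@realm, as a NAS may send it, to the bare account name."""
    name = raw.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    User-Name arrives unauthenticated from the NAS in accounting packets; without
    escaping, a name like "*)(objectClass=*" would rewrite the filter.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldif_values(ldif: str, attr: str) -> list[str]:
    """Collect every value of `attr` (case-insensitive) from LDIF text.

    Unfolds continuation lines (leading space) and decodes base64 values
    ("attr:: ..."), which ldapsearch emits for values with non-ASCII characters.
    """
    unfolded: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    values: list[str] = []
    for line in unfolded:
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if name.lower() != attr.lower():
            continue
        if rest.startswith(": "):                       # "attr:: <base64>"
            values.append(base64.b64decode(rest[2:]).decode("utf-8"))
        elif rest.startswith(" "):                      # "attr: <value>"
            values.append(rest[1:])
    return values


def class_pairs(groups: list[str]) -> list[str]:
    """Turn group DNs into "Class = 0x<hex>" lines for rlm_exec.

    The octets (hex) form avoids quoting commas, spaces and '=' in DNs. A DN that
    does not fit in one attribute is dropped with a warning instead of truncated,
    since a truncated DN could match a different group on the firewall.
    """
    lines: list[str] = []
    seen: set[str] = set()
    for dn in groups:
        if dn in seen:
            continue
        seen.add(dn)
        raw = dn.encode("utf-8")
        if len(raw) > MAX_VALUE_LEN:
            print(f"skipping over-long group value: {dn!r}", file=sys.stderr)
            continue
        lines.append("Class = 0x" + raw.hex())
    return lines


def lookup_groups(user_name: str) -> list[str]:
    """Run ldapsearch for the account and return its group DNs (bind options omitted; assumption)."""
    filt = f"(sAMAccountName={ldap_filter_escape(strip_user_name(user_name))})"
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN, filt, GROUP_ATTR]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return ldif_values(out, GROUP_ATTR)


_NON_ASCII_GROUP = "CN=umlaut-ä,OU=Groups,DC=example,DC=org"
SAMPLE_LDIF = (                                         # constructed sample ldapsearch output
    "dn: CN=Jane Doe,OU=Users,DC=example,DC=org\n"
    "memberOf: CN=wlan-staff,OU=Groups,DC=example,DC=org\n"
    "memberOf: CN=vpn-admins,OU=Groups,\n"
    " DC=example,DC=org\n"                              # folded continuation line
    "memberOf:: " + base64.b64encode(_NON_ASCII_GROUP.encode("utf-8")).decode("ascii") + "\n"
    "memberOf: CN=wlan-staff,OU=Groups,DC=example,DC=org\n"   # duplicate, de-duplicated below
)

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        groups = ldif_values(SAMPLE_LDIF, GROUP_ATTR)   # offline run on the constructed LDIF
    else:
        # rlm_exec passes %{User-Name} as argv[1]; with input_pairs = request it is
        # also exported as the USER_NAME environment variable.
        user = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("USER_NAME", "")
        if not user:
            sys.exit(2)                                 # exit 2 maps to "fail" in rlm_exec
        groups = lookup_groups(user)
    sys.stdout.write("".join(line + "\n" for line in class_pairs(groups)))
```

Running `class_from_ldap.py --demo` prints three Class lines (the duplicate group is collapsed), which is what rlm_exec would add to the request list. Note that with `wait = yes` every Accounting-Request blocks on a fork plus an LDAP round trip, so on a busy server this belongs behind a short `timeout` and, if possible, a cache in front of the lookup.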


More information about the Freeradius-Users mailing list