[EXT] RE: Add client IP address to log messages
Brian Julin
BJulin at clarku.edu
Tue Nov 23 18:01:43 CET 2021
Drew Weaver <drew.weaver at thenap.com> wrote:
> Also it appears that our documentation was wrong anyway. We are using duo 2fa so I believe duo is proxying radius requests and it must not be forwarding the information to radiusd.
> Sorry for the noise/spam.
That would explain it.
Duo does have a nice REST API you can use for authentications instead of their crummy RADIUS relay, but it's a roll-your-own solution requiring a lot of coding/testing.
Also, if you aren't sure you are sticking with Duo, not a good idea since many of the other providers do not provide an easy REST API.
You could probably find some way to tie customized logging from duoauthproxy to the pap messages but yes, the way 2FA providers just casually injects unnecessary low-feature-set relays into AAA setups makes things hard.
More information about the Freeradius-Users
mailing list