checkrad alternative

Alan DeKok aland at deployingradius.com
Sat Oct 28 16:27:20 UTC 2023


On Oct 27, 2023, at 6:17 PM, Igor Smitran <sigor at blic.net> wrote:
> It seems that there is a possibility to use COA to check if session is live on NAS:

  That might work?  If you send a CoA which doesn't change anything, you might get an ACK.  If you send a CoA for a session which doesn't exist, you'll get a NAK.

  But it's not a common way to check user sessions, so it may or may not work, depending on the NAS.

> I hope I will succeed. In case that someone has something to add or share please do.
> 
> I am expecting problems with parsing of reply messages from NAS and deciding what to do next, if I use only unlang for parsing.
> 
> Some rough example:
> 
> if (there is session with null stop time) {
>     update coa {
>         send session id
>     }
> }
>
> if (reply:packet-type COA) {
>     if (Cisco-Command-Code) {
>         reject
>     }

  See raddb/sites-available/originate-coa

  That's an example virtual server of how to handle CoA packets like this.

  *But*, you can't wait for the CoA reply, and then reject the original Access-Request.  Version 3 just won't do this.

  The hack in v3 is to just run the exec module, and exec radclient.  It's ugly, but it's likely to work.

  Alan DeKok.
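
The exec-plus-radclient approach mentioned above, sketched as an added example that is not part of the original message or of FreeRADIUS: a script the exec module could call to send a no-op CoA and classify the answer. The function names, the sample output lines and the reliance on the NAS returning Error-Cause = Session-Context-Not-Found for a missing session are assumptions; as the message notes, NAS behaviour varies.

```shell
#!/bin/sh
# Added example, not FreeRADIUS code. Hypothetical names: classify_coa_reply, probe_session.

# Constructed samples in the shape radclient -x prints (documentation IP addresses).
SAMPLE_ACK='Sent CoA-Request Id 12 from 0.0.0.0:40000 to 192.0.2.1:3799 length 30
Received CoA-ACK Id 12 from 192.0.2.1:3799 to 0.0.0.0:40000 length 20'
SAMPLE_NAK_GONE='Received CoA-NAK Id 13 from 192.0.2.1:3799 to 0.0.0.0:40000 length 26
	Error-Cause = Session-Context-Not-Found'
SAMPLE_NAK_OTHER='Received CoA-NAK Id 14 from 192.0.2.1:3799 to 0.0.0.0:40000 length 26
	Error-Cause = Unsupported-Attribute'
SAMPLE_TIMEOUT='(0) No reply from server for ID 15 socket 3'

# Read radclient output on stdin; print live, gone or unknown.
classify_coa_reply() {
    out=$(cat)
    case "$out" in
        *"Received CoA-ACK"*) echo live ;;
        *"Received CoA-NAK"*)
            # Only a NAK that says the session is missing proves it is gone;
            # any other Error-Cause means the NAS refused the probe itself.
            case "$out" in
                *"Error-Cause = Session-Context-Not-Found"*) echo gone ;;
                *) echo unknown ;;
            esac ;;
        *) echo unknown ;;   # timeout or unrecognised output
    esac
}

# probe_session NAS_IP SECRET_FILE ACCT_SESSION_ID
probe_session() {
    # Refuse ids that could inject extra attributes into radclient's input.
    # The allowed character set is an assumption; widen it to match your NAS.
    case "$3" in
        ''|*[!A-Za-z0-9._:-]*) echo unknown; return 2 ;;
    esac
    # -S reads the shared secret from a file so it is not visible in the process list.
    printf 'Acct-Session-Id = "%s"\n' "$3" |
        radclient -x -t 2 -r 1 -S "$2" "$1:3799" coa 2>&1 | classify_coa_reply
}
```

Treat `unknown` as a separate policy decision rather than folding it into either answer: a NAS that is down or that ignores the probe says nothing about whether the session exists.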
