Freeradius

From neil.tappsville.com

https://freeradius.org/

Replicate / Forward Records

Fire and forget (no socket is opened up to wait for a response from the downstream server)

  • Frontend --> downstream-replicate-realm
  • downstream-replicate-realm --> downstream-replicate-pool
  • downstream-replicate-pool --> downstream-replicate homeserver

sites-available/frontend.conf

server frontend {
...
  preacct {
    update control {
        Replicate-To-Realm := "downstream-replicate-realm"
    }
    replicate
...

sites-available/downstream-replicate.conf

home_server downstream-replicate {
  type = acct
  ipaddr = 192.168.1.1
  port = 1813
  secret = "secret"
}

home_server_pool downstream-replicate-pool {
  type = load-balance
  home_server = downstream-replicate
}

realm downstream-replicate-realm {
  acct_pool = downstream-replicate-pool
}

Proxy Records via a file buffer to a downstream radius server

This will not block the FreeRADIUS frontend server, and it expects the downstream RADIUS server to reply once the record has been received.

  • Frontend writes to --> local-spool-detail
  • local-relay reads from local-spool-detail
  • server local-relay --> downstream-relay-realm
  • downstream-relay-realm --> downstream-relay-pool
  • downstream-relay-pool --> downstream-relay homeserver


sites-available/frontend.conf

server frontend {
...
  preacct {
    local-spool-detail
...


mods-available/local-spool-detail

detail local-spool-detail {
  filename = ${radacctdir}/local-spool-detail/detail-%Y%m%d:%H:%G

  # Lock the file, as this is being read in.
  locking = yes
}


sites-available/downstream-relay.conf

home_server downstream-relay {
  type = acct
  ipaddr = 192.168.1.1
  port = 1813
  secret = "secret"
  status_check = request
  username = "test_user_status_check"
  response_window = 6
}

home_server_pool downstream-relay-pool {
  type = load-balance
  home_server = downstream-relay
  virtual_server = local-relay
}
realm downstream-relay-realm {
  acct_pool = downstream-relay-pool
}

# This server reads accounting packets from the spool files and pushes them to the downstream-relay-realm realm.
server local-relay {
  pre-proxy {
  }

  post-proxy {
  }

  listen {
    type = detail
    filename = "${radacctdir}/local-spool-detail/detail-*:*"
    load_factor = 30
    track = yes
  }

  preacct {
  }

  accounting {
    update control {
      Proxy-To-Realm := "downstream-relay-realm"
    }
  }
}
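
A backlog check for the spool directory used above, added here as an example (it is not part of the original page or of FreeRADIUS). It parses files matching the listener's `detail-*:*` pattern, counts records, reports the age of the oldest `Timestamp`, and flags files accessible to group or others, since accounting records carry subscriber data. It assumes the detail module's default text layout (unindented header line, tab-indented `Attribute = value` lines, blank line between records); `parse_detail` and `spool_report` are hypothetical names.

```python
import glob, os, stat, tempfile, time

# Constructed sample records, not captured from a real server.
SAMPLE = (
    'Mon Jan  1 00:00:00 2024\n\tUser-Name = "alice"\n\tAcct-Status-Type = Start\n\tTimestamp = 1704067200\n\n'
    'Mon Jan  1 00:01:00 2024\n\tUser-Name = "bob"\n\tAcct-Status-Type = Stop\n\tTimestamp = 1704067260\n\n'
)

def parse_detail(text):
    """Split detail-file text into records (dict of attribute -> value)."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip() or not line[0].isspace():
            # A blank line or a new unindented header closes the open record.
            if current is not None:
                records.append(current)
            current = {"_header": line.strip()} if line.strip() else None
        elif current is not None and " = " in line:
            name, value = line.strip().split(" = ", 1)
            current[name] = value.strip('"')
    if current is not None:                # file ended without a blank line
        records.append(current)
    return records

def spool_report(spool_dir, now=None, pattern="detail-*:*"):
    """Summarise backlog and file permissions for spooled detail files."""
    now = int(time.time() if now is None else now)
    report = {"files": 0, "records": 0, "oldest_age": 0, "loose_perms": []}
    for path in sorted(glob.glob(os.path.join(spool_dir, pattern))):
        report["files"] += 1
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:   # group/other bits set
            report["loose_perms"].append(os.path.basename(path))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for rec in parse_detail(fh.read()):
                report["records"] += 1
                ts = rec.get("Timestamp", "")
                if ts.isdigit():           # seconds since the record was written
                    report["oldest_age"] = max(report["oldest_age"], now - int(ts))
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "detail-20240101:00:00")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o640)
        print(spool_report(d, now=1704067500))
```

A steadily growing `oldest_age` means the downstream server is not acknowledging records and the spool is filling up.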


Send COA

Change a Juniper subscriber's CoS policy rate. You need to know the secret of every BNG:

echo 'Acct-Session-Id="8481644", ERX-CoS-Shaping-Pmt-Type="T02 215m"' | radclient -d /etc/raddb -sx BNG_IP_ADDRESS coa -S "FILE_WITH_SECRET"

Or, if you have a CoA proxy (you only need to know the secret of the local FreeRADIUS server, as it proxies the CoA and re-does the secret for the BNG):

echo 'Acct-Session-Id="8481644", ERX-CoS-Shaping-Pmt-Type="T02 215m", PrivateCustom-CoA-NAS="BNG_IP_ADDRESS"' | radclient -d /etc/raddb -sx 127.0.0.1 coa -S "FILE_WITH_LOCALHOST_SECRET"