Logging Specific Radius Requests
FreeRADIUS can execute arbitrary programs when an authorization or authentication request arrives from a NAS, by using the exec module; that is what I've implemented to solve my dilemma.
exec jxrad {
    wait = yes
    program = "/etc/raddb/bin/jxrad %{Stripped-User-Name}"
    input_pairs = request config
}
Placing this definition in the modules section, and invoking the resulting jxrad module in the instantiate and authorize sections, ensures that my program is invoked when an authorization request arrives.
What does that program do? It retrieves the user's password from $USER_PASSWORD and performs an LDAP bind operation in order to see if the supplied credentials are correct (this won't work for CHAP). Irrespective of whether the bind succeeds or not, the outcome, together with a timestamp and the username, is recorded in a MySQL database table.
I realize a second round-trip to the LDAP server is needed for this, but it doesn't matter as we have enough computing power to handle that.
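The check-and-log step described above, as an added example in Python; it is not the jxrad program from this post. Assumptions: sqlite3 stands in for the MySQL connection, the `bind` callable stands in for the LDAP bind, and the `auth_log` table and all function names are hypothetical.

```python
import os
import sqlite3
import sys
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS auth_log (
    ts INTEGER NOT NULL, username TEXT NOT NULL, bind_ok INTEGER NOT NULL)"""


def unquote(value):
    # Assumption: some FreeRADIUS versions wrap string attributes in
    # double quotes when exporting them to the environment.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def check_and_log(db, username, env, bind, now=None):
    """Try the bind, record (timestamp, username, outcome); never the password."""
    password = unquote(env.get("USER_PASSWORD", ""))
    # An empty password must not reach the directory: many LDAP servers
    # treat a simple bind with an empty password as an unauthenticated
    # bind and report success. A CHAP request carries no User-Password,
    # so it also lands here and is logged as a failure.
    ok = False
    if username and password:
        try:
            ok = bool(bind(username, password))
        except Exception:
            ok = False  # directory unreachable: log as failed, don't crash
    db.execute(SCHEMA)
    # Parameterised insert: the username comes straight from the request.
    db.execute("INSERT INTO auth_log (ts, username, bind_ok) VALUES (?, ?, ?)",
               (int(now if now is not None else time.time()), username, int(ok)))
    db.commit()
    return ok


def demo_bind(username, password):
    # Constructed stand-in for the LDAP bind: knows one made-up account and,
    # like a permissive directory, reports success for an empty password.
    return password == "" or (username, password) == ("alice", "s3cret")


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL connection
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    check_and_log(conn, user, os.environ, demo_bind)
    sys.exit(0)  # logging hook only: report success whatever the bind result
```

With wait = yes the exec module acts on the program's exit status, which is why the hook exits 0 regardless of the bind result.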