FreeRADIUS is a modular, high performance free RADIUS suite developed and distributed under the GNU General Public License, version 2, and is free for download and use. The FreeRADIUS Suite includes a RADIUS server, a BSD-licensed RADIUS client library, a PAM library, an Apache module, and numerous additional RADIUS related utilities and development libraries. This is the description in Wikipedia.
FreeRADIUS supports a simple processing language in its configuration files. We call it an "un-language" (unlang) because the intention is NOT to create yet another programming language. The goal of the language is to allow simple policies to be written with minimal effort. Those policies are then applied when a request is being processed. Requests are processed through virtual servers (including the default one), in the sections titled "authorize", "authenticate", "post-auth", "preacct", "accounting", "pre-proxy", "post-proxy", and "session".
FreeRADIUS can be used to update the AVPs and proxy them to another server. To do this we need to modify some files: /etc/raddb/proxy.conf and /etc/raddb/sites-enabled/default
proxy.conf
It
is possible to use FreeRADIUS as a proxy RADIUS server. This means that it can
consult a remote RADIUS server to validate a user. This is handy for roaming
setups, or for renting ports to someone else. In this file, we add servers and realms that use these servers. The server is the server which the radius requests will be proxied.
First define the server:
home_server test.awesome.com {
type = acct
ipaddr = 10.20.30.40
port = 1813
secret = awesome
no_response_fail = no
}
Then add the realm to use this server.
realm AWESOME {
accthost = test.awesome.com
}
First define the server:
home_server test.awesome.com {
type = acct
ipaddr = 10.20.30.40
port = 1813
secret = awesome
no_response_fail = no
}
Then add the realm to use this server.
realm AWESOME {
accthost = test.awesome.com
}
We will use this realm when proxying the requests.
sites-enabled/default
This file is modified in order to update the requests in pre-accounting or accounting phase. The update process can be done by updating an AVP or adding a new AVP. The unlang syntax can be found in the FreeRADIUS web site. For demonstration purposes, we will update the NAS-Identifier field. We will put the following lines under accouting section of this file. Suppose that the RADIUS is from the mobile operator and if the APN is internet or internet2 we want to change the NAS-Identifier to AWESOME.
if (Acct-Status-Type == 1) {
update request {
NAS-Identifier := AWESOME
}
}
if (Called-Station-Id == "internet" || Called-Station-Id == "internet2") {
update control {
Proxy-To-Realm := AWESOME
}
}
if (Acct-Status-Type == 1) {
update request {
NAS-Identifier := AWESOME
}
}
if (Called-Station-Id == "internet" || Called-Station-Id == "internet2") {
update control {
Proxy-To-Realm := AWESOME
}
}
By doing these configurations, you will be able to update the RADIUS packet and proxy it to another RADIUS server.
References:
1- http://wikipedia.org
2- http://freeradius.org
References:
1- http://wikipedia.org
2- http://freeradius.org