freeradius

FreeRADIUS: Manually accept client authentication


I have a large, industrial Local Area Network that is relatively closed. Occasionally someone can plug their laptop into the network for troubleshooting or monitoring purposes. I'd like the ability for a logged-in administrator to accept the new connection via a user interface. Does FreeRADIUS offer the ability to defer authentication to some external system for 'just in time' authentication?


Solution

  • FreeRADIUS just queries databases - this sort of setup can certainly be built, but you will need something else to update a database so that FreeRADIUS knows what to do when the Access-Request arrives.

    If you really want to do it in "real time" then you could use rlm_rest, one of the Perl/Python modules, or even rlm_exec to delay the response while the situation is checked out. Note that the standard RADIUS timeout is not long, so you will likely find the authentication fails the first time if you are waiting on a human to click OK fast enough!

    The better option is probably for the first authentication to fail, but write information into a database to be manually reviewed. Then a second authentication can be permitted to succeed after someone has updated the database record in some way.
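The "fail first, record, approve, succeed on retry" flow from the answer above, written out as an rlm_python module. This is an added example, not code from the answer or from the FreeRADIUS project. It assumes the switch does MAC authentication bypass so the client's MAC arrives in Calling-Station-Id (falling back to User-Name), the rlm_python v3 calling convention (the request as a tuple of (attribute, value) pairs; a (rcode, reply items, control items) tuple back), a hypothetical SQLite file at /var/lib/freeradius/jit.sqlite shared with the admin UI, and, when run outside the server, a stand-alone `radiusd` stub whose return-code values are assumed to mirror the ones rlm_python exports. `approve()`, `deny()` and `list_pending()` are the functions the administrator's UI would call; the server only ever calls `authorize()`.

```python
"""Just-in-time client approval for FreeRADIUS via rlm_python (added example, not
from the original answer or the FreeRADIUS project). The first Access-Request from
an unknown client is rejected and recorded; an administrator calls approve(); the
client's next Access-Request is accepted until the approval expires."""
import sqlite3
import time

try:
    import radiusd  # provided by FreeRADIUS when loaded through rlm_python
except ImportError:
    class radiusd:  # stand-alone fallback; assumed to mirror rlm_python's rcode values
        RLM_MODULE_REJECT = 0
        RLM_MODULE_UPDATED = 8

DB_PATH = "/var/lib/freeradius/jit.sqlite"  # assumed path, shared with the admin UI

SCHEMA = """CREATE TABLE IF NOT EXISTS jit_clients (
    client_id TEXT PRIMARY KEY, nas_ip TEXT,
    first_seen INTEGER NOT NULL, last_seen INTEGER NOT NULL,
    attempts INTEGER NOT NULL DEFAULT 1,
    status TEXT NOT NULL CHECK (status IN ('pending', 'approved', 'denied')),
    approved_by TEXT, expires_at INTEGER)"""


def open_db(path=DB_PATH):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def normalize_id(raw):
    """Fold aa:bb:.., AA-BB-.. and aabb.ccdd.eeff MAC spellings to one key."""
    s = raw.strip().lower()
    hexonly = s.replace(":", "").replace("-", "").replace(".", "")
    if len(hexonly) == 12 and all(c in "0123456789abcdef" for c in hexonly):
        return hexonly
    return s


def decide(conn, client_id, nas_ip, now):
    """Record the attempt; return 'pending', 'approved', 'expired' or 'denied'."""
    row = conn.execute("SELECT status, expires_at FROM jit_clients WHERE client_id = ?",
                       (client_id,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO jit_clients (client_id, nas_ip, first_seen, last_seen,"
                     " status) VALUES (?, ?, ?, ?, 'pending')", (client_id, nas_ip, now, now))
        conn.commit()
        return "pending"
    status, expires_at = row
    conn.execute("UPDATE jit_clients SET last_seen = ?, attempts = attempts + 1, nas_ip = ?"
                 " WHERE client_id = ?", (now, nas_ip, client_id))
    if status == "approved" and expires_at is not None and now >= expires_at:
        # Approval lapsed: back to the review queue instead of accepting forever.
        conn.execute("UPDATE jit_clients SET status = 'pending', approved_by = NULL,"
                     " expires_at = NULL WHERE client_id = ?", (client_id,))
        status = "expired"
    conn.commit()
    return status


def approve(conn, client_id, approver, ttl_seconds, now):
    """Admin action. Only a pending record can be approved, so a denied client is
    never let in by a stray click; records who approved it and when it ends."""
    cur = conn.execute("UPDATE jit_clients SET status = 'approved', approved_by = ?,"
                       " expires_at = ? WHERE client_id = ? AND status = 'pending'",
                       (approver, now + ttl_seconds, client_id))
    conn.commit()
    return cur.rowcount == 1


def deny(conn, client_id, approver):
    cur = conn.execute("UPDATE jit_clients SET status = 'denied', approved_by = ?,"
                       " expires_at = NULL WHERE client_id = ?", (approver, client_id))
    conn.commit()
    return cur.rowcount == 1


def list_pending(conn):
    return [r[0] for r in conn.execute("SELECT client_id FROM jit_clients"
                                       " WHERE status = 'pending' ORDER BY first_seen")]


def attr(pairs, name):
    """rlm_python passes the request as a tuple of (attribute, value) string pairs."""
    for k, v in pairs:
        if k == name:
            return v
    return None


def authorize(p, db_path=DB_PATH):
    """Called from the server's authorize section; returns the
    (rcode, reply items, control items) tuple rlm_python accepts."""
    client_id = attr(p, "Calling-Station-Id") or attr(p, "User-Name")
    if not client_id:
        return radiusd.RLM_MODULE_REJECT
    conn = open_db(db_path)
    try:
        verdict = decide(conn, normalize_id(client_id),
                         attr(p, "NAS-IP-Address") or "unknown", int(time.time()))
    finally:
        conn.close()
    if verdict == "approved":
        # Auth-Type := Accept in the control list lets the request succeed with no
        # password check: this is MAC-based gating, not device authentication.
        return (radiusd.RLM_MODULE_UPDATED, (("Reply-Message", "jit: approved"),),
                (("Auth-Type", "Accept"),))
    return (radiusd.RLM_MODULE_REJECT,
            (("Reply-Message", "jit: %s, ask an administrator" % verdict),), ())
```

Wire it in by listing the python module instance in the `authorize` section of the virtual server; the first request is rejected immediately, so the RADIUS timeout problem from the first approach never arises, and the laptop simply retries once the administrator has approved the record. Two caveats a practitioner should keep in mind: a MAC address is asserted by the client and trivially spoofed, so approval should be confirmed out of band (the person is standing at the switch port the record's NAS-IP-Address points to) and given a short TTL; and the UI that calls `approve()` is now part of the network's trust boundary and needs its own authentication and audit trail.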