FreeRADIUS - Requests

FreeRADIUS is a widely used open-source RADIUS server that handles requests from network devices such as Wi-Fi access points, VPNs, or network switches. A request is any authentication, authorization, or accounting operation that FreeRADIUS processes. This document provides an in-depth exploration of FreeRADIUS request processing, covering the types of requests, handling mechanisms, and configuration examples.

FreeRADIUS handles different types of requests based on the authentication method used. These types include:

• **Authentication Requests**: These requests verify the identity of users or devices.
• **Authorization Requests**: After authentication, these requests determine if the user or device is authorized to access the network.
• **Accounting Requests**: These requests record data about user or device activity, such as session duration or data usage.
• **Proxy Requests**: These are forwarded requests to another RADIUS server for processing.
• **CoA (Change of Authorization) Requests**: These requests are used to change the authorization of an active session.

Each request type follows a specific flow of operations within FreeRADIUS.

When FreeRADIUS receives a request from a client (NAS or network access server), it goes through the following stages:

• **Pre-Authentication**: FreeRADIUS checks if the incoming request should be accepted or rejected before any authentication takes place. This includes checks for known IP addresses, authentication method types, and so on.
• **Authentication**: FreeRADIUS verifies the identity of the user or device by checking the credentials in the backend (e.g., SQL database, LDAP, etc.).
• **Authorization**: Once authenticated, FreeRADIUS checks the user’s permissions to determine what services they are allowed to access.
• **Accounting**: FreeRADIUS logs relevant session information to a backend (e.g., PostgreSQL, MySQL) for billing or session tracking.
• **Post-Processing**: Additional checks or modifications can be applied to the request after the core processing stages.

Each stage can be customized via FreeRADIUS configuration files.

Authentication requests come in the form of a RADIUS Access-Request packet, typically containing the following information:

• **User-Name**: The username of the user trying to authenticate.
• **User-Password**: The password for the user.
• **NAS-IP-Address**: The IP address of the NAS device.
• **NAS-Port**: The port number on the NAS that the request came from.

Example of handling an authentication request:

# Example of handling an authentication request in the `default` configuration
authorize {
    # Check user credentials in the SQL database
    sql
    # Additional checks, e.g., check for temporary block
    files
}
authenticate {
    # Process user authentication with the PAP method
    pap
}

In this example, FreeRADIUS checks the credentials of the user against a SQL database and applies additional checks (e.g., checking files for authorization settings). The authentication method used in this case is PAP (Password Authentication Protocol).

Once authentication is successful, FreeRADIUS processes authorization requests, which define what resources the authenticated user can access. Authorization can be enforced by checking the user's group membership, attributes, or other properties.

Example of handling an authorization request:

# Example of handling an authorization request in the `default` configuration
authorize {
    # Check user attributes from the database
    sql
    # Assign VLAN based on group membership
    files
}

In this example, FreeRADIUS checks the SQL database for additional attributes that dictate the level of access (e.g., VLAN assignments). It can also load static files to check predefined rules.

Accounting requests track user activity and session information. These requests usually come in the form of Access-Request or Accounting-Request packets that include information such as session start, stop, and interim updates.

Example of handling an accounting request:

# Example of handling an accounting request in the `default` configuration
accounting {
    # Log accounting information to the SQL database
    sql
}

The `sql` module is used to log session information (e.g., session start, session stop, data usage) to a backend database such as PostgreSQL or MySQL. The accounting module ensures that any changes to session states are logged for future reference.

Proxy requests are forwarded to another RADIUS server for processing. This can be useful in large-scale systems where one FreeRADIUS server acts as a proxy to another for load balancing or delegation of authentication tasks.

Example of proxy request handling:

# Example of proxy request handling
proxy_requests {
    # Proxy to another FreeRADIUS server
    realm = "example.com"
    server = "radius-backend.example.com"
}

In this configuration, FreeRADIUS forwards requests that are destined for `example.com` to another server, `radius-backend.example.com`.

Change of Authorization (CoA) requests are used to dynamically change the authorization of an existing session. This could include things like changing a user’s IP address, re-assigning a VLAN, or limiting bandwidth.

Example of handling a CoA request:

# Example CoA handling in `default` configuration
coa {
    # Apply changes to user attributes
    sql
    # Notify the NAS about changes
    files
}

In this case, FreeRADIUS processes the CoA request by applying changes to user attributes stored in a backend database and notifies the NAS device accordingly.

FreeRADIUS allows advanced customization of how requests are processed by using modules, policies, and hooks. For example, you can write custom scripts or use external programs to process specific types of requests.

Example of a custom policy script for request processing:

# Example of a custom script for processing requests
post-auth {
    if ("%{User-Name}" =~ /^specialuser/) {
        # Special handling for certain users
        exec /path/to/custom-script.sh
    }
}

This example demonstrates how to use a custom script (`custom-script.sh`) to handle requests from users whose usernames start with "specialuser". The `post-auth` section allows you to manipulate requests after authentication has been completed.

• [FreeRADIUS Official Documentation](https://freeradius.org/docs/)
• [FreeRADIUS Wiki](https://wiki.freeradius.org/)
• [RADIUS Request Packet Format](https://tools.ietf.org/html/rfc2865)
• [FreeRADIUS Configuration Files](https://freeradius.org/radiusd/configuration.html)
• [FreeRADIUS Advanced Configuration](https://wiki.freeradius.org/config/advanced)
• [PostgreSQL for FreeRADIUS](https://wiki.freeradius.org/modules/rlm_sql_postgresql)
• [FreeRADIUS Policies](https://wiki.freeradius.org/config/policies)