Differences

This shows you the differences between two versions of the page.

--- public:retro-fitting_fticks_logging_to_freeradius [2024/03/19 08:17] – admin
+++ public:retro-fitting_fticks_logging_to_freeradius [2024/11/22 09:54] (current) – admin
@@ Line 1: / Line 1: @@
 =====Retro-fitting FTICKS to FreeRADIUS=====
-**IN PROGRESS**
 For a [[public:fticks|brief explanation of FTICKS]] and why they're useful.
@@ Line 9: / Line 7: @@
 To do this there are a few stages.
-. Modify the client stanzas to include an 'operator=<realm>' line which will set the internal 'operator' variable to identify the organisation from which the request originates. e.g:
+. Modify the [[siteadmin:basic_freeradius_orps_configuration#clients_conf|client stanzas]] to include an 'operator=<realm>' line which will set the internal 'operator' variable to identify the organisation from which the request originates. e.g:
 <code>
 client somesite {
@@ Line 18: / Line 16: @@
 }
 </code>
-. Modify the client stanzas to identify all the Jisc NRPS as 'operator=NRPS', as above. e.g:
+. Modify the [[[[siteadmin:basic_freeradius_orps_configuration#clients_conf|client stanzas]] to identify all the Jisc NRPS as 'operator=NRPS', as above. e.g:
 <code>
 client roaming0 {
@@ Line 24: / Line 23: @@
         ipaddr = 192.168.0.1
         operator = "NRPS"
+}
+#Govroam server configuration
+home_server roaming0 {
+    ipaddr = roaming0.govroam.uk
+    port = 1812
+    type = auth
+    secret = something
+    operator = "NRPS"
 }
 </code>
-. Add a log section for FTICKS which sends the logs to syslog.
-. Modify the post-auth stanza to use the above log section only where the source and destination aren't 'NRPS'. e.g:
+. Ensure that the [[siteadmin:freeradius_operator-name_setting|Operator-Name variable]] is being set to the right value, or a suitable default e.g:
+<code>
+update request {
+                        Operator-Name = "%{%{client:operator}:-1nhs.uk}"
+                }
+</code>
+Replace 'nhs.uk' with your realm.
+. Add a [[siteadmin:basic_freeradius_orps_configuration#mods_available-_govroam_logs|log section]] for FTICKS which sends the logs to syslog. e.g:
+<code>
+# F-TICKS
+linelog f_ticks {
+        filename = syslog
+        format = ""
+        reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
+        f_ticks {
+              Access-Accept ="F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#FEDID=XX#" # Replace XX with your supplied ID, or remove FEDID=XX if you're not a Regional Federation Operator.
+        }
+</code>
+. Modify the [[siteadmin:basic_freeradius_orps_configuration#sites-available-_govroam|post-auth stanza]] to use the above log section only where the source and destination aren't 'NRPS', and the Called-Station-Id contains the 'govroam' SSID. e.g:
 <code>
                 # Only send F-TICKS to Jisc when proxying between sites.
-		if ( "%{home_server:operator}" != "NRPS" && "%{client:operator}" != "NRPS") {
+		if ( "%{home_server:operator}" != "NRPS" && "%{client:operator}" != "NRPS" && "%{request:Called-Station-Id}" =~ /:govroam$/) {
   		  f_ticks
 		}
 </code>
-. Configure a [[siteadmin:syslog_f-ticks_logging|syslog server]] to proxy to the FTICKS syslog to the Jisc syslog server.
+. Configure a [[siteadmin:syslog_f-ticks_logging|syslog server]] to proxy to the FTICKS syslog to the Jisc syslog server. Example for syslog-ng:
+<code>
+destination d_jisc {
+  syslog("utilities.govroam.uk" transport("tcp") port("514"));
+};
+filter f_fticks {
+        facility(local0) and match ("F-TICKS", value ("MESSAGE"));
+};
+log {
+        source(s_src);
+        filter(f_fticks);
+        destination(d_jisc);
+};
+</code>