Govroam

The Roaming solution for the public sector


Retro-fitting FTICKS to FreeRADIUS

For a brief explanation of FTICKS and why they're useful.

What we're trying to achieve is for an RFO to send us logs of just the successful authentications happening between your registered organisations (i.e. not the ones proxied to and from the Jisc NRPS).

To do this there are a few stages.

1. Modify the client stanzas to include an 'operator=<realm>' line which will set the internal 'operator' variable to identify the organisation from which the request originates. e.g:

client somesite {
        secret = something
        ipaddr = 192.168.0.1
        operator = "somesite.nhs.uk"
}

2. Modify the client stanzas for the Jisc NRPS to set 'operator=NRPS', as above, and set the same value in the corresponding home_server stanzas. e.g:

client roaming0 {
        secret = something
        ipaddr = 192.168.0.1
        operator = "NRPS"
}

# Govroam server configuration
home_server roaming0 {
        ipaddr = roaming0.govroam.uk
        port = 1812
        type = auth
        secret = something
        operator = "NRPS"
}

3. Ensure that the Operator-Name attribute is being set to the right value, or a suitable default. e.g:

update request {
        # Use the 'operator' value from the client stanza; fall back to a default
        # if the client has none. The leading '1' is the REALM namespace identifier
        # that RFC 5580 requires at the start of an Operator-Name value.
        Operator-Name = "%{%{client:operator}:-1nhs.uk}"
}

4. Add a linelog module instance for FTICKS which sends the logs to syslog. e.g:

# F-TICKS
linelog f_ticks {
        filename = syslog
        # Log on local0 so that the syslog-ng filter in step 6 matches these messages
        # (linelog otherwise defaults to the daemon facility).
        syslog_facility = local0
        # An empty default format means nothing is logged unless a reference matches.
        format = ""
        reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
        f_ticks {
                # Replace XX with your supplied ID, or remove FEDID=XX if you're not a Regional Federation Operator.
                Access-Accept = "F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#FEDID=XX#"
        }
}

5. Modify the post-auth stanza to call the above linelog instance only where neither the source client nor the destination home server is 'NRPS'. e.g:

        # Only send F-TICKS to Jisc when proxying between sites.
        if ( "%{home_server:operator}" != "NRPS" && "%{client:operator}" != "NRPS" ) {
                f_ticks
        }

6. Configure a syslog server to forward the FTICKS syslog messages to the Jisc syslog server. Example for syslog-ng:

destination d_jisc {
  syslog("utilities.govroam.uk" transport("tcp") port("514"));
};

# Match only the F-TICKS lines that linelog writes on facility local0.
filter f_fticks {
        facility(local0) and match("F-TICKS" value("MESSAGE"));
};

# s_src is the local system source defined in the default syslog-ng.conf;
# substitute the name of your own source if it differs.
log {
        source(s_src);
        filter(f_fticks);
        destination(d_jisc);
};
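Once the six steps above are in place, the Jisc collector receives one syslog line per successful inter-site authentication in the format defined in step 4. The following script is an added example, not code from the govroam wiki or from Jisc: it parses F-TICKS lines out of a chunk of syslog, checks that each record has the fields the step 4 format emits, and flags the two misconfigurations this procedure is most likely to produce (ticks with VISINST=NRPS, meaning the step 5 condition is not filtering proxied traffic, and an unreplaced FEDID=XX placeholder). The log lines are constructed for the example; the hostnames, MAC addresses and FEDID values in them are made up.

```python
"""Parse and sanity-check F-TICKS records arriving at a syslog collector.

Added example (not part of the govroam wiki page). The sample log lines are
constructed to match the linelog format from step 4; the field names REALM,
VISCOUNTRY, VISINST, CSI, RESULT and FEDID are those that format emits.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Prefix written by the linelog format: F-TICKS/<federation>/<version>#<key=value pairs>
TICK_RE = re.compile(r"F-TICKS/(?P<fed>[^/#]+)/(?P<ver>[^#]+)#(?P<body>.*)$")
# Calling-Station-Id as FreeRADIUS normally presents it (AA-BB-CC-DD-EE-FF or colon form)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


@dataclass
class Tick:
    federation: str
    version: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_tick(line: str) -> Optional[Tick]:
    """Return a Tick for a syslog line carrying an F-TICKS record, else None."""
    m = TICK_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for part in m.group("body").split("#"):
        if not part:            # the format ends with '#', giving a trailing empty part
            continue
        key, sep, value = part.partition("=")
        if not sep:             # a part without '=' means the line was truncated or mangled
            return None
        fields[key] = value
    return Tick(m.group("fed"), m.group("ver"), fields)


def check_tick(tick: Tick) -> List[str]:
    """Return a list of problems; an empty list means the record is as the procedure intends."""
    problems: List[str] = []
    for k in ("REALM", "VISCOUNTRY", "VISINST", "CSI", "RESULT"):
        if k not in tick.fields:
            problems.append(f"missing {k}")
    if tick.federation != "govroam":
        problems.append(f"unexpected federation {tick.federation!r}")
    # Step 4 only defines an Access-Accept format, so every tick should say RESULT=OK.
    if tick.fields.get("RESULT") != "OK":
        problems.append("RESULT is not OK; only successful authentications should be ticked")
    # Step 5 suppresses ticks when either side is the NRPS; seeing NRPS here means
    # that post-auth condition is not taking effect.
    if tick.fields.get("VISINST") == "NRPS":
        problems.append("VISINST is NRPS; the step 5 post-auth condition is not filtering NRPS traffic")
    csi = tick.fields.get("CSI", "")
    if csi and not MAC_RE.match(csi):
        problems.append(f"CSI {csi!r} is not a MAC address")
    if tick.fields.get("FEDID") == "XX":
        problems.append("FEDID=XX placeholder from step 4 was not replaced")
    return problems


# Constructed sample: two ticks (one clean, one showing both misconfigurations)
# and one ordinary radiusd line that the parser must ignore.
SAMPLE_LOG = """\
Mar 19 09:14:01 radius1 radiusd[1234]: F-TICKS/govroam/1.0#REALM=somesite.nhs.uk#VISCOUNTRY=GB#VISINST=othersite.nhs.uk#CSI=AA-BB-CC-DD-EE-FF#RESULT=OK#FEDID=ABC#
Mar 19 09:14:02 radius1 radiusd[1234]: F-TICKS/govroam/1.0#REALM=somesite.nhs.uk#VISCOUNTRY=GB#VISINST=NRPS#CSI=AA-BB-CC-DD-EE-01#RESULT=OK#FEDID=XX#
Mar 19 09:14:03 radius1 radiusd[1234]: (0) Login OK: [user@somesite.nhs.uk] (from client somesite port 0)
"""


def audit(log_text: str) -> dict:
    """Summarise a chunk of syslog: number of ticks parsed and problems keyed by line number."""
    summary: dict = {"ticks": 0, "problems": {}}
    for n, line in enumerate(log_text.splitlines(), 1):
        tick = parse_tick(line)
        if tick is None:
            continue
        summary["ticks"] += 1
        probs = check_tick(tick)
        if probs:
            summary["problems"][n] = probs
    return summary


if __name__ == "__main__":
    for lineno, probs in audit(SAMPLE_LOG)["problems"].items():
        for p in probs:
            print(f"line {lineno}: {p}")
```

Run it against a file from the collector (for example `audit(open("/var/log/fticks.log").read())`) after enabling the configuration; a clean run reports no problems and a tick count equal to the number of successful inter-site authentications, which is a quick way to confirm that both the facility in step 4 and the condition in step 5 are doing what they should.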
public/retro-fitting_fticks_logging_to_freeradius.txt · Last modified: 2024/03/19 09:14 by admin