FreeRADIUS can execute arbitrary programs when an authorization or authentication request arrives from a NAS(Network Access Server), by using the exec module; that is what I’ve implemented to solve my dilemma. A stanza

exec jxrad {
  wait = yes
  program = "/etc/raddb/bin/jxrad %{Stripped-User-Name}"
  input_pairs = request config

in the modules section as well as an invocation of the thus created jxrad module in the instantiate and authorize sections ensure that my program is invoked when an authorization request arrives. What does that program do? It retrieves the user’s password from $USER_PASSWORD and performs an LDAP bind operation in order to see if the supplied credentials are correct (this won’t work for CHAP(Challenge Access) ). Irrespective of whether the bind succeeds or not, this fact together with a timestamp and the username are recorded in a MySQL database table. I realize a second round-trip to the LDAP server is needed for this, but it doesn’t matter as we have enough computing power to handle that.

LDAP, MySQL, Linux, and Radius :: 14 Jun 2006 :: e-mail