Home server failure messages


Home server failure messages

Users mailing list
Hi all,

Freeradius 3.0.20-1.

  Is there a way I can pick up (and report) failures for connections to home servers?
I can't think of a way, but normally I'd check the Module-Failure-Message attribute; is there anything similar I can use for proxying as that isn't set here (not a module I guess!)

Sorry if it's really obvious and documented somewhere, but I can't see anything that would get set, having checked proxy.conf, tls, pre-proxy, post-proxy bits.

I can't use status-server just to check before clients connect, because of using Radsec (it's the future?!), so some requests are returned as rejects.
It's good to know when/how often this sort of stuff happens given that some of the servers are external, nothing to do with us (Govroam).
Thanks
Andy




********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services.

For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Home server failure messages

Alan DeKok-2
On Nov 20, 2019, at 11:16 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
>
>  Is there a way I can pick up (and report) failures for connections to home servers?

  The post-proxy section is still run, and Module-Failure-Message should be set.

  Alan DeKok.



RE: Home server failure messages

Users mailing list
Hi Alan,
  Indeed it seems to in some circumstances; here's one where one server proxies to another, which in turn can't reach another external one, and the failure message is passed across:

Server where the request is received (from radtest):
I've edited it a bit for brevity, hopefully that's ok

..
(1) Proxying request to home server 192.168.110.46 port 2083 (TLS) timeout 30.000000
..
Thread 2 waiting to be assigned a request
(1) Expecting proxy response no later than 29.693518 seconds from now
Waking up in 29.6 seconds.
Suppressing duplicate proxied request (tcp) to home server 192.168.110.46 port 2083 proto TCP - ID: 172
Waking up in 25.0 seconds.
Suppressing duplicate proxied request (tcp) to home server 192.168.110.46 port 2083 proto TCP - ID: 172
Waking up in 20.0 seconds.
(1) No proxy response, giving up on request and marking it done
Marking home server 192.168.110.46 port 2083 as zombie (it has not responded in 30.000000 seconds).
(1) ERROR: Failing proxied request for user "[hidden email]", due to lack of any response from home server 192.168.110.46 port 2083
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 1, (1 handled so far)
(1) Clearing existing &reply: attributes
(1) Found Post-Proxy-Type Fail-Authentication
(1) server default {
(1)   Post-Proxy-Type sub-section not found.  Ignoring.
(1)   # Executing group from file /etc/freeradius/sites-enabled/default
(1) }
(1) Login incorrect (Home Server failed to respond): [[hidden email]] (from client localhost_ipv6 port 1)
(1) There was no response configured: rejecting request
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Post-Auth-Type REJECT {
..
(1)        if ( &Module-Failure-Message )  {
(1)               update control {
(1)                 EXPAND Reject : %{Module-Failure-Message}
(1)                    --> Reject : Failing proxied request for user \"[hidden email]\", due to lack of any response from home server 192.168.110.46 port 2083
(1)                 Outcome := Reject : Failing proxied request for user "[hidden email]", due to lack of any response from home server 192.168.110.46 port 2083
(1)                 EXPAND %{Module-Failure-Message}



.. but if it can't connect at all to the next server in line, for example because FR is down and the port is closed, it seems to miss out the post-proxy bit (probably by design?), and then there's no Module-Failure-Message attribute value available.

Starting proxy to home server 192.168.110.46 port 2083
(0) server default {
(0) }
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(0) Failed to insert request into the proxy list
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Post-Auth-Type REJECT {
..
(0)     if ( &Module-Failure-Message ) {
(0)             if ( &Module-Failure-Message )  -> FALSE
(0)           } # else = noop

Again, maybe my intuition is a bit off and I expect something which for some reason is designed a different way!

Thanks again
Andy
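Since the thread establishes that Module-Failure-Message is not set for the connection-refused case, one way to still pick up and report these failures is to watch the server's own log output for the messages quoted above. The following is an added example, not code from the thread or from FreeRADIUS: it parses the three failure messages shown in the debug output ("Marking home server ... as zombie", "Failing proxied request ... due to lack of any response", and "Failed opening new proxy socket ... Connection refused"), extracts the home server address and port, and counts failures per home server. It assumes the lines keep the exact wording shown for 3.0.x debug output (other versions may differ), and the sample log is constructed from the thread's lines with the real username replaced by a placeholder.

```python
"""Detect and summarise home-server failures in FreeRADIUS log output.

Added example, not part of the thread or of FreeRADIUS. Assumes the message
wording matches the 3.0.x debug output quoted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Regexes derived from the debug lines quoted in the thread (assumption: the
# wording is stable across the versions you run).
PATTERNS = [
    ("zombie", re.compile(
        r"Marking home server (?P<host>\S+) port (?P<port>\d+) as zombie")),
    ("no_response", re.compile(
        r"Failing proxied request for user \"(?P<user>[^\"]*)\", due to lack of any "
        r"response from home server (?P<host>\S+) port (?P<port>\d+)")),
    ("connect_failed", re.compile(
        r"Failed opening new proxy socket '.*-> home_server \((?P<host>[^,]+), (?P<port>\d+)\)'"
        r" : (?P<reason>.*)$")),
]


@dataclass(frozen=True)
class HomeServerFailure:
    kind: str      # zombie | no_response | connect_failed
    host: str
    port: int
    detail: str    # socket error text, or the affected user for no_response


def strip_request_prefix(line):
    # Debug lines carry a "(N) " request prefix and sometimes "ERROR: "; drop both.
    line = re.sub(r"^\(\d+\)\s*", "", line.strip())
    return re.sub(r"^ERROR:\s*", "", line)


def parse_failures(lines):
    """Return one HomeServerFailure per matching log line, in input order."""
    events = []
    for raw in lines:
        line = strip_request_prefix(raw)
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                d = m.groupdict()
                detail = d.get("reason") or d.get("user") or ""
                events.append(HomeServerFailure(kind, d["host"], int(d["port"]), detail))
                break
    return events


def summarise(events):
    """Count failures per (host, port, kind) for reporting or alerting."""
    return Counter((e.host, e.port, e.kind) for e in events)


# Constructed sample: lines from the thread, username replaced by a placeholder.
SAMPLE_LOG = """\
(1) Proxying request to home server 192.168.110.46 port 2083 (TLS) timeout 30.000000
(1) No proxy response, giving up on request and marking it done
Marking home server 192.168.110.46 port 2083 as zombie (it has not responded in 30.000000 seconds).
(1) ERROR: Failing proxied request for user "user@example.org", due to lack of any response from home server 192.168.110.46 port 2083
Starting proxy to home server 192.168.110.46 port 2083
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(0) Failed to insert request into the proxy list
""".splitlines()

if __name__ == "__main__":
    for (host, port, kind), n in sorted(summarise(parse_failures(SAMPLE_LOG)).items()):
        print(f"{host}:{port} {kind} x{n}")
```

Feeding the server's log (or `radiusd -X` output) through `parse_failures` gives a record of both the timeout/zombie case and the connection-refused case, independent of whether post-proxy ran, which is the gap Andy describes.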



Re: Home server failure messages

Alan DeKok-2
On Nov 21, 2019, at 7:44 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) <[hidden email]> wrote:
>  Indeed it seems to in some circumstances; here's one where one server proxies to another, which in turn can't reach another external one, and the failure message is passed across:
>
> Server where the request is received (from radtest):
> I've edited it a bit for brevity, hopefully that's ok

  That's fine.

> .. but if it can't connect at all the next server in line for example because FR is down and the port is closed it seems to miss out the post-proxy bit (probably by design?) and then there's no available Module-Failure-Message attribute value.

  The answer is that the Module-Failure-Message attribute isn't always created.

> Again, maybe my intuition is a bit off and I expect something which for some reason is designed a different way!

  Patches are welcome. :)

  It's worth going thru src/main/process.c, and adding calls:

        module_failure_msg(request, "foo", ...);

  In order to add more module failure messages.

  Alan DeKok.



Re: Home server failure messages

Alan Buxey
Hi

If using RADSEC why not use the status-server check (low level check not a
user/pass check - though a false user etc will give a reject which means
the server is okay)... Or maybe the server is fine and the issue is
elsewhere (talking to a proxy that might have problems upstream?)

Correctly configured the server should fail over to the next available home
server (and with RADSEC only use the failed one when it's been checked and
responding again)

alan



Re: Home server failure messages

Users mailing list
Hi Alan,
  Hopefully I've understood - I did try the status_check = "status-server" option in the tls (radsec) virtual server, but it seems it is not permitted:

Only 'status_check = none' is allowed for home servers with 'proto = tcp'

Radsecproxy, which I toyed about with for a while, seemed to allow status checks and when used in between freeradius servers (iirc) did respond to the request with no issues via radsec..
Maybe there's something I'm missing, wouldn't be the first time :-)

Thanks
Andy

Re: Home server failure messages

Alan DeKok-2
On Nov 22, 2019, at 3:35 PM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
>  Hopefully I've understood - I did try the status_check = "status-server" option in the tls (radsec) virtual server, but it seems it is not permitted:
>
> Only 'status_check = none' is allowed for home servers with 'proto = tcp'

  TCP connections guarantee delivery.  So there's no reason to have a Status-Server check in them.

> Radsecproxy, which I toyed about with for a while, seemed to allow status checks and when used in between freeradius servers (iirc) did respond to the request with no issues via radsec..
> Maybe there's something I'm missing, wouldn't be the first time :-)

  FreeRADIUS responds to Status-Server packets over TCP.  But there's no reason to send Status-Server packets over TCP.

  If the connection is down, then the server gets notified.  If the connection is up, then sending a Status-Server packet over it won't give you any information.

  Alan DeKok.

