Proxy + copy accounting to passive home server

27 messages
Proxy + copy accounting to passive home server

mimir

Hello,

I am trying to deploy a proxy configuration to my RADIUS server.

I added a home_server_pool with two home_servers. I can successfully send
accounting packets (with load-balance) to the other two RADIUS servers. I can
also use attribute filtering for proxying via acct_users, as below.

acct_users:
DEFAULT Called-Station-Id = "internet1", Proxy-To-Realm := TEST1

But I want to send the same packet to both servers when proxying. If I proxied
the accounting packet to server A successfully, then I also want to copy it
to the other RADIUS server (meaning a passive one for each packet while
load-balancing).

I read some forums and saw that it can be done via
"copy-acct-to-home-server".

But I could not configure it. (I also could not understand where I should
edit it: on the proxy, or on the home_servers?)

Can you please help me on this issue?

Thanks...

Mimir

Re: Proxy + copy accounting to passive home server

Alan DeKok-2
mimir wrote:
> But, I want to send same packet to both servers when proxying.

  See the "replicate" module in 2.1.12.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Proxy + copy accounting to passive home server

mimir
Hi Alan,

Thanks for the reply. How can I find a sample configuration for this?
I see that this is a new module and it is not discussed much on the internet.

Besides this, I can only add configuration to the proxy server. I cannot manage the home_servers.
Is it possible to apply my scenario via the replicate module by deploying configuration only on the proxy servers?

Mimir.

Re: Proxy + copy accounting to passive home server

Alan DeKok-2
mimir wrote:
> Thanks for reply. How can I find a sample configuration for this?

  Look in the raddb/modules directory?

  Where else are configurations stored?

> I see that this is new module and it is discussed in internet not much.
>
> Besides this, I can only add configuration to proxy server. I can not manage
> home_servers.
> Is it possible to apply my scenario via replicate module by deploying
> configuration only on proxy servers.

  Go read the replicate documentation to see how it works.

  Alan DeKok.

Re: Proxy + copy accounting to passive home server

Fajar A. Nugraha-2
On Wed, Mar 28, 2012 at 3:13 PM, Alan DeKok <[hidden email]> wrote:
> mimir wrote:
>> Thanks for reply. How can I find a sample configuration for this?
>
>  Look in the raddb/modules directory?


... and in case you don't find it there, chances are you're running a
fairly old version of FR. Upgrade to the latest stable, and it should be
there.

--
Fajar

Re: Proxy + copy accounting to passive home server

mimir
Hi,

I installed the latest version of FreeRADIUS and verified that the replicate module exists.

I can run replication by editing proxy.conf and acct_users (but I can replicate to only one server for now).
I need to copy accounting to 20 servers.

DEFAULT Proxy-To-Realm := TEST1  (how can I add the others?)

But I cannot define replication to multiple realms, although it says:

#  Packets can be replicated to multiple destinations.  Just set
#  Replicate-To-Realm multiple times.  One packet will be sent for
#  each of the Replicate-To-Realm attribute in the "control" list.

My configs are as below:

Home servers are defined with their IPs, and I created a realm for each home server.

home_server_pool test_failover1 {
        type = load-balance
        home_server = test1
}

home_server_pool test_failover2 {
        type = load-balance
        home_server = test2
}

home_server_pool test_failover3 {
        type = load-balance
        home_server = test3
}

realm TEST1 {
        acct_pool = test_failover1
}

realm TEST2 {
        acct_pool = test_failover2
}

realm TEST3 {
        acct_pool = test_failover3
}

Can you please help?

Thanks.

Re: Proxy + copy accounting to passive home server

Fajar A. Nugraha-2
On Fri, Mar 30, 2012 at 4:01 PM, mimir
<[hidden email]> wrote:

> Hi,
>
> I installed latest version of freeradius and verified replicate module is
> existing.
>
> I can run replication via editing proxy.conf and acct_user. ( but I can
> replicate to only one server for now)
> I need to copy accountings to 20 servers.
>
> DEFAULT Proxy-To-Realm := TEST1  ( how can I add others ? )

Don't use the users file. Instead, in the accounting section, use something
like this (untested, you need to verify this first):

update control {
  Proxy-To-Realm := TEST1
  Proxy-To-Realm += TEST2
  Proxy-To-Realm += TEST3
}

See http://freeradius.org/radiusd/man/unlang.html , look for "operators"


> #  Packets can be replicated to multiple destinations.  Just set
> #  Replicate-To-Realm multiple times.  One packet will be sent for
> #  each of the Replicate-To-Realm attribute in the "control" list.

exactly.

--
Fajar
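A complete version of the replicate setup Fajar sketches, as an added example; it is not from the original thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.1.x, three accounting-only home servers at the placeholder addresses 192.0.2.11-13 with their own shared secrets, and the realm names TEST1-3 already used in this thread. The `update control` block sits in `preacct`, which runs before the `accounting` section, so the Replicate-To-Realm attributes already exist when the `replicate` module is called; if the update is placed after `replicate` in the same section, `replicate` finds nothing and returns noop (compare `++[replicate] returns noop` followed by `++[control] returns noop` in the debug output quoted later in the thread).

```conf
# proxy.conf (FreeRADIUS 2.1.x).  One accounting home server, one pool and
# one realm per replication target.  Addresses and secrets are placeholders.
home_server acct_copy1 {
	type = acct
	ipaddr = 192.0.2.11
	port = 1813
	secret = "change-me-1"
}
home_server acct_copy2 {
	type = acct
	ipaddr = 192.0.2.12
	port = 1813
	secret = "change-me-2"
}
home_server acct_copy3 {
	type = acct
	ipaddr = 192.0.2.13
	port = 1813
	secret = "change-me-3"
}

home_server_pool copy1_pool {
	type = fail-over
	home_server = acct_copy1
}
home_server_pool copy2_pool {
	type = fail-over
	home_server = acct_copy2
}
home_server_pool copy3_pool {
	type = fail-over
	home_server = acct_copy3
}

realm TEST1 {
	acct_pool = copy1_pool
}
realm TEST2 {
	acct_pool = copy2_pool
}
realm TEST3 {
	acct_pool = copy3_pool
}

# sites-available/default.  The control attributes are set in preacct, which
# runs before the accounting section, so they are present when replicate runs.
preacct {
	preprocess
	acct_unique
	suffix
	update control {
		Replicate-To-Realm := TEST1
		Replicate-To-Realm += TEST2
		Replicate-To-Realm += TEST3
	}
}

accounting {
	detail
	sql
	#  Sends one copy of the packet per Replicate-To-Realm and does not
	#  wait for an Accounting-Response: a dead receiver is not noticed here.
	replicate
	attr_filter.accounting_response
}
```

Check the syntax with `radiusd -C` before restarting, then run `radiusd -X` and send one accounting packet: `replicate` should now return ok rather than noop. Because nothing ever waits for a response, a receiver that is down, or whose shared secret does not match, discards the copies without any sign on the proxy. For records that feed billing or session tracking, that silent loss is the reason to prefer the detail-file approach discussed further down.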

Re: Proxy + copy accounting to passive home server

mimir
In reply to this post by mimir
Hi,

Sorry, I wrote it wrong in my previous post. I am trying to apply Replicate-To-Realm to send accounting messages to 20 servers from my RADIUS server.

I added the following in /sites-available/default:

accounting {
....
        update control {
          Replicate-To-Realm := TEST1
          Replicate-To-Realm += TEST2
          Replicate-To-Realm += TEST3
        }

.....

But the debug log says:

+[exec] returns noop
++[replicate] returns noop
++[control] returns noop

I think it has no effect?

Thanks..


Re: Proxy + copy accounting to passive home server

mimir
In reply to this post by Fajar A. Nugraha-2
Hello,

I added the same definition to acct_users:

DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm += TEST2,Replicate-To-Realm += TEST3

and it worked :)

I can send the same accounting messages to 3 servers.

I wonder about another thing. Is it possible to get a log/error or something else if one of the replicated servers does not respond?

Thanks.

Re: Proxy + copy accounting to passive home server

Fajar A. Nugraha-2
On Fri, Mar 30, 2012 at 5:40 PM, mimir
<[hidden email]> wrote:
> Hello,
>
> I added same definition to acct_users
>
> DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm +=
> TEST2,Replicate-To-Realm += TEST3
>
> and it worked :)

The earlier error is probably my fault then. It might need to go in the
preacct section instead of accounting? It's been quite a while since I
tested it. It'd be good if you can test on preacct and report the
result :)

> I wonder another thing. Is it possible to get log/error or sth else if one
> of the replicated servers  do not response?

Nope. Replicate is a send-and-forget kind of thing.

If you REALLY want a RELIABLE proxying setup, you need to use the detail
module to write to 3 different detail files, and basically configure 3
instances of sites-available/copy-acct-to-home-server. I wouldn't
recommend it unless it's ABSOLUTELY necessary.

--
Fajar

Re: Proxy + copy accounting to passive home server

mimir
Hi Fajar,

I also thought of that option. But I cannot configure it.

I set up the realms the same way in proxy.conf. But how can we point it to sites-available/copy-acct-to-home-server?

How can we configure it? I can only see the explanation in the config file comments.

Thanks,

Re: Proxy + copy accounting to passive home server

mimir
I forgot to add.

preacct also worked :)

Thanks.

Re: Proxy + copy accounting to passive home server

Fajar A. Nugraha-2
In reply to this post by mimir
On Fri, Mar 30, 2012 at 7:37 PM, mimir
<[hidden email]> wrote:
> Hi Fajar,
>
> I also think that option. But, I can not configure it.
>
> I set up realms same in proxy.conf. But, how can we point it to
> sites-available/copy-acct-to-home-server ?

Basically you need to configure sites-available/default to write to
different detail files (e.g. /var/log/radius/detail1,
/var/log/radius/detail2, etc.). Then you set up several copies of
sites-available/copy-acct-to-home-server (changing files and server
names as necessary, of course), each reading a different file (note
the line "filename = ${radacctdir}/detail". Change that). Then don't
forget to create links in sites-enabled :)

--
Fajar
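The detail-file setup Fajar describes, written out as an added example; it is not from the thread or from the shipped sites-available/copy-acct-to-home-server. It assumes FreeRADIUS 2.x (where the detail writer's path option is `detailfile`; 3.x renamed it to `filename`), two destinations, the realms TEST1 and TEST2 defined in proxy.conf as mimir showed earlier, and `${radacctdir}` on local disk. Each copy of the virtual server is saved under its own name in sites-available and symlinked into sites-enabled.

```conf
# modules/detail: one writer instance per destination.  The file names carry
# no date, so each reader below can find its file under a fixed name.
detail detail_copy1 {
	detailfile = ${radacctdir}/detail1
	header = "%t"
	detailperm = 0600
}
detail detail_copy2 {
	detailfile = ${radacctdir}/detail2
	header = "%t"
	detailperm = 0600
}

# sites-available/default: every accounting packet is queued to both files
# before the normal processing continues.
accounting {
	detail_copy1
	detail_copy2
	sql
	attr_filter.accounting_response
}

# sites-available/copy-acct-to-home-server1 (renamed copy of the shipped
# file).  Reads detail1 and proxies each entry to realm TEST1, which must
# have an acct_pool in proxy.conf.
server copy-acct-to-home-server1 {
	listen {
		type = detail
		filename = ${radacctdir}/detail1
		load_factor = 10
	}
	preacct {
		update control {
			Proxy-To-Realm := TEST1
		}
	}
}

# sites-available/copy-acct-to-home-server2: same again for detail2 / TEST2.
server copy-acct-to-home-server2 {
	listen {
		type = detail
		filename = ${radacctdir}/detail2
		load_factor = 10
	}
	preacct {
		update control {
			Proxy-To-Realm := TEST2
		}
	}
}
```

Unlike `replicate`, each entry read from a detail file is proxied with a response expected, and the reader re-reads an entry that got no response instead of dropping it; that is the reliability Fajar refers to. Because every destination has its own file and reader, an unreachable home server stalls only its own queue, and the queue survives a radiusd restart because it lives on disk. The files contain User-Name, Calling-Station-Id and client addresses, so keep `detailperm` at 0600 and the directory owned by the radiusd user, and do not put `${radacctdir}` on a network filesystem.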

Re: Proxy + copy accounting to passive home server

Alan DeKok-2
In reply to this post by mimir
mimir wrote:
> I wonder another thing. Is it possible to get log/error or sth else if one
> of the replicated servers  do not response?

  No.  That's the whole POINT of the replicate module: it doesn't care
if the home server responds.

  If you want a response, configure proxying.

  Alan DeKok.

Re: Proxy + copy accounting to passive home server

mimir
Hi Alan,

I got your point. I need a reply.

I can use proxying, but I also need to send the same accounting to all servers at the same time.

I tried to build virtual servers to proxy accounting packets to the other servers.

For example: I am going to send accounting packets to 20 servers.

First I create 20 virtual servers, and then point them to the 20 remote servers one by one (because proxying only supports fail-over and load-balance).

My configs:

/sites-available/default
preacct {
        preprocess
        update control {
                Proxy-To-Realm := TEST0  --> virtual server realm
        }
}

/sites-available/default2
preacct {
        preprocess
        update control {
                Proxy-To-Realm += TEST1 --> remote radius
                #Replicate-To-Realm += TEST2
                #Replicate-To-Realm += TEST3
        }
        #  Session sta


But when I tried it I got a segmentation fault.

rad_recv: Accounting-Request packet from host 135.243.68.36 port 55675, id=112, length=94
        User-Name = "test2"
        Acct-Status-Type = Start
        Acct-Session-Id = "4680"
        Framed-Protocol = PPP
        Acct-Delay-Time = 5
        Calling-Station-Id = "905436755108"
        NAS-Port = 1
        Framed-IP-Address = 2.2.2.17
        NAS-IP-Address = 135.243.90.68
        Called-Station-Id = "internet1"
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
[preprocess]   hints: Matched DEFAULT at 85
[preprocess] sql_xlat
[preprocess]    expand: %{User-Name} -> test2
[preprocess] sql_set_user escaped user --> 'test2'
[preprocess]    expand: SELECT id from deneme limit 1 -> SELECT id from deneme limit 1
rlm_sql (sql): Reserving sql socket id: 4
[preprocess] sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
[preprocess]    expand: %{sql:SELECT id from deneme limit 1} -> 5
[preprocess] sql_xlat
[preprocess]    expand: %{User-Name} -> test2
[preprocess] sql_set_user escaped user --> 'test2'
[preprocess]    expand: SELECT id from deneme limit 1 -> SELECT id from deneme limit 1
rlm_sql (sql): Reserving sql socket id: 3
[preprocess] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[preprocess]    expand: %{sql:SELECT id from deneme limit 1} -> 5
++[preprocess] returns ok
++[control] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 135.243.68.36,NAS-IP-Address = 135.243.90.68,Acct-Session-Id = "4680",User-Name = "test2"'
[acct_unique] Acct-Unique-Session-ID = "8106182d5455e91b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 135.243.68.36
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/135.243.68.36/detail-20120402
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/detail-20120402
[detail]        expand: %t -> Mon Apr  2 08:21:05 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> test2
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
[sql]   expand: %{Acct-Delay-Time} -> 5
[sql]   expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
++[replicate] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> test2
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
# Executing section pre-proxy from file /usr/local/etc/raddb/sites-enabled/default
+- entering group pre-proxy {...}
++[files] returns noop
[pre_proxy_log]         expand: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/radius/radacct/135.243.68.36/pre-proxy-detail-20120402
[pre_proxy_log] /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/pre-proxy-detail-20120402
[pre_proxy_log]         expand: %t -> Mon Apr  2 08:21:05 2012
++[pre_proxy_log] returns ok
>>> Sending proxied request internally to virtual server.
server virtualserver {
# Executing section preacct from file /usr/local/etc/raddb/sites-available/default2
+- entering group preacct {...}
[preprocess]   hints: Matched DEFAULT at 85
[preprocess] sql_xlat
[preprocess]    expand: %{User-Name} -> test2
[preprocess] sql_set_user escaped user --> 'test2'
[preprocess]    expand: SELECT id from deneme limit 1 -> SELECT id from deneme limit 1
rlm_sql (sql): Reserving sql socket id: 1
[preprocess] sql_xlat finished
rlm_sql (sql): Released sql socket id: 1
[preprocess]    expand: %{sql:SELECT id from deneme limit 1} -> 5
[preprocess] sql_xlat
[preprocess]    expand: %{User-Name} -> test2
[preprocess] sql_set_user escaped user --> 'test2'
[preprocess]    expand: SELECT id from deneme limit 1 -> SELECT id from deneme limit 1
rlm_sql (sql): Reserving sql socket id: 0
[preprocess] sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
[preprocess]    expand: %{sql:SELECT id from deneme limit 1} -> 5
++[preprocess] returns ok
++[control] returns ok
++[acct_unique] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-available/default2
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 135.243.68.36
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/135.243.68.36/detail-20120402
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/detail-20120402
[detail]        expand: %t -> Mon Apr  2 08:21:05 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> test2
rlm_radutmp: Login entry for NAS 135.243.90.68 port 1 duplicate
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
[sql]   expand: %{Acct-Delay-Time} -> 5
[sql]   expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
++[replicate] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> test2
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
} # server virtualserver
Going to the next request
<<< Received proxied response code 0 from internal virtual server.
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[post_proxy_log]        expand: /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d -> /var/log/radius/radacct/135.243.68.36/post-proxy-detail-20120402
[post_proxy_log] /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/post-proxy-detail-20120402
[post_proxy_log]        expand: %t -> Mon Apr  2 08:21:05 2012
[post_proxy_log] Freeradius-Proxied-To = ??
++[post_proxy_log] returns ok
[eap] No pre-existing handler found
Segmentation fault


Re: Proxy + copy accounting to passive home server

Alan DeKok-2
mimir wrote:
> But when I tried it I got segmentation fault.
...
> [eap] No pre-existing handler found
> Segmentation fault

  See doc/bugs

  Alan DeKok.

Moving included conf files to virtualhost..

morocon
In reply to this post by mimir
Hi,

I just wonder if it is possible to move included conf files from
radiusd.conf to virtual hosts?

I mean, is it possible to place clients.conf and sql.conf into a
virtual host instead of radiusd.conf, and so have a different one
depending on the virtual host called?


Re: Moving included conf files to virtualhost..

Fajar A. Nugraha-2
On Mon, Apr 2, 2012 at 7:56 PM, yzy-oui-fi <[hidden email]> wrote:
> Hi,
>
> i just wonder if it is possible to move included conf files from
> radiusd.conf to virtualhosts ?

I don't think so.

>
> I mean , is it possible to place the client.conf and sql.conf into a
> virtual host instead of radiusd.conf... And so to have a diferent one
> pending on called virtualhost ..

The best work around I can think of is just to create multiple
instances of that module, with different name and configurations.

--
Fajar
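The multi-instance approach Fajar recommends, written out as an added example; it is not from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x with the MySQL driver, placeholder hosts, credentials and client networks, and two accounting-only virtual servers on different ports. For the clients.conf half of the question, the shipped 2.x clients.conf also documents named client lists (search it for per_socket_clients) that a `listen` section can bind to itself with `clients = `; that is what the example uses.

```conf
# sql.conf (FreeRADIUS 2.x): two independently configured instances of
# rlm_sql.  Table-name variables are listed because sql/${database}/dialup.conf
# refers to them and is expanded separately inside each instance.
sql sql_site_a {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "10.0.0.11"
	login = "radius_a"
	password = "change-me-a"
	radius_db = "radius_a"
	sql_user_name = "%{User-Name}"
	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "radusergroup"
	nas_table = "nas"
	$INCLUDE sql/${database}/dialup.conf
}
sql sql_site_b {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "10.0.0.12"
	login = "radius_b"
	password = "change-me-b"
	radius_db = "radius_b"
	sql_user_name = "%{User-Name}"
	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "radusergroup"
	nas_table = "nas"
	$INCLUDE sql/${database}/dialup.conf
}

# clients.conf: named client lists, bound to one socket each below rather
# than applying to every listener.
clients site_a_clients {
	client 192.0.2.0/24 {
		secret = "change-me-nas-a"
	}
}
clients site_b_clients {
	client 198.51.100.0/24 {
		secret = "change-me-nas-b"
	}
}

# sites-available/site_a and sites-available/site_b (symlinked into
# sites-enabled).  Each socket accepts only its own clients and each
# accounting section writes through its own sql instance.
server site_a {
	listen {
		type = acct
		ipaddr = *
		port = 1813
		clients = site_a_clients
	}
	preacct {
		acct_unique
	}
	accounting {
		sql_site_a
	}
}
server site_b {
	listen {
		type = acct
		ipaddr = *
		port = 1814
		clients = site_b_clients
	}
	preacct {
		acct_unique
	}
	accounting {
		sql_site_b
	}
}
```

A NAS in 192.0.2.0/24 sending to port 1814 is rejected as an unknown client, so the two sites cannot write into each other's database even if a shared secret leaks from one of them; that separation is the main reason to split the client lists per socket instead of keeping one global clients.conf.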

Re: Moving included conf files to virtualhost..

mimir
In reply to this post by morocon
Can you please share links to the docs? I only check the configuration file comments.
I could not find any detailed docs for the configuration, or does my account not have access?

Re: Moving included conf files to virtualhost..

mimir
One more question.. is it possible to replicate to virtual hosts?

I tried but got the following error:

[replicate] ERROR: Failed opening socket: cannot open socket: Address family

My aim is to first replicate the acct packets to virtual hosts and then proxy them.