accounting to multiple servers


nicolas.ciuffolotti
Hi
Thank you in advance for your help.
I am trying to create 2 servers with freeradius. I have 5 NAS and I
configure the 2 radius servers in each one but in a different order, for example:
NAS 1 ---> radius A; radius B
NAS 2 ---> radius B; radius A
...
I have a problem with accounting, START and STOP in any radius server.
What is the best configuration so that the detail files of both servers
contain the same?
Is there a how-to for the configuration?
Thanks for the answers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: accounting to multiple servers

Alan DeKok-2


> On Oct 29, 2020, at 9:14 AM, Nicolás Ciuffolotti <[hidden email]> wrote:
>
> Hi
> Thank you in advance for your help.
> I am trying to create 2 servers with freeradius. I have 5 NAS and I
> configure the 2 radius in each one but different order, example:
> NAS 1 ---> radius A; radius B
> NAS 2 ---> radius B; radius A
> ...
> I have the problem with accounting, START and STOP in any radius server.
> What is the best configuration so that the detail files of both servers
> contain the same?

  Copy the RADIUS packets from each server to the other one.

> Is there a how-to for the configuration?

  sites-available/copy-acct-to-home-server

  Alan DeKok.




Re: accounting to multiple servers

nicolas.ciuffolotti
Thanks for the reply...

Is it necessary to configure the realms, home_server_pool, and
home_server in proxy.conf for that to work?

I didn't find an example, and I just need the content of the detail files
to be on both servers.

Thanks again...


Re: accounting to multiple servers

Alan DeKok-2
On Oct 29, 2020, at 1:46 PM, Nicolás Ciuffolotti <[hidden email]> wrote:
>
> Is it necessary to configure the realms, home_server_pool, and
> home_server in proxy.conf for that to work?

  Yes.  Just add a "home_server" which points to the other server:

home_server other {
        ... ipaddr, secret, etc.
}

> I didn't find an example, and I just need the content of the detail files
> to be on both servers.

  You can edit sites-available/copy-acct-to-home-server.  In the "preacct" section remove the "suffix", "ntdomain", etc., and add:

                update control {
                        Home-Server-Name := "other"
                }

  It should then work.

  Alan DeKok.



Re: accounting to multiple servers

nicolas.ciuffolotti
Hi Alan
I appreciate your help.
I have a problem.
When I put it in debug mode:
Debug: detail (/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d): Polling for detail file
Debug: detail (/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d): Detail listener state unopened

My copy-acct-to-home-server file:
server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
        }
        preacct {
                update control {
                        &Proxy-To-Realm := "elektra.ctsma02.com.ar"
                }
        }
        accounting {
                ok
        }
}

and proxy.conf file:

home_server elektra.ctsma02.com.ar {
        type = acct
        ipaddr = 192.168.9.20
        port = 1813
        secret = ####
}

I have never used copy-acct-to-home-server and proxy, but I just need the
detail files of both servers to contain the same.

I would appreciate it very much.


Re: accounting to multiple servers

Alan DeKok-2
On Nov 19, 2020, at 1:44 PM, Nicolás Ciuffolotti <[hidden email]> wrote:
> My copy-acct-to-home-server file:
> server copy-acct-to-home-server {
>        listen {
>                type = detail
>                filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d

  No.

  That is the filename used by the detail module to *write* detail files.  You can't copy it to the detail file reader.

  Why?  Because the expansions %{Packet-Src-IP-Address} etc. are done when the detail file is being written.  There are no such expansions when it's being read.  Because where would that information come from?  You haven't read the detail file yet!

  Instead, read the comments in the file you edited.  Use file globbing, i.e. wildcards:

        filename = ${radacctdir}/*/detail-*

  But generally you don't want multiple directories when using the detail file reader.  See the comments in mods-available/detail

  Configure the detail module:

        filename = ${radacctdir}/copy/detail-%Y%m%d

  And then configure the reader:

        filename = ${radacctdir}/copy/detail-*

  And it will work.

  Alan DeKok.




Re: accounting to multiple servers

nicolas.ciuffolotti
Hi Alan
Sorry, really embarrassed, but in debug mode I have an error:

ERROR: (0) Cannot proxy to unknown realm elektra.ctsma02.com.ar
Debug: (0) detail (/var/log/radius/radacct/copy/detail-*): No response to request.  Will retry in 30 seconds


Again

My copy-acct-to-home-server file:
server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/copy/detail-%Y%m%d
        }
        preacct {
                update control {
                        &Proxy-To-Realm := "elektra.ctsma02.com.ar"
                }
        }
        accounting {
                ok
        }
}

and proxy.conf file:

home_server elektra.ctsma02.com.ar {
        type = acct
        ipaddr = 192.168.9.20
        port = 1813
        secret = ####
}

There is something that I cannot understand well.


Re: accounting to multiple servers

Alan DeKok-2
On Nov 20, 2020, at 10:04 AM, Nicolás Ciuffolotti <[hidden email]> wrote:
> Sorry, really embarrassed, but in debug mode I have an error:
>
> ERROR: (0) Cannot proxy to unknown realm elektra.ctsma02.com.ar

  Add it as a realm to proxy.conf?

> and proxy.conf file:
>
> home_server elektra.ctsma02.com.ar {

  "home server" is not "realm".

  This is very much documented in the "proxy.conf" file.

  Alan DeKok.



Re: accounting to multiple servers

nicolas.ciuffolotti
Sorry my mistake, I did not pass all the config
proxy.conf
home_server elektra {
        type = acct
        ipaddr = 192.168.9.20
        port = 1812
        secret = kari
}
home_server_pool elektra_pool {
        type = fail-over
        home_server = elektra
}
realm elektra {
        acct_pool = elektra_pool
}

copy-acct-to-home-server file:

update control {
                         &Proxy-To-Realm :="elektra"
                }

I just need to configure the servers (primary, secondary) to send copies
of the accounting information to each other.
I understand that copy-acct-to-home-server does this, but I have issues:

Proxy: Marking home server 192.168.9.20 port 1812 as zombie (it has not responded in 30.000000 seconds).
ERROR: (11) Failing proxied request for user "xxx", due to lack of any response from home server 192.168.9.20 port 1812
ERROR: (11) Failed to find live home server: Cancelling proxy
Debug: (11) detail (/var/log/radius/radacct/copy/detail-*): No response to request.  Will retry in 30 seconds


Re: accounting to multiple servers

Alan DeKok-2
On Nov 20, 2020, at 12:07 PM, Nicolás Ciuffolotti <[hidden email]> wrote:
>
> Sorry my mistake, I did not pass all the config

  We generally don't need to see the configuration.  We need to see the debug output.

  We also need people to pay careful attention to what they're doing.  In this case, you were proxying to a realm that didn't exist.  Instead of checking proxy.conf, you just gave up and asked the list what was wrong.  That means you want *us* to do work you're not willing to do.  This is not polite.

> copy-acct-to-home-server file:
>
> update control {
>                         &Proxy-To-Realm :="elektra"
>                }

  Yes... proxying to a KNOWN REALM is a good idea.

> I just need to configure the servers (primary, secondary) to send copies
> of the accounting information to each other.
> I understand that copy-acct-to-home-server does this, but I have issues:
>
> Proxy: Marking home server 192.168.9.20 port 1812 as zombie (it has not
> responded in 30.000000 seconds).
> ERROR: (11) Failing proxied request for user "xxx", due to lack of any
> response from home server 192.168.9.20 port 1812
> ERROR: (11) Failed to find live home server: Cancelling proxy
> Debug: (11) detail (/var/log/radius/radacct/copy/detail-*): No response to
> request.  Will retry in 30 seconds

  What part of that is unclear?  The home server isn't responding.

  How do you expect *us* to fix that issue?  What can *we* do to make the home server respond?

  What needs to happen is that YOU need to track down why the home server isn't responding.  This involves you doing work, and understanding the pieces involved.  i.e. where packets go, what the RADIUS server does, etc.  It could even involve looking at the DEBUG OUTPUT on the home server to see if it receives packets, and what it does with them.

  Alan DeKok.
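
The three problems hit in this thread (a detail reader filename carrying % expansions, Proxy-To-Realm naming something that is only a home_server, and a home server that never answers) can be checked offline before starting the server. The script below is an added example, not part of any post and not FreeRADIUS code; its parser only handles flat blocks with one home_server per pool, the sample input is constructed from the configurations posted above, and the port check is an added heuristic from the standard RADIUS port assignments (1812 authentication, 1813 accounting), not a diagnosis made in the thread.

```python
import re

def parse_blocks(text):
    """Map (kind, name) -> {key: value} for flat, un-nested proxy.conf blocks."""
    text = re.sub(r"#.*", "", text)  # drop comments
    pattern = r"\b(home_server|home_server_pool|realm)\s+(\S+)\s*\{([^{}]*)\}"
    return {(kind, name): dict(re.findall(r'(\w+)[ \t]*=[ \t]*"?([^\s"]+)', body))
            for kind, name, body in re.findall(pattern, text)}

def check(proxy_conf, reader_conf):
    """Return findings for the detail reader and its realm -> pool -> home_server chain."""
    findings, blocks = [], parse_blocks(proxy_conf)
    m = re.search(r"filename\s*=\s*(\S+)", reader_conf)
    if m and "%" in m.group(1):
        findings.append("reader filename contains % expansions; use a wildcard like detail-*")
    for realm in re.findall(r'Proxy-To-Realm\s*:=\s*"([^"]+)"', reader_conf):
        if ("realm", realm) not in blocks:
            findings.append(f"Proxy-To-Realm '{realm}' is not defined as a realm")
            continue
        cfg = blocks[("realm", realm)]
        pool = cfg.get("acct_pool") or cfg.get("pool")
        name = blocks.get(("home_server_pool", pool), {}).get("home_server")
        server = blocks.get(("home_server", name))
        if server is None:
            findings.append(f"realm '{realm}' does not resolve to a home_server")
        elif server.get("type") == "acct" and server.get("port") == "1812":
            findings.append(f"home_server '{name}' is type acct on port 1812 (default auth port)")
    return findings

# Constructed sample based on the proxy.conf and reader settings posted in the thread.
PROXY_CONF = """
home_server elektra {
    type = acct
    ipaddr = 192.168.9.20
    port = 1812
}
home_server_pool elektra_pool {
    type = fail-over
    home_server = elektra
}
realm elektra {
    acct_pool = elektra_pool
}
"""
READER = 'filename = ${radacctdir}/copy/detail-*\n&Proxy-To-Realm := "elektra"'

if __name__ == "__main__":
    for finding in check(PROXY_CONF, READER):
        print("WARN:", finding)
```
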



Re: accounting to multiple servers

nicolas.ciuffolotti
Sorry, it's clearly not my idea for someone to do the work for me. Again I
apologize and understand that it is not respectful.
Obviously I have an error in the configuration.
Thanks, and I promise to check my configuration and debug before sending to
the list.
