Reporting from logs

Phil Mayers p.mayers at imperial.ac.uk
Tue Sep 25 17:28:56 CEST 2012


On 25/09/12 15:34, Matthew Newton wrote:
> Hi,
>
> On Tue, Sep 25, 2012 at 03:00:26PM +0100, Phil Mayers wrote:
>> On 25/09/12 14:39, Matthew Newton wrote:
>> How do you relay post-auth? That's one of the main reasons we still
>> use rlm_sql_log, as opposed to the built in "detail" listener.
>
> Pure total hackery.
>
> linelog can include '\n' in the output so can simlulate the detail
> module for given attributes. The relayed auth packets are sent on
> the wire as acct packets...

You, sir, win a prize! That's simultaneously clever and vile. I'm 
disappointed I didn't think of it!

> My reason for avoiding SQL was because I didn't want an SQL
> problem to slow down or stop the main RADIUS servers, either in
> the event of database failure, or just database slowness. Writing

Absolutely. Writing to an intermediate non-blocking location is, IMO, 
essential at any scale.

We started with rlm_sql_log back in the 1.1.x days. We needed to 
replicate post-auth as well as accounting packets, because some of our 
NASes [some switches doing mac-auth] don't generate accounting - just 
re-auth ever half hour. We simulate an accounting update-or-insert on 
the central SQL server using a trigger for these devices.

I almost wonder if an "rlm_inject" might not be generally useful; in 
particular, we could generate our simulated accounting internally to the 
radius servers, rather than via an SQL procedure:

modules {
   inject fake_acct {
     type = acct
     virtual_server = blah
     attrs = {
       Acct-Status-Type = "%{...}"
     }
   }
}

server blah {
   accounting {
     # something else reads/relays the detail file
     detail
   }
   post-auth {
     if (Crappy-NAS) {
       fake_acct
     }
   }
}

Doesn't look hard; maybe I'll take a look at it.


More information about the Freeradius-Users mailing list