Issues with building Freeradius on CentOS 6.5: need rlm_cache

Brandon Jozsa bjozsa at gmail.com
Sat Jun 14 20:53:07 CEST 2014


Ok, so now that I have this working...rlm_cache is loading just fine, but I
think I may be making an error (based on what I want to achieve anyway).
I've taken information from the article
http://wiki.freeradius.org/modules/Rlm_cache#Two-call-caching, and I see
the cache working, but is it in the wrong place?

My hope was that if the user doesn't exist in sql (which "tester" doesn't)
then forward. When you get a response, cache these attributes (user
account, authZ privileges, etc) back into the sql database. I don't see any
updates to the radcheck table, but I'm not 100% sure if that's where it
should go. Sorry for being slow here...can anyone help, or do I have this
wrong? I'm probably missing something easy here or just getting the
formatting wrong.

Output (I can give more if necessary):

[sql] User tester not found
+++[sql] = notfound
++} # if (notfound) = notfound
++update control {
++} # update control = noop
[cache] expand: %{User-Name} -> tester
[cache] expand: reply:Reply-Message -> reply:Reply-Message
[cache] expand: Cache last updated at %t -> Cache last updated at Fri Jun
13 16:41:10 2014
[cache] expand: ssssssssssssssssssssssssssssssss ->
ssssssssssssssssssssssssssssssss
[cache] expand: %{randstr:ssssssssssssssssssssssssssssssss} ->
gcEKJNqJQcCe4J4qSRlEciZ7DYDhJW7e
rlm_cache: Adding entry for "tester", with TTL of 10
++[cache] = updated
+} # group authorize = updated
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 182 to 192.168.1.35 port 1812
User-Name = "tester"
User-Password = "suckit"
NAS-IP-Address = 192.168.1.136
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313133
Proxying request 0 to home server 192.168.1.35 port 1812
Sending Access-Request of id 182 to 192.168.1.35 port 1812
User-Name = "tester"
User-Password = "suckit"
NAS-IP-Address = 192.168.1.136
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313133
Going to the next request
Waking up in 0.9 seconds.
Waking up in 19.0 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 42674, id=113,
length=76
Sending duplicate proxied request to home server 192.168.1.35 port 1812 -
ID: 182
Sending Access-Request of id 182 to 192.168.1.35 port 1812
User-Name = "tester"
User-Password = "suckit"
NAS-IP-Address = 192.168.1.136
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313133
Waking up in 14.9 seconds.
rad_recv: Access-Accept packet from host 192.168.1.35 port 1812, id=182,
length=25
Proxy-State = 0x313133

The config under authorize section:
############ CUSTOM AUTHORIZE STATEMENTS ############
        if (!notfound) {
                update control {
                Proxy-To-Realm := "DARTH_RSA"
                }
        }
############ CUSTOM CACHING REQUIREMENTS ############
        update control {
                Cache-Status-Only = 'yes'
        }
        cache
        if (notfound) {
                sql
        }
        update control {
                Cache-Status-Only := 'no'
        }
        cache
############ CUSTOM AUTHORIZE STATEMENTS ############


On Thu, Jun 12, 2014 at 11:50 PM, Brandon Jozsa <bjozsa at gmail.com> wrote:

> Hello,
>
> I've been trying to work through the issues and by searching high and low
> for solutions before turning to this users list. I'm sorry if this is a
> stupid question (I've seen worse though, so maybe I shouldn't feel bad).
>
> I have a very high need to use the rlm_cache module with Freeradius on
> CentOS 6.5. I'm trying to first use the statement:
>
> ----- snipped -----
>
> authorize {
>         if (!notfound) {
>                 update control {
>                 Proxy-To-Realm := "SOME_REALM"
>                 }
>         }
> ----- snipped -----
>
> which works GREAT alone...but I also want to use the cache function like
> so:
>
> ----- snipped -----
>         update control {
>                 Cache-Status-Only = 'yes'
>         }
>         cache
>         if (notfound) {
>                 sql
>         }
>         update control {
>                 Cache-Status-Only := 'no'
>         }
>         cache
>
> ----- snipped -----
>
> which doesn't work (obviously) because rlm_cache isn't included with
> 2.1.12, or so it seems anyway.
>
> My hope is (it is a hope anyway) that I can collect authN/authZ replies
> from an upstream radius server and cache them locally; thus building a
> mysql database of users' access/privileges and let this run on an
> environment before cutting completely over to our new Freeradius setup.
> Again, I'm hoping it can work like this...getting rid of RSA and using
> LinOTP or MOTP would be so nice; it would be more flexible and
> user-friendly, but I really need to collect authN and authZ in order to rebuild
> our massive user-base.
>
> My issue...CentOS, which is our "approved platform" (I'm rolling my eyes
> and giving air quotes), doesn't have a newer version of Freeradius other
> than 2.1.12. I think the rlm_cache modules are only included in 3.0.0 and
> higher, is that right?
>
> So, I started looking on how to build from source...and I found one; great
> news I thought!! Enter:
> http://confluence.diamond.ac.uk/display/PAAUTH/FreeRADIUS+specs+and+sources+for+CentOS+6.
> I thought this would save the day, but there are broken links for 3.0.0 and
> I am running into major issues; it just doesn't seem to work at all. I also
> tried to build it out, take the rlm_cache.so lib over to my 2.1.12
> installation, but Freeradius barfed all over that little trick.
>
> What are my options here? I could really use some help. Any ideas?
>
> --
> Brandon
>



-- 
Brandon
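The flow the post describes, written out as an added example in FreeRADIUS 3.0 unlang (not the poster's config): the status-only call in authorize, a local accept on a hit, proxying on a miss, and the cache entry created in post-auth once the home server's reply is actually present. Module, section and attribute names are FreeRADIUS' own; the realm name comes from the post, the ttl and cached attributes are assumptions.

```unlang
# mods-available/cache: what to remember per user, keyed on User-Name (assumed ttl).
# Entries live in server memory (3.0 rbtree driver); nothing is written to radcheck.
cache {
        key = "%{User-Name}"
        ttl = 600
        update {
                # copy what the home server put in the reply (pair skipped if absent)
                reply:Class := &reply:Class
                reply:Reply-Message := &reply:Reply-Message
        }
}
# sites-available/default
authorize {
        # first call: only ask whether an entry exists; do not merge or create one
        update control {
                Cache-Status-Only := 'yes'
        }
        cache
        if (ok) {
                # hit: second call merges the cached reply attributes, then accept
                # locally instead of proxying again
                update control {
                        Cache-Status-Only := 'no'
                }
                cache
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                # miss: try local SQL; users unknown to SQL go to the home server
                sql
                if (notfound) {
                        update control {
                                Proxy-To-Realm := "DARTH_RSA"
                        }
                }
        }
}
post-auth {
        # runs only for Access-Accept; for a proxied request the reply list now
        # holds the home server's attributes, so this is where the entry is created
        if (&control:Proxy-To-Realm) {
                update control {
                        Cache-Status-Only := 'no'
                }
                cache
        }
}
```

In the posted config the entry is created in authorize before the request is proxied, so the reply list is still empty when the cache copies it; calling cache after the reply arrives fixes that. Persisting the upstream reply into the SQL tables is a separate step that rlm_cache does not do.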