Proxy realms and home_server_pool fallback not working

Peter Lambrechtsen peter at crypt.co.nz
Tue Mar 8 10:24:08 CET 2016 

On Tue, Mar 8, 2016 at 3:04 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 7, 2016, at 3:22 AM, Peter Lambrechtsen <peter at crypt.co.nz> wrote:
> > Yes, I have figured that out. I'm now pinging all our downstream radius
> > clients to see which respond to something sane when sent a Status, and
> then
> > turning on Status server for them.
>
>   Or just send Access-Request with a fake username "thisismejusttesting".
> They'll respond with an Access-Reject, which is good enough to determine
> that they're alive.
>
> > What could I do in Post-Proxy-Type?
>
>   Anything you can do anywhere else.
>
>   The fallback virtual server is just there for ease of use.  But... it
> complicates the proxy handling, as you've seen.  A simpler approach is to
> put all of the "unlang" handling into... unlang.  And not into the proxy
> code.
>
> > As I can't call the virtual server,
>
>   We'll fix that for 3.2.
>
> > and
> > Proxy-To-Realm doesn't proxy to a new destination nor does setting the
> > control to accept.
>
>   The home server pools should take care of fail-over to another home
> server.  But yes, once the whole pool has failed... you can't send the
> packet to a different destination.  That's what home server pools are for...
>
> > There doesn't seem to be a way to turn a Reject from a
> > failed proxy request back into an Accept.
>
>   A failed proxy request is not really a reject... it's just a failed
> request.  And you can force it to be an Access-Accept via Post-Proxy-Type
> Fail:
>
> post-proxy {
>         ...
>
>         Post-Proxy-Type Fail-Authentication {
>                 update control {
>                         Response-Packet-Type := Access-Accept
>                 }
>
>         }
>         ...
> }
>
>
This doesn't seem to work in 3.0.x head, I will test it on 3.1.x tomorrow.

(0) ERROR: Failing proxied request for user "peter", due to lack of any
response from home server 192.168.1.113 port 1812
(0) Clearing existing &reply: attributes
(0) Found Post-Proxy-Type Fail-Authentication
(0) # Executing group from file ./sites-enabled/default
(0)   Post-Proxy-Type Fail-Authentication {
(0)     update control {
(0)       Response-Packet-Type := Access-Accept
(0)     } # update control = noop
(0)     policy accept {
(0)       update control {
(0)         &Response-Packet-Type = Access-Accept
(0)       } # update control = noop
(0)       [handled] = handled
(0)     } # policy accept = handled
(0)   } # Post-Proxy-Type Fail-Authentication = handled
(0) There was no response configured: rejecting request   <- How do I
configure a response?
(0) Using Post-Auth-Type Reject
(0) # Executing group from file ./sites-enabled/default
(0)   Post-Auth-Type REJECT {


  We'll work on simplifying that for 3.2, also.
>
> > Thanks for all your help on this, the fail-over with the second server
> > being the virtual seems to work well, just means I am restricted to a
> > single server and can't use load-balance. But having this config would be
> > my ideal:
> >
> > home_server_pool ProxyDestPool {
> >        type = load-balance
> >        home_server = ProxyDest1
> >        home_server = ProxyDest2
> >        home_server = ProxyDest3
> >        fallback = cacheuser
> > }
>
>   That works for me.  When all home servers in a "load-balance" pool are
> down, it uses the fallback virtual server:
>
> (0)   } # authorize = updated
> Home server pool example.net failing over to fallback example.net
> Proxying to virtual server example.net


I think this must work in 3.1 as it doesn't work for me in 3.0.x head from
last week, as I just tried this and fallback didn't seem to get applied at
all.

I'll test 3.1 head tomorrow morning.

More information about the Freeradius-Users mailing list