Freeradius stale sessions (no SQL scenario)

Roman romeo.r at gmail.com
Fri Nov 4 09:20:31 CET 2016


2016-11-04 9:33 GMT+02:00 Roman <romeo.r at gmail.com>:

>
>
> 2016-11-03 17:31 GMT+02:00 Alan DeKok <aland at deployingradius.com>:
>
>>
>> > On Nov 3, 2016, at 7:18 AM, Roman <romeo.r at gmail.com> wrote:
>> > Sometimes I do some networking downtimes and during these periods I'm
>> > getting pretty much stale sessions in radwho output. I understand why it
>> > happens, but all I want to do is to clear them automatically, when user
>> > logs in.
>> >
>> > So what I've done is added this line:
>> >
>> >   exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");
>> >
>> > to this part of checkrad code for mikrotik sub.
>>
>>   Please don't do that.  It's not necessary.
>
>
>>   The purpose of checkrad is to tell the server if the session is still
>> up.  If it isn't the server will automatically create a "zap" packet, and
>> remove the session.
>>
>
> Thanks for an answer. But it seems like it is not. If I stop freeradius
> and disconnect the user from NAS/PPPoE server manually, start the
> freeradius server and user connects, Freeradius just freezes and there are
> some logs like these:
>
> Fri Nov  4 09:22:22 2016 : Error: (0) Ignoring duplicate packet from
> client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in
> component session module radutmp
> Fri Nov  4 09:22:30 2016 : Error: (0) Ignoring duplicate packet from
> client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in
> component session module radutmp
> Fri Nov  4 09:22:37 2016 : Error: (1) Ignoring duplicate packet from
> client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in
> component session module radutmp
> Fri Nov  4 09:22:45 2016 : Error: (1) Ignoring duplicate packet from
> client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in
> component session module radutmp
> Fri Nov  4 09:22:47 2016 : Error: Unresponsive child for request 0, in
> component session module radutmp
>
> If I run it in debug mode, these are the last lines:
>
> Ready to process requests
> (0) Received Access-Request Id 192 from IP:44964 to IP:1812 length 150
> (0)   Service-Type = Framed-User
> (0)   Framed-Protocol = PPP
> (0)   NAS-Port = 15729029
> (0)   NAS-Port-Type = Ethernet
> (0)   User-Name = "tt23kswp17"
> (0)   Calling-Station-Id = "00:A0:C5:3F:13:2D"
> (0)   Called-Station-Id = "cli-ter1"
> (0)   NAS-Port-Id = "Eth7-PPPoE"
> (0)   CHAP-Challenge = 0xd2cd740b875babcdc257988ee1c00466
> (0)   CHAP-Password = 0x01f43d52627cb7db7466e0a2959d3cfea5
> (0)   NAS-Identifier = "cli-ter1"
> (0)   NAS-IP-Address = IP
> (0) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0) auth_log: EXPAND /var/log/freeradius/radacct/%{
> %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0) auth_log:    --> /var/log/freeradius/radacct/IP/auth-detail-20161104
> (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to
> /var/log/freeradius/radacct/IP2/auth-detail-20161104
> (0) auth_log: EXPAND %t
> (0) auth_log:    --> Fri Nov  4 09:24:57 2016
> (0)     [auth_log] = ok
> (0) chap:   &control:Auth-Type := CHAP
> (0)     [chap] = ok
> (0)     [mschap] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) files: users: Matched entry tt23kswp17 at line 107
> (0)     [files] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = CHAP
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0)   Auth-Type CHAP {
> (0) chap: Comparing with "known good" Cleartext-Password
> (0) chap: CHAP user "tt23kswp17" authenticated successfully
> (0)     [chap] = ok
> (0)   } # Auth-Type CHAP = ok
> (0) # Executing section session from file /etc/freeradius/sites-enabled/
> default
> (0)   session {
> (0) radutmp: EXPAND /var/log/freeradius/radutmp
> (0) radutmp:    --> /var/log/freeradius/radutmp
> (0) radutmp: EXPAND %{User-Name}
> (0) radutmp:    --> tt23kswp17
> (0) # Executing section preacct from file /etc/freeradius/sites-enabled/
> default
> (0)   preacct {
> (0)     [preprocess] = ok
> (0)     policy acct_unique {
> (0)       if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
> (0)       EXPAND %{string:Class}
> (0)          -->
> (0)       if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i)  -> FALSE
> (0)       else {
> (0)         update request {
> (0)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
> Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (0)              --> 97445737b73ef01afe83c8b742ef8bdb
> (0)           &Acct-Unique-Session-Id := 97445737b73ef01afe83c8b742ef8bdb
> (0)         } # update request = noop
> (0)       } # else = noop
> (0)     } # policy acct_unique = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0)     [files] = noop
> (0)   } # preacct = ok
> (0) # Executing section accounting from file /etc/freeradius/sites-enabled/
> default
> (0)   accounting {
> (0) detail: EXPAND /var/log/freeradius/radacct/%{
> %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> (0) detail:    --> /var/log/freeradius/radacct/IP/detail-20161104
> (0) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to
> /var/log/freeradius/radacct/IP/detail-20161104
> (0) detail: EXPAND %t
> (0) detail:    --> Fri Nov  4 09:24:57 2016
> (0)     [detail] = ok
> (0)     [unix] = ok
>
> and the mikrotik_snmp sub part is here:
>
> sub mikrotik_snmp {
>
>   # Set SNMP version
>   # MikroTik only supports version 1
>   $snmp_version = "1";
>
>   # Look up community string in naspasswd file.
>   ($login, $password) = naspasswd($ARGV[1], 1);
>   if ($login && $login ne 'SNMP') {
>     if($debug) {
>       print LOG "Error: Need SNMP community string for $ARGV[1]\n";
>     }
>     return 2;
>   } else {
>   # If password is defined in naspasswd file, use it as community,
>   # otherwise use $cmmty_string
>     if ($password eq '') {
>       $password = "$cmmty_string";
>     }
>   }
>
>   # We want interface descriptions
>   $oid = "ifDescr";
>
>   # Mikrotik doesnt give port IDs correctly to RADIUS :(
>   # practically this would limit us to a simple only-one user limit for
>   # this script to work properly.
>   @output = snmpwalk_prog($ARGV[1], $password, "$oid");
>
>   foreach $line ( @output ) {
>     #remove newline
>     chomp $line;
>     #remove trailing whitespace
>     ($line = $line) =~ s/\s+$//;
>     if( $line =~ /<.*-$ARGV[3]>/ ) {
>       $username_seen++;
>     }
>   }
>   # lets return something
>   if ($username_seen > 0) {
>     return 1;
>   } else {
>     return 0;
>   }
> }
>
>
> Version:
> radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on
> Jul 13 2016 at 02:30:07
>
>
Just to add, if I watch tcpdump, everything ends on this step:

.....
 GetResponse(49)
 interfaces.ifTable.ifEntry.ifDescr.15728810="<pppoe-huumorfm>"
 GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15728810
 GetResponse(48)
 interfaces.ifTable.ifEntry.ifDescr.15728815="<pppoe-ttq0316>"
 GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15728815
 GetResponse(47)
 interfaces.ifTable.ifEntry.ifDescr.15728816="<pppoe-oi1015>"
GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15728816
 GetResponse(48)
 interfaces.ifTable.ifEntry.ifDescr.15728837="<pppoe-linktel>"
GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15728837
 GetResponse(47)
 interfaces.ifTable.ifEntry.ifDescr.15728991="<pppoe-am0215>"
GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15728991
 GetResponse(47)
 interfaces.ifTable.ifEntry.ifDescr.15728997="<pppoe-lvoris>"
 GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15728997
 GetResponse(48)
 interfaces.ifTable.ifEntry.ifDescr.15729014="<pppoe-arx0616>"
GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15729014
GetResponse(52)
 interfaces.ifTable.ifEntry.ifDescr.15729015="<pppoe-koeruswfa24>"
GetNextRequest(33)  interfaces.ifTable.ifEntry.ifDescr.15729015
 GetResponse(31)  interfaces.ifTable.ifEntry.ifType.1=6

So basically checkrad runs well until it gets the interfaces list... or
until its line @output = snmpwalk_prog($ARGV[1], $password, "$oid");
and then freezes.

-- 
Best regards,
Roman.
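Added example, not checkrad or FreeRADIUS code: a stand-alone Python equivalent of the mikrotik_snmp check quoted above. It walks ifDescr and reports 1 when an interface named `<pppoe-USERNAME>` exists, but escapes the username before building the regex (the Perl interpolates `$ARGV[3]` unescaped) and bounds the SNMP walk with a hard timeout so an unanswering NAS returns "unknown" instead of blocking the session module. It assumes net-snmp's `snmpwalk` is on PATH; the walk output below is constructed.

```python
import re
import subprocess

# Constructed sample walk output in net-snmp style; the ifIndex values and
# interface names are made up, shaped like the ones in the thread.
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: ether1
IF-MIB::ifDescr.15728810 = STRING: <pppoe-huumorfm>
IF-MIB::ifDescr.15729014 = STRING: <pppoe-arx0616>
IF-MIB::ifDescr.15729029 = STRING: <pppoe-tt23kswp17>
"""

# Accepts both the net-snmp rendering (ifDescr.N = STRING: x) and the
# tcpdump rendering seen in the thread (ifDescr.N="x").
IFDESCR_RE = re.compile(r'ifDescr\.(\d+)\s*=\s*(?:STRING:\s*)?"?(.*?)"?\s*$')

def parse_ifdescr(text):
    """Return {ifIndex: description} for every ifDescr line in a walk."""
    descrs = {}
    for line in text.splitlines():
        m = IFDESCR_RE.search(line.rstrip())
        if m:
            descrs[int(m.group(1))] = m.group(2)
    return descrs

def session_is_up(descrs, username):
    """checkrad semantics: 1 if some ifDescr matches <*-USERNAME>, else 0.
    re.escape() keeps a username such as ".*" from matching every PPPoE
    interface, which unescaped interpolation into the regex would allow."""
    pat = re.compile(r"<.*-" + re.escape(username) + r">")
    return 1 if any(pat.search(d) for d in descrs.values()) else 0

def check_nas(nas, community, username, timeout=5.0):
    """Run snmpwalk (assumed: net-snmp CLI) with a hard timeout. Returns 0/1
    as above, or 2 (the value the posted sub returns on error) when the NAS
    does not answer in time, so the caller never waits indefinitely."""
    cmd = ["snmpwalk", "-v1", "-c", community, nas, "ifDescr"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout, check=False)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return 2
    return session_is_up(parse_ifdescr(out.stdout), username)

if __name__ == "__main__":
    d = parse_ifdescr(SAMPLE_WALK)
    print(session_is_up(d, "tt23kswp17"), session_is_up(d, "nobody"))
```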

