Home server failure messages

FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) andy.franks1 at nhs.net
Thu Nov 21 13:44:13 CET 2019


Hi Alan,
  Indeed it seems to in some circumstances; here's one where one server proxies to another, which in turn can't reach another external one, and the failure message is passed across:

Server where the request is received (from radtest):
I've edited it a bit for brevity; hopefully that's OK.

..
(1) Proxying request to home server 192.168.110.46 port 2083 (TLS) timeout 30.000000
..
Thread 2 waiting to be assigned a request
(1) Expecting proxy response no later than 29.693518 seconds from now
Waking up in 29.6 seconds.
Suppressing duplicate proxied request (tcp) to home server 192.168.110.46 port 2083 proto TCP - ID: 172
Waking up in 25.0 seconds.
Suppressing duplicate proxied request (tcp) to home server 192.168.110.46 port 2083 proto TCP - ID: 172
Waking up in 20.0 seconds.
(1) No proxy response, giving up on request and marking it done
Marking home server 192.168.110.46 port 2083 as zombie (it has not responded in 30.000000 seconds).
(1) ERROR: Failing proxied request for user "user at my.realm", due to lack of any response from home server 192.168.110.46 port 2083
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 1, (1 handled so far)
(1) Clearing existing &reply: attributes
(1) Found Post-Proxy-Type Fail-Authentication
(1) server default {
(1)   Post-Proxy-Type sub-section not found.  Ignoring.
(1)   # Executing group from file /etc/freeradius/sites-enabled/default
(1) }
(1) Login incorrect (Home Server failed to respond): [testuser1 at sth.nhs.uk] (from client localhost_ipv6 port 1)
(1) There was no response configured: rejecting request
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Post-Auth-Type REJECT {
..
(1)        if ( &Module-Failure-Message )  {
(1)               update control {
(1)                 EXPAND Reject : %{Module-Failure-Message}
(1)                    --> Reject : Failing proxied request for user \"testuser1 at sth.nhs.uk\", due to lack of any response from home server 192.168.110.46 port 2083
(1)                 Outcome := Reject : Failing proxied request for user "testuser1 at sth.nhs.uk", due to lack of any response from home server 192.168.110.46 port 2083
(1)                 EXPAND %{Module-Failure-Message}



.. but if it can't connect at all to the next server in line, for example because FR is down and the port is closed, it seems to miss out the post-proxy bit (probably by design?) and then there's no available Module-Failure-Message attribute value.

Starting proxy to home server 192.168.110.46 port 2083
(0) server default {
(0) }
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(0) Failed to insert request into the proxy list
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Post-Auth-Type REJECT {
..
(0)     if ( &Module-Failure-Message ) {
(0)             if ( &Module-Failure-Message )  -> FALSE
(0)           } # else = noop

Again, maybe my intuition is a bit off and I expect something which for some reason is designed a different way!

Thanks again
Andy
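The two failure signatures quoted in the message above, as an added example that is not part of the thread or of FreeRADIUS itself: a small Python scanner over radiusd -X output that classifies a home server timing out (marked zombie) and a home server refusing the TCP connection, so the connection-refused case can still be reported even though, as the second debug log shows, no Module-Failure-Message is available for it. The sample lines are constructed from the quoted output, and the patterns assume the exact message wordings shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the radiusd -X lines quoted in the thread:
# a 30 s timeout (home server marked zombie) and a TCP connection refused.
SAMPLE_LOG = """\
(1) Proxying request to home server 192.168.110.46 port 2083 (TLS) timeout 30.000000
Marking home server 192.168.110.46 port 2083 as zombie (it has not responded in 30.000000 seconds).
(1) ERROR: Failing proxied request for user "user at my.realm", due to lack of any response from home server 192.168.110.46 port 2083
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(0) Failed to insert request into the proxy list
"""

# One pattern per failure signature seen in the thread; every pattern yields host, port and detail.
PATTERNS = {
    "zombie": re.compile(r"Marking home server (?P<host>\S+) port (?P<port>\d+) as zombie \((?P<detail>[^)]*)\)"),
    "connect_failed": re.compile(r"Failed opening new proxy socket '.*?-> home_server \((?P<host>[^,]+), (?P<port>\d+)\)' : (?P<detail>.*)$"),
    "no_response": re.compile(r'ERROR: Failing proxied request for user "(?P<detail>[^"]+)", due to lack of any response from home server (?P<host>\S+) port (?P<port>\d+)'),
}

@dataclass(frozen=True)
class HomeServerEvent:
    kind: str    # "zombie", "connect_failed" or "no_response"
    host: str
    port: int
    detail: str  # timeout text, socket error text, or the user whose request failed

def parse_line(line: str) -> Optional[HomeServerEvent]:
    """Classify one debug line; None for lines that are not a home-server failure."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return HomeServerEvent(kind, m["host"], int(m["port"]), m["detail"])
    return None

def scan(log: str) -> List[HomeServerEvent]:
    """All home-server failure events in a debug log, in log order."""
    return [ev for ev in map(parse_line, log.splitlines()) if ev is not None]

def summarize(events: List[HomeServerEvent]) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Failure counts per (host, port). The "connect_failed" entries are the ones the
    post-proxy section never ran for, so they carry no Module-Failure-Message."""
    summary: Dict[Tuple[str, int], Dict[str, int]] = {}
    for ev in events:
        counts = summary.setdefault((ev.host, ev.port), {})
        counts[ev.kind] = counts.get(ev.kind, 0) + 1
    return summary
```

Feeding the real debug output (or the main log, which carries the same "Marking home server ... as zombie" and socket messages) into scan() gives a per-server failure tally that does not depend on the post-proxy section having run.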


-----Original Message-----
From: Alan DeKok <aland at deployingradius.com>
Sent: 20 November 2019 19:01
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) <andy.franks1 at nhs.net>
Subject: Re: Home server failure messages

On Nov 20, 2019, at 11:16 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
>  Is there a way I can pick up (and report) failures for connections to home servers?

  The post-proxy section is still run, and Module-Failure-Message should be set.

  Alan DeKok.


