2016-11-04 9:33 GMT+02:00 Roman <romeo.r@gmail.com>:
2016-11-03 17:31 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Nov 3, 2016, at 7:18 AM, Roman <romeo.r@gmail.com> wrote: Sometimes I do some networking downtimes and during these periods I'm getting pretty much stale sessions in radwho output. I understand why it happens, but all I want to do is to clear them automatically, when user logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
Please don't do that. It's not necessary.
The purpose of checkrad is to tell the server if the session is still up. If it isn't the server will automatically create a "zap" packet, and remove the session.
Thanks for an answer. But it seems like it is not. If I stop freeradius and disconnect the user from NAS/PPPoE server manually, start the freeradius server and user connects, Freeradius just freezes and there are some logs like these:
Fri Nov 4 09:22:22 2016 : Error: (0) Ignoring duplicate packet from client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component session module radutmp Fri Nov 4 09:22:30 2016 : Error: (0) Ignoring duplicate packet from client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component session module radutmp Fri Nov 4 09:22:37 2016 : Error: (1) Ignoring duplicate packet from client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component session module radutmp Fri Nov 4 09:22:45 2016 : Error: (1) Ignoring duplicate packet from client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component session module radutmp Fri Nov 4 09:22:47 2016 : Error: Unresponsive child for request 0, in component session module radutmp
If I run it in debug mode, these are the last lines:
Ready to process requests (0) Received Access-Request Id 192 from IP:44964 to IP:1812 length 150 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15729029 (0) NAS-Port-Type = Ethernet (0) User-Name = "tt23kswp17" (0) Calling-Station-Id = "00:A0:C5:3F:13:2D" (0) Called-Station-Id = "cli-ter1" (0) NAS-Port-Id = "Eth7-PPPoE" (0) CHAP-Challenge = 0xd2cd740b875babcdc257988ee1c00466 (0) CHAP-Password = 0x01f43d52627cb7db7466e0a2959d3cfea5 (0) NAS-Identifier = "cli-ter1" (0) NAS-IP-Address = IP (0) # Executing section authorize from file /etc/freeradius/sites-enabled/ default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{ %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/IP/auth-detail-20161104 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/IP2/auth-detail-20161104 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Nov 4 09:24:57 2016 (0) [auth_log] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) files: users: Matched entry tt23kswp17 at line 107 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type CHAP { (0) chap: Comparing with "known good" Cleartext-Password (0) chap: CHAP user "tt23kswp17" authenticated successfully (0) [chap] = ok (0) } # Auth-Type CHAP = ok (0) # Executing section session from file /etc/freeradius/sites-enabled/ default (0) session { (0) radutmp: EXPAND /var/log/freeradius/radutmp (0) radutmp: --> /var/log/freeradius/radutmp (0) radutmp: EXPAND %{User-Name} (0) radutmp: --> tt23kswp17 (0) # Executing section preacct from file /etc/freeradius/sites-enabled/ default (0) preacct { (0) [preprocess] = ok (0) policy acct_unique { (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (0) EXPAND %{string:Class} (0) --> (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6- Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> 97445737b73ef01afe83c8b742ef8bdb (0) &Acct-Unique-Session-Id := 97445737b73ef01afe83c8b742ef8bdb (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) [files] = noop (0) } # preacct = ok (0) # Executing section accounting from file /etc/freeradius/sites-enabled/ default (0) accounting { (0) detail: EXPAND /var/log/freeradius/radacct/%{ %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (0) detail: --> /var/log/freeradius/radacct/IP/detail-20161104 (0) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/IP/detail-20161104 (0) detail: EXPAND %t (0) detail: --> Fri Nov 4 09:24:57 2016 (0) [detail] = ok (0) [unix] = ok
and the mikrotik_snmp sub part is here:
sub mikrotik_snmp {
# Set SNMP version # MikroTik only supports version 1 $snmp_version = "1";
# Look up community string in naspasswd file. ($login, $password) = naspasswd($ARGV[1], 1); if ($login && $login ne 'SNMP') { if($debug) { print LOG "Error: Need SNMP community string for $ARGV[1]\n"; } return 2; } else { # If password is defined in naspasswd file, use it as community, # otherwise use $cmmty_string if ($password eq '') { $password = "$cmmty_string"; } }
# We want interface descriptions $oid = "ifDescr";
# Mikrotik doesnt give port IDs correctly to RADIUS :( # practically this would limit us to a simple only-one user limit for # this script to work properly. @output = snmpwalk_prog($ARGV[1], $password, "$oid");
foreach $line ( @output ) { #remove newline chomp $line; #remove trailing whitespace ($line = $line) =~ s/\s+$//; if( $line =~ /<.*-$ARGV[3]>/ ) { $username_seen++; } } #lets return something if ($username_seen > 0) { return 1; } else { return 0; } }
Version: radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on Jul 13 2016 at 02:30:07
Just to add, if I watch tcpdump, everything ends on this step: ..... GetResponse(49) interfaces.ifTable.ifEntry.ifDescr.15728810="<pppoe-huumorfm>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728810 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15728815="<pppoe-ttq0316>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728815 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728816="<pppoe-oi1015>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728816 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15728837="<pppoe-linktel>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728837 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728991="<pppoe-am0215>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728991 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728997="<pppoe-lvoris>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728997 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15729014="<pppoe-arx0616>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15729014 GetResponse(52) interfaces.ifTable.ifEntry.ifDescr.15729015="<pppoe-koeruswfa24>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15729015 GetResponse(31) interfaces.ifTable.ifEntry.ifType.1=6 So basically checkrad runs well until it gets the interfaces list... or until it's line @output = snmpwalk_prog($ARGV[1], $password, "$oid"); And then freezes. -- Best regards, Roman.