hi, found in user file because "files: users: Matched entry healthcheckVIP at line 91" . - whats in line 91 of your users file? I would adjust the check.... how often is this health check running? Your check should be reversed, I think, such that if its the monitoring user-name then you do X, else do Y. but another thing - the monitor user will have specific other attributes that the normal traffic wont have - the NAS-IP-Address or such..you also want that in as a check item for your logic - be specific as possible for your health check... would be even better if you could direct that to its own virtual server but maybe thats too much to ask for. alan On Thu, 3 Jan 2019 at 14:50, CALMELS, Thierry (SOGETI REGIONS SAS) < thierry.calmels.external@airbus.com> wrote:
Happy new year Alan,
As new resolution, I decided to re-contact you about the same topic^^ Below, the old thread.
This is the *first* time you mentioned that there's a "healthcheckVIP" user name. If you had said that at the START of the conversation, I would have been able to give you better advice. Not really - this username was mentioned in my first mail. This username (+password+PSK) are configured on LB F5 in front of the RADIUS PROXY.
If only there was some kind of debug output which you could post to the list, so that *experts* could read it and give you useful advice Below a trace involving the local user "healthcheckVIP".
Reminder: the aim is to validate that the condition on &User-Name is acceptable or not. The functional test made by the LB is OK but the implementation on RADIUS side can be improved.... Without this condition, I don't understand why although the user was find in files repository, we chain to the perl module...
Thu Jan 3 15:05:12 2019 : Debug: (2) Received Access-Request Id 152 from 11.126.112.186:38553 to 11.126.109.241:1812 length 95 Thu Jan 3 15:05:12 2019 : Debug: (2) User-Name = "healthcheckVIP" Thu Jan 3 15:05:12 2019 : Debug: (2) User-Password = "xxxxxxxxxx" Thu Jan 3 15:05:12 2019 : Debug: (2) NAS-IP-Address = 11.147.11.193 Thu Jan 3 15:05:12 2019 : Debug: (2) NAS-Identifier = "m880gbigip1-val.fr.eu.airbus.corp" Thu Jan 3 15:05:12 2019 : Debug: (2) session-state: No State attribute Thu Jan 3 15:05:12 2019 : Debug: (2) # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jan 3 15:05:12 2019 : Debug: (2) authorize { Thu Jan 3 15:05:12 2019 : Debug: (2) policy filter_username { Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name) { Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name) -> TRUE Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name) { Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ / /) { Thu Jan 3 15:05:12 2019 : Debug: No matches Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ / /) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@[^@]*@/ ) { Thu Jan 3 15:05:12 2019 : Debug: No matches Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.\./ ) { Thu Jan 3 15:05:12 2019 : Debug: No matches Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.\./ ) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Thu Jan 3 15:05:12 2019 : Debug: No matches Thu Jan 3 15:05:12 2019 : Debug: (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.$/) { Thu Jan 3 15:05:12 2019 : Debug: No matches Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.$/) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@\./) { Thu Jan 3 15:05:12 2019 : Debug: No matches Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@\./) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) } # if (&User-Name) = notfound Thu Jan 3 15:05:12 2019 : Debug: (2) } # policy filter_username = notfound Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling preprocess (rlm_preprocess) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from preprocess (rlm_preprocess) Thu Jan 3 15:05:12 2019 : Debug: (2) [preprocess] = ok Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling chap (rlm_chap) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from chap (rlm_chap) Thu Jan 3 15:05:12 2019 : Debug: (2) [chap] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling mschap (rlm_mschap) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from mschap (rlm_mschap) Thu Jan 3 15:05:12 2019 : Debug: (2) [mschap] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling digest (rlm_digest) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from digest (rlm_digest) Thu Jan 3 15:05:12 2019 : Debug: (2) [digest] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling suffix (rlm_realm) Thu Jan 3 15:05:12 2019 : Debug: (2) suffix: Checking for suffix after "@" Thu Jan 3 15:05:12 2019 : Debug: (2) suffix: No '@' in User-Name = "healthcheckVIP", looking up realm NULL Thu Jan 3 15:05:12 2019 : Debug: (2) suffix: No such realm "NULL" Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from suffix (rlm_realm) Thu Jan 3 15:05:12 2019 : Debug: (2) [suffix] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling eap (rlm_eap) Thu Jan 3 15:05:12 2019 : Debug: (2) eap: No EAP-Message, not doing EAP Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from eap (rlm_eap) Thu Jan 3 15:05:12 2019 : Debug: (2) [eap] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling files (rlm_files) Thu Jan 3 15:05:12 2019 : Warning: Found User-Password == "..." Thu Jan 3 15:05:12 2019 : Warning: Are you sure you don't mean Cleartext-Password? Thu Jan 3 15:05:12 2019 : Warning: See "man rlm_pap" for more information Thu Jan 3 15:05:12 2019 : Debug: (2) files: users: Matched entry healthcheckVIP at line 91 Thu Jan 3 15:05:12 2019 : Debug: (2) files: ::: FROM 0 TO 0 MAX 0 Thu Jan 3 15:05:12 2019 : Debug: (2) files: ::: TO in 0 out 0 Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from files (rlm_files) Thu Jan 3 15:05:12 2019 : Debug: (2) [files] = ok Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name != 'healthcheckVIP' && &User-Name != 'monitoringUser') { Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name != 'healthcheckVIP' && &User-Name != 'monitoringUser') -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling expiration (rlm_expiration) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from expiration (rlm_expiration) Thu Jan 3 15:05:12 2019 : Debug: (2) [expiration] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling logintime (rlm_logintime) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from logintime (rlm_logintime) Thu Jan 3 15:05:12 2019 : Debug: (2) [logintime] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling pap (rlm_pap) Thu Jan 3 15:05:12 2019 : WARNING: (2) pap: Auth-Type already set. Not setting to PAP Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned from pap (rlm_pap) Thu Jan 3 15:05:12 2019 : Debug: (2) [pap] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) } # authorize = ok Thu Jan 3 15:05:12 2019 : Debug: (2) Found Auth-Type = Accept Thu Jan 3 15:05:12 2019 : Debug: (2) Auth-Type = Accept, accepting the user Thu Jan 3 15:05:12 2019 : Debug: (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default Thu Jan 3 15:05:12 2019 : Debug: (2) post-auth { Thu Jan 3 15:05:12 2019 : Debug: (2) update { Thu Jan 3 15:05:12 2019 : Debug: (2) No attributes updated Thu Jan 3 15:05:12 2019 : Debug: (2) } # update = noop Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]: calling exec (rlm_exec) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]: returned from exec (rlm_exec) Thu Jan 3 15:05:12 2019 : Debug: (2) [exec] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) policy remove_reply_message_if_eap { Thu Jan 3 15:05:12 2019 : Debug: (2) if (&reply:EAP-Message && &reply:Reply-Message) { Thu Jan 3 15:05:12 2019 : Debug: (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Thu Jan 3 15:05:12 2019 : Debug: (2) else { Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]: calling noop (rlm_always) Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]: returned from noop (rlm_always) Thu Jan 3 15:05:12 2019 : Debug: (2) [noop] = noop Thu Jan 3 15:05:12 2019 : Debug: (2) } # else = noop Thu Jan 3 15:05:12 2019 : Debug: (2) } # policy remove_reply_message_if_eap = noop Thu Jan 3 15:05:12 2019 : Debug: (2) } # post-auth = noop Thu Jan 3 15:05:12 2019 : Auth: (2) Login OK: [healthcheckVIP] (from client radius-proxy-v port 0) Thu Jan 3 15:05:12 2019 : Debug: (2) Sent Access-Accept Id 152 from 11.126.109.241:1812 to 11.126.112.186:38553 length 0 Thu Jan 3 15:05:12 2019 : Debug: (2) Finished request
perl What does this do? You haven't said.
This custom script is *ONLY* used as pass-throughs to forward the requests to the server RADIUS 1 and if the reply is REJECT then the request is sent in failover to server RADIUS 2.
Thx for your patience
-----Message d'origine----- De : Freeradius-Users [mailto: freeradius-users-bounces+thierry.calmels.external= airbus.com@lists.freeradius.org] De la part de Alan DeKok Envoyé : lundi 17 décembre 2018 14:20 À : FreeRadius users mailing list Objet : Re: Proxy FreeRADIUS Monitoring from LB F5
On Dec 16, 2018, at 2:32 PM, CALMELS, Thierry (SOGETI REGIONS SAS) < thierry.calmels.external@airbus.com> wrote:
The configuration you posted here is *not* what I proposed that you use. Please go back and read my message again.
I reviewed your answer and I updated as you advise but without success.
The configuration which is working is the below one with the conditional on User-Name. I don't find it very sexy!
files if (&User-Name != 'healthcheckVIP') {
OK, I really dislike this whole process of giving tiny bits of information. It wastes everyone's time.
This is the *first* time you mentioned that there's a "healthcheckVIP" user name. If you had said that at the START of the conversation, I would have been able to give you better advice.
If you want good answers, ask good questions. Your questions are vague, and generally don't include relevant information.
perl
What does this do? You haven't said.
if (ok || updated) { update control { Auth-Type := Perl } } }
================ I tried to make something like that, but I got the error saying the
Auth-Type is not defined.
<sigh> If only there was some kind of debug output which you could post to the list, so that *experts* could read it and give you useful advice.
You're trying to solve the problem without describing it in any detail. That isn't good.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html