Duplicate SQL records versus unique constraints
Hello, First of, been using freeradius for 5-6 years now and we are happy campers thanks to it. Freeradius 2.04 (Debian Lenny package), but I don't think this is very version specific. Configuration is set for direct (sql, not sql_log) logging of accounting records into mysql. We've got a number of what can only be described as "maniac" customers which fire off new sessions every minute or 2 and one of these has managed to create over 2000 "identical" sessions, as far as actsessionid and the default generation of acctuniqueid are concerned. It seems that the NAS in question is prone to recycle actsessionids under the onslaught of this user (within days at times). We are talking to the upstream access provider about this, but I don't think much of anything will come out of it. In this setting the default key generation for the acctuniqueid of: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" did little to stop the duplicates, since only the Acct-Session-Id is variable (when not re-used by the NAS), the rest are more or less static. We changed the Client-IP-Address to Framed-IP-Address in the key generation as this gives a much, much smaller chance of duplicates. But of course it does not guarantee uniqueness either. In the analysis of this event it became clear that the sql module will happily update any and all records that share the same acctuniqueid with a new stop and session time, even if these were not NULL or 0 respectively. Never mind that this whole scenario should not happen in the first place it seems that overwriting valid data in an already "complete" accounting record would be big no-no. Could anybody comment on this? Given this behavior and the still existing (albeit vastly smaller) chance of future duplicate records making it into the database I have a question: If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB, will the failure to insert an accounting record confuse the freerad sql module and will those failures percolate up towards the radius protocol level and thus result in the NAS keep on sending that accounting packet? Regards, Christian -- Christian Balzer Network/Systems Engineer NOC chibi@gol.com Global OnLine Japan/Fusion Network Services http://www.gol.com/ https://secure3.gol.com/mod-pl/ols/index.cgi/?intr_id=F-2ECXvzcr6656
If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB, will the failure to insert an accounting record confuse the freerad sql module and will those failures percolate up towards the radius protocol level and thus result in the NAS keep on sending that accounting packet?
Yes. The SQL module will return fail on any errors. This will override the priority of most other modules, and cause the accounting stanza to return fail. The RADIUS server will then ignore the Accounting request, and the NAS will think the RADIUS server is dead. You should be able to add additional 'uniqueness' with the 'Class' attribute. RFC behavior is identical to User-Name. You set it in the Access-Accept packet, then the NAS includes its value in all future Accounting-Requests. You can use another instance of the hashing module to generate the initial class value. Include something like system time in the list of attributes to make sure it never repeats. Then just add 'Class' into the list of attributes used to generate acctuniqueid. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
On 3/6/09 07:53, Arran Cudbard-Bell wrote:
If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB, will the failure to insert an accounting record confuse the freerad sql module and will those failures percolate up towards the radius protocol level and thus result in the NAS keep on sending that accounting packet?
Yes. The SQL module will return fail on any errors. This will override the priority of most other modules, and cause the accounting stanza to return fail. The RADIUS server will then ignore the Accounting request, and the NAS will think the RADIUS server is dead.
You should be able to add additional 'uniqueness' with the 'Class' attribute. RFC behavior is identical to User-Name. You set it in the Access-Accept packet, then the NAS includes its value in all future Accounting-Requests.
Example policy for this would be something like : populate_class { # Hashing module only accepts dictionary attributes update request { Tmp-String-0 := "%t" } # # Insert random string into the class attribute # acct_class_unique.accounting update reply { Class := "%{request:Acct-Unique-Session-Id}}" } } and acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port, Class" } acct_unique acct_class_unique { key = "User-Name, Tmp-String-0, NAS-IP-Address, Client-IP-Address, NAS-Port" } For the module configuration. If you're still getting duplicates, check that the NAS is actually sending the value of the Class attribute. Vendors are notoriously bad for ignoring the RFC in this area. Regards, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Hello, On Wed, 03 Jun 2009 08:24:53 +0100 Arran Cudbard-Bell wrote: [more uniqueness for accounting packets]
Example policy for this would be something like :
[snip] Thanks a bundle for that, I was about to whack my head against the screen here and type "man unlang". ;)
If you're still getting duplicates, check that the NAS is actually sending the value of the Class attribute. Vendors are notoriously bad for ignoring the RFC in this area.
Yeah, never mind that we are talking to proxy servers upstream which in turn may talk to other proxy servers (nobody knows) which ultimately talk to the NAS (BRAS) in question. I have seen those quickly recycled Acct-Session-Id's only with one location it seems, other people with twice the connects never had their IDs re-used in the same sample period. So my bet is that this particular NAS will also happily ignore the Class attribute. ^o^ But nevertheless, a very useful configuration snippet that would do well in a future sample configuration. Thanks again for the quick and comprehensive response, Christian -- Christian Balzer Network/Systems Engineer NOC chibi@gol.com Global OnLine Japan/Fusion Network Services http://www.gol.com/ https://secure3.gol.com/mod-pl/ols/index.cgi/?intr_id=F-2ECXvzcr6656
[snip]
Thanks a bundle for that, I was about to whack my head against the screen here and type "man unlang". ;)
If you're still getting duplicates, check that the NAS is actually sending the value of the Class attribute. Vendors are notoriously bad for ignoring the RFC in this area.
Yeah, never mind that we are talking to proxy servers upstream which in turn may talk to other proxy servers (nobody knows) which ultimately talk to the NAS (BRAS) in question.
You might have more luck concatenating the random string with the User-Name and sending that in the Access-Accept. Then stripping it out again when you receive accounting requests. post-auth { update reply { User-Name := "%{User-Name}:%{Acct-Unique-ID}" } ... } -- preacct { ... if(User-Name =~ /([^:]+)(:([[:alnum:]]*))?/){ update request { Acct-Session-ID := "%{Acct-Session-ID}%{3}" User-Name := "%{1}" } } } It's a more commonly used feature so is more likely to work :)
I have seen those quickly recycled Acct-Session-Id's only with one location it seems, other people with twice the connects never had their IDs re-used in the same sample period. So my bet is that this particular NAS will also happily ignore the Class attribute. ^o^
Yey for standards *sigh*.
But nevertheless, a very useful configuration snippet that would do well in a future sample configuration.
Thanks, i'll poke Alan and see if he wants to include it. It'd be nice to have a generic hashing module for string expansions and not have to do some much unlang hackyness, useful for CUI too.
Thanks again for the quick and comprehensive response
No problem. Best of luck ! Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Arran Cudbard-Bell wrote:
Thanks, i'll poke Alan and see if he wants to include it.
$ git format-patch :)
It'd be nice to have a generic hashing module for string expansions and not have to do some much unlang hackyness, useful for CUI too.
update reply { User-Name := "%{md5:foo}" } It's already there. Alan DeKok.
On 3/6/09 17:38, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Thanks, i'll poke Alan and see if he wants to include it.
$ git format-patch
:)
Still haven't had feedback on the last one yet !
It'd be nice to have a generic hashing module for string expansions and not have to do some much unlang hackyness, useful for CUI too.
update reply { User-Name := "%{md5:foo}" }
It's already there.
Ooooooo useful. Would you be adverse to a patch adding a policy section that provided the requisite behavior for both Access-Accept and Accounting-Request packets ? Or would you like two policy sections. i.e. One that has a switch statement for packet type, or two different policies. The advantage of the one policy is that it's listed with the same name in the require sections of the default config. The disadvantage is the added switch statement. This is more of a general question for future patches... Do you want policies to be self contained, or do you not mind if they sprawl a bit. Thanks, Arran P.S ProCurve switches don't include the Class attribute in Accounting-Requests. Already opened a case. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Arran Cudbard-Bell wrote:
Ooooooo useful. Would you be adverse to a patch adding a policy section that provided the requisite behavior for both Access-Accept and Accounting-Request packets ? Or would you like two policy sections.
I'll look at the patch and see.
i.e. One that has a switch statement for packet type, or two different policies.
The advantage of the one policy is that it's listed with the same name in the require sections of the default config. The disadvantage is the added switch statement.
Hm... yes. I don't have strong opinions on this subject. It may be better to let the CPU do a bit more work than the admin, and use a switch statement to keep the external name the same.
This is more of a general question for future patches... Do you want policies to be self contained, or do you not mind if they sprawl a bit.
"sprawl" ? Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Christian Balzer