Freeraadius stale sessions (no SQL scenario)
Hi, Sometimes I do some networking downtimes and during these periods I'm getting pretty much stale sessions in radwho output. I understand why it happens, but all I want to do is to clear them automatically, when user logs in. So what I've done is added this line: *exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");* to this part of checkrad code for mikrotik sub. #lets return something if ($username_seen > 0) { return 1; } else { exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret"); return 0; } } If I understand it right, this code works like: if there is a username logged in on NAS, then we return 1, which means error, I guess? if there are none, we return 0, which is OK I guess? So I just want to clear (if there any) the stale session for user, if he's not logged in on NAS, but for some reason has stale session on freeradius server (visible in radwho) But.. nothing happens. If I execute the command from the shell, it works.. So as I'm not a programmer, I think, that I must be added this line to the wrong place of radcheck script. Any help? -- Best regards, Roman.
Hi all.. Sry for last mail. So I've ran freeradius -X and have seen that debug said "no nas type or type set to other" was there. That was due to typo in my clients.conf file. So I've fixed that and now it works fine. It takes a bit more time to login for users now, but no stale sessions anymore. Anyway I've got only 1 simultaneous session allowed there, so this workaround works fine. Sorry. If someone has a bit more accurate solution for mu issue, don't be shy to share :) 2016-11-03 13:18 GMT+02:00 Roman <romeo.r@gmail.com>:
Hi,
Sometimes I do some networking downtimes and during these periods I'm getting pretty much stale sessions in radwho output. I understand why it happens, but all I want to do is to clear them automatically, when user logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
#lets return something if ($username_seen > 0) { return 1; } else { exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret"); return 0; } }
If I understand it right, this code works like: if there is a username logged in on NAS, then we return 1, which means error, I guess? if there are none, we return 0, which is OK I guess? So I just want to clear (if there any) the stale session for user, if he's not logged in on NAS, but for some reason has stale session on freeradius server (visible in radwho)
But.. nothing happens. If I execute the command from the shell, it works.. So as I'm not a programmer, I think, that I must be added this line to the wrong place of radcheck script. Any help?
-- Best regards, Roman.
-- Best regards, Roman.
On Nov 3, 2016, at 7:18 AM, Roman <romeo.r@gmail.com> wrote: Sometimes I do some networking downtimes and during these periods I'm getting pretty much stale sessions in radwho output. I understand why it happens, but all I want to do is to clear them automatically, when user logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
Please don't do that. It's not necessary. The purpose of checkrad is to tell the server if the session is still up. If it isn't the server will automatically create a "zap" packet, and remove the session. Alan DeKok.
2016-11-03 17:31 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Nov 3, 2016, at 7:18 AM, Roman <romeo.r@gmail.com> wrote: Sometimes I do some networking downtimes and during these periods I'm getting pretty much stale sessions in radwho output. I understand why it happens, but all I want to do is to clear them automatically, when user logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
Please don't do that. It's not necessary.
The purpose of checkrad is to tell the server if the session is still up. If it isn't the server will automatically create a "zap" packet, and remove the session.
Thanks for an answer. But it seems like it is not. If I stop freeradius and disconnect the user from NAS/PPPoE server manually, start the freeradius server and user connects, Freeradius just freezes and there are some logs like these: Fri Nov 4 09:22:22 2016 : Error: (0) Ignoring duplicate packet from client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component session module radutmp Fri Nov 4 09:22:30 2016 : Error: (0) Ignoring duplicate packet from client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component session module radutmp Fri Nov 4 09:22:37 2016 : Error: (1) Ignoring duplicate packet from client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component session module radutmp Fri Nov 4 09:22:45 2016 : Error: (1) Ignoring duplicate packet from client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component session module radutmp Fri Nov 4 09:22:47 2016 : Error: Unresponsive child for request 0, in component session module radutmp If I run it in debug mode, these are the last lines: Ready to process requests (0) Received Access-Request Id 192 from IP:44964 to IP:1812 length 150 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15729029 (0) NAS-Port-Type = Ethernet (0) User-Name = "tt23kswp17" (0) Calling-Station-Id = "00:A0:C5:3F:13:2D" (0) Called-Station-Id = "cli-ter1" (0) NAS-Port-Id = "Eth7-PPPoE" (0) CHAP-Challenge = 0xd2cd740b875babcdc257988ee1c00466 (0) CHAP-Password = 0x01f43d52627cb7db7466e0a2959d3cfea5 (0) NAS-Identifier = "cli-ter1" (0) NAS-IP-Address = IP (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/IP/auth-detail-20161104 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/IP2/auth-detail-20161104 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Nov 4 09:24:57 2016 (0) [auth_log] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) files: users: Matched entry tt23kswp17 at line 107 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type CHAP { (0) chap: Comparing with "known good" Cleartext-Password (0) chap: CHAP user "tt23kswp17" authenticated successfully (0) [chap] = ok (0) } # Auth-Type CHAP = ok (0) # Executing section session from file /etc/freeradius/sites-enabled/default (0) session { (0) radutmp: EXPAND /var/log/freeradius/radutmp (0) radutmp: --> /var/log/freeradius/radutmp (0) radutmp: EXPAND %{User-Name} (0) radutmp: --> tt23kswp17 (0) # Executing section preacct from file /etc/freeradius/sites-enabled/default (0) preacct { (0) [preprocess] = ok (0) policy acct_unique { (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (0) EXPAND %{string:Class} (0) --> (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> 97445737b73ef01afe83c8b742ef8bdb (0) &Acct-Unique-Session-Id := 97445737b73ef01afe83c8b742ef8bdb (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) [files] = noop (0) } # preacct = ok (0) # Executing section accounting from file /etc/freeradius/sites-enabled/default (0) accounting { (0) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (0) detail: --> /var/log/freeradius/radacct/IP/detail-20161104 (0) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/IP/detail-20161104 (0) detail: EXPAND %t (0) detail: --> Fri Nov 4 09:24:57 2016 (0) [detail] = ok (0) [unix] = ok and the mikrotik_snmp sub part is here: sub mikrotik_snmp { # Set SNMP version # MikroTik only supports version 1 $snmp_version = "1"; # Look up community string in naspasswd file. ($login, $password) = naspasswd($ARGV[1], 1); if ($login && $login ne 'SNMP') { if($debug) { print LOG "Error: Need SNMP community string for $ARGV[1]\n"; } return 2; } else { # If password is defined in naspasswd file, use it as community, # otherwise use $cmmty_string if ($password eq '') { $password = "$cmmty_string"; } } # We want interface descriptions $oid = "ifDescr"; # Mikrotik doesnt give port IDs correctly to RADIUS :( # practically this would limit us to a simple only-one user limit for # this script to work properly. @output = snmpwalk_prog($ARGV[1], $password, "$oid"); foreach $line ( @output ) { #remove newline chomp $line; #remove trailing whitespace ($line = $line) =~ s/\s+$//; if( $line =~ /<.*-$ARGV[3]>/ ) { $username_seen++; } } #lets return something if ($username_seen > 0) { return 1; } else { return 0; } } Version: radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on Jul 13 2016 at 02:30:07 -- Best regards, Roman.
2016-11-04 9:33 GMT+02:00 Roman <romeo.r@gmail.com>:
2016-11-03 17:31 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Nov 3, 2016, at 7:18 AM, Roman <romeo.r@gmail.com> wrote: Sometimes I do some networking downtimes and during these periods I'm getting pretty much stale sessions in radwho output. I understand why it happens, but all I want to do is to clear them automatically, when user logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
Please don't do that. It's not necessary.
The purpose of checkrad is to tell the server if the session is still up. If it isn't the server will automatically create a "zap" packet, and remove the session.
Thanks for an answer. But it seems like it is not. If I stop freeradius and disconnect the user from NAS/PPPoE server manually, start the freeradius server and user connects, Freeradius just freezes and there are some logs like these:
Fri Nov 4 09:22:22 2016 : Error: (0) Ignoring duplicate packet from client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component session module radutmp Fri Nov 4 09:22:30 2016 : Error: (0) Ignoring duplicate packet from client cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component session module radutmp Fri Nov 4 09:22:37 2016 : Error: (1) Ignoring duplicate packet from client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component session module radutmp Fri Nov 4 09:22:45 2016 : Error: (1) Ignoring duplicate packet from client cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component session module radutmp Fri Nov 4 09:22:47 2016 : Error: Unresponsive child for request 0, in component session module radutmp
If I run it in debug mode, these are the last lines:
Ready to process requests (0) Received Access-Request Id 192 from IP:44964 to IP:1812 length 150 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15729029 (0) NAS-Port-Type = Ethernet (0) User-Name = "tt23kswp17" (0) Calling-Station-Id = "00:A0:C5:3F:13:2D" (0) Called-Station-Id = "cli-ter1" (0) NAS-Port-Id = "Eth7-PPPoE" (0) CHAP-Challenge = 0xd2cd740b875babcdc257988ee1c00466 (0) CHAP-Password = 0x01f43d52627cb7db7466e0a2959d3cfea5 (0) NAS-Identifier = "cli-ter1" (0) NAS-IP-Address = IP (0) # Executing section authorize from file /etc/freeradius/sites-enabled/ default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{ %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/IP/auth-detail-20161104 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/IP2/auth-detail-20161104 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Nov 4 09:24:57 2016 (0) [auth_log] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) files: users: Matched entry tt23kswp17 at line 107 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type CHAP { (0) chap: Comparing with "known good" Cleartext-Password (0) chap: CHAP user "tt23kswp17" authenticated successfully (0) [chap] = ok (0) } # Auth-Type CHAP = ok (0) # Executing section session from file /etc/freeradius/sites-enabled/ default (0) session { (0) radutmp: EXPAND /var/log/freeradius/radutmp (0) radutmp: --> /var/log/freeradius/radutmp (0) radutmp: EXPAND %{User-Name} (0) radutmp: --> tt23kswp17 (0) # Executing section preacct from file /etc/freeradius/sites-enabled/ default (0) preacct { (0) [preprocess] = ok (0) policy acct_unique { (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (0) EXPAND %{string:Class} (0) --> (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6- Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> 97445737b73ef01afe83c8b742ef8bdb (0) &Acct-Unique-Session-Id := 97445737b73ef01afe83c8b742ef8bdb (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) [files] = noop (0) } # preacct = ok (0) # Executing section accounting from file /etc/freeradius/sites-enabled/ default (0) accounting { (0) detail: EXPAND /var/log/freeradius/radacct/%{ %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (0) detail: --> /var/log/freeradius/radacct/IP/detail-20161104 (0) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/IP/detail-20161104 (0) detail: EXPAND %t (0) detail: --> Fri Nov 4 09:24:57 2016 (0) [detail] = ok (0) [unix] = ok
and the mikrotik_snmp sub part is here:
sub mikrotik_snmp {
# Set SNMP version # MikroTik only supports version 1 $snmp_version = "1";
# Look up community string in naspasswd file. ($login, $password) = naspasswd($ARGV[1], 1); if ($login && $login ne 'SNMP') { if($debug) { print LOG "Error: Need SNMP community string for $ARGV[1]\n"; } return 2; } else { # If password is defined in naspasswd file, use it as community, # otherwise use $cmmty_string if ($password eq '') { $password = "$cmmty_string"; } }
# We want interface descriptions $oid = "ifDescr";
# Mikrotik doesnt give port IDs correctly to RADIUS :( # practically this would limit us to a simple only-one user limit for # this script to work properly. @output = snmpwalk_prog($ARGV[1], $password, "$oid");
foreach $line ( @output ) { #remove newline chomp $line; #remove trailing whitespace ($line = $line) =~ s/\s+$//; if( $line =~ /<.*-$ARGV[3]>/ ) { $username_seen++; } } #lets return something if ($username_seen > 0) { return 1; } else { return 0; } }
Version: radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on Jul 13 2016 at 02:30:07
Just to add, if I watch tcpdump, everything ends on this step: ..... GetResponse(49) interfaces.ifTable.ifEntry.ifDescr.15728810="<pppoe-huumorfm>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728810 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15728815="<pppoe-ttq0316>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728815 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728816="<pppoe-oi1015>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728816 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15728837="<pppoe-linktel>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728837 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728991="<pppoe-am0215>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728991 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728997="<pppoe-lvoris>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728997 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15729014="<pppoe-arx0616>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15729014 GetResponse(52) interfaces.ifTable.ifEntry.ifDescr.15729015="<pppoe-koeruswfa24>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15729015 GetResponse(31) interfaces.ifTable.ifEntry.ifType.1=6 So basically checkrad runs well until it gets the interfaces list... or until it's line @output = snmpwalk_prog($ARGV[1], $password, "$oid"); And then freezes. -- Best regards, Roman.
Hi, 2 things... 1) you appear to be doing a live simultaneous usage chec on the dvice using SNMP - that may take time...and it may not be responding 2) you appear to be using the unix module writing to the radutmp module which eventually ends up with a huge unscalable file and problems. just use a DB if you need to have values to check. alan
I dont recommend using checkrad, checkrad reduces the performance of your server, rather than try doing it using sql queries, if you are using freeradius 3.X.X, you have a field in the radacct table which if for the last update you got from this session, so if you add the update time + your interm update , if this value is less than now , then this session is a stale session
On Nov 4, 2016, at 10:40 AM, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
2 things...
1) you appear to be doing a live simultaneous usage chec on the dvice using SNMP - that may take time...and it may not be responding
2) you appear to be using the unix module writing to the radutmp module which eventually ends up with a huge unscalable file and problems. just use a DB if you need to have values to check.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2016-11-04 10:40 GMT+02:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
2 things...
1) you appear to be doing a live simultaneous usage chec on the dvice using SNMP - that may take time...and it may not be responding
Device always responds. No problems with connection nor device load. If I leave the server running user will try to login for ages, if it was a snmp connection problem, it would be able to login after some time. I have to kill server, change the nas_type to other, start server, so the user can login and server is not freezing anymore.
2) you appear to be using the unix module writing to the radutmp module which eventually ends up with a huge unscalable file and problems. just use a DB if you need to have values to check.
We have only about 15 user and not planning to go larger than 250 user per radius server, as Alan DeKok suggested last time, it is OK to use radutmp in this case. As I mentioned before, if I add the exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret"); before return 0 in the end of mikrotik_snmp sub in checkrad file, everything works as expected. So it might be a check bug or smth.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Best regards, Roman.
Hi,
Device always responds. No problems with connection nor device load. If I leave the server running user will try to login for ages, if it was a snmp connection problem, it would be able to login after some time. I have to kill server, change the nas_type to other, start server, so the user can login and server is not freezing anymore.
guess what, when you set nas_type to other, then the server is NOT trying to SNMP connect....hey, but then it works. i think the issue is quite clear.
2) you appear to be using the unix module writing to the radutmp module which eventually ends up with a huge unscalable file and problems. just use a DB if you need to have values to check.
We have only about 15 user and not planning to go larger than 250 user per radius server, as Alan DeKok suggested last time, it is OK to use radutmp in this case.
ok, ignore my advice. I wont respond to you anymore. alan
2016-11-04 13:00 GMT+02:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
Device always responds. No problems with connection nor device load. If I leave the server running user will try to login for ages, if it was a snmp connection problem, it would be able to login after some time. I have to kill server, change the nas_type to other, start server, so the user can login and server is not freezing anymore.
guess what, when you set nas_type to other, then the server is NOT trying to SNMP connect....hey, but then it works. i think the issue is quite clear.
I guess you are trying to troll me :) I'm not so stupid to see, if snmpwalk or snmget working without checkrad process :) Here are some tcpdump logs again (I cut the sensitive data from these) ......cut some unneeded interfaces ..... GetNextRequest(30) interfaces.ifTable.ifEntry.ifDescr.41 GetResponse(49) interfaces.ifTable.ifEntry.ifDescr.15728810="<pppoe-huumorfm>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728810 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15728815="<pppoe-ttq0316>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728815 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728816="<pppoe-oi1015>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728816 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15728837="<pppoe-linktel>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728837 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728991="<pppoe-am0215>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728991 GetResponse(47) interfaces.ifTable.ifEntry.ifDescr.15728997="<pppoe-lvoris>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15728997 GetResponse(48) interfaces.ifTable.ifEntry.ifDescr.15729014="<pppoe-arx0616>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15729014 GetResponse(52) interfaces.ifTable.ifEntry.ifDescr.15729015="<pppoe-koeruswfa24>" GetNextRequest(33) interfaces.ifTable.ifEntry.ifDescr.15729015 GetResponse(31) interfaces.ifTable.ifEntry.ifType.1=6 Here freeradius process is freezing and I can only see requests from NAS/PPPoE server to it without responses.. RADIUS, Access Request (1), id: 0xcf length: 150 RADIUS, Access Request (1), id: 0xd0 length: 150 RADIUS, Access Request (1), id: 0xcf length: 150 RADIUS, Access Request (1), id: 0xd0 length: 150 If I run snmpwalk constantly to the PPPoE/NAS server, it never has problems with response: snmpwalk -v1 -c secret PPPoE-Server-IP ifDesc ......cut some unneeded interfaces ..... IF-MIB::ifDescr.15728810 = STRING: <pppoe-huumorfm> IF-MIB::ifDescr.15728815 = STRING: <pppoe-ttq0316> IF-MIB::ifDescr.15728816 = STRING: <pppoe-oi1015> IF-MIB::ifDescr.15728837 = STRING: <pppoe-linktel> IF-MIB::ifDescr.15728991 = STRING: <pppoe-am0215> IF-MIB::ifDescr.15728997 = STRING: <pppoe-lvoris> IF-MIB::ifDescr.15729014 = STRING: <pppoe-arx0616> IF-MIB::ifDescr.15729015 = STRING: <pppoe-koeruswfa24> I can repeat this like each second and never get any timeouts. So I guess, there is a problem in check process on the freeradius side :) The snmp part of the checkrad script works fine. It freezes on the next step. -- Best regards, Roman.
On Nov 4, 2016, at 3:33 AM, Roman <romeo.r@gmail.com> wrote:
Thanks for an answer. But it seems like it is not. If I stop freeradius and disconnect the user from NAS/PPPoE server manually, start the freeradius server and user connects, Freeradius just freezes and there are some logs like these:
That's not supposed to happen.
and the mikrotik_snmp sub part is here:
Did you modify that? Or are you posting it here because you think we don't know that checkrad has that code? Alan DeKok.
2016-11-04 13:48 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Nov 4, 2016, at 3:33 AM, Roman <romeo.r@gmail.com> wrote:
Thanks for an answer. But it seems like it is not. If I stop freeradius and disconnect the user from NAS/PPPoE server manually, start the freeradius server and user connects, Freeradius just freezes and there are some logs like these:
That's not supposed to happen.
And how I can help you to diagnose and fix this issue?
and the mikrotik_snmp sub part is here:
Did you modify that? Or are you posting it here because you think we don't know that checkrad has that code?
No. In the way I copied it here - it is unmodified. And it is not working
this way. I added this not because I think, that devs don't know, what code they write, but because I expect responses from other community members also :) So they could see the full picture. But I really happy speaking directly to devs on my issue. Thanks for responses. -- Best regards, Roman.
On Nov 4, 2016, at 10:21 AM, Roman <romeo.r@gmail.com> wrote:
And how I can help you to diagnose and fix this issue?
Find out where it's blocking, and why. I don't see the issue here, so I can't help much. See doc/gdb for some help, but you'll need to have some C / gdb skills to debug it.
Did you modify that? Or are you posting it here because you think we don't know that checkrad has that code?
No. In the way I copied it here - it is unmodified. And it is not working this way. I added this not because I think, that devs don't know, what code they write, but because I expect responses from other community members also :) So they could see the full picture. But I really happy speaking directly to devs on my issue. Thanks for responses.
I just don't understand the mindset behind people who cut & paste unmodified config files / scripts to the list. Why would posting that *ever* be useful, when we already have access to that in the server source? Alan DeKok.
2016-11-04 17:04 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
Find out where it's blocking, and why. I don't see the issue here, so I can't help much.
See doc/gdb for some help, but you'll need to have some C / gdb skills to debug it.
And I don't have both, so I'll just leave that workaround there, which does the trick :) $luser=`/usr/bin/radwho -sru $ARGV[3] | cut -d, -f2`; if ($luser) { exec("/usr/bin/radzap", "-u", $luser, "127.0.0.1", "eiHaik2o"); } right before return 0;
I just don't understand the mindset behind people who cut & paste unmodified config files / scripts to the list. Why would posting that *ever* be useful, when we already have access to that in the server source?
Maybe you try to think about people as they would be yourself? Don't think
of people that good :) Most of us (people) are too lazy to open the source. So if I knew, that only devs will answer me here, I wouldn't add that part of code, but I thought that other people would try to help also (and some did try) and I'm sure most of them won't even look at the right line of code, where the check is processed. So I added the whole code here. I'm not a programmer, but some people here are and there was a chance they see something I didn't. That was the reason. -- Best regards, Roman.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
khouzam yaghi -
Roman