FS trying to authenticate accounting data
Hello group. I am running FreeRADIUS 2.0.4 and I am attempting to setup a configuration based on the "robust-proxy-accounting" site example. In short, I could not get it to work. To attempt to debug the problem, I pared down the configuration so the only part that was active was the part that it supposed to send the accounting data to a detail file. However, even that small piece does not work. The errors I am getting in the debug logs are auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. However, the configuration to log the data the detail file is only setup for accounting, not authentication. This leaves me confused as to why FS is attempting to do authentication. The relevant parts of the configuration that are active during the test and the debug log is listed below. Any assistance would be appreciated. Thank you, Jim Lohiser ---------- radiusd.conf # Single detail file for accounting failover. detail detail.imaginenet { detailfile = "${radacctdir}/imaginenet/detail-%Y%m%d" } ---------- <site file> # Dummy server to spool accounting data. home_server ImagineNet_Detail { # Added 'type' value to attempt to force accounting only. # Does not fix problem. type = acct virtual_server = ImagineNet_Detail } server ImagineNet_Detail { accounting { detail.imaginenet } } home_server_pool ImagineNet_Acct { type = load-balance home_server = ImagineNet_Detail # Turned this off during to debug. Does not fix problem. #virtual_server = ImagineNet } realm imaginenet.net { auth_pool = ImagineNet_Auth acct_pool = ImagineNet_Acct nostrip } ########## Full Debug rad_recv: Accounting-Request packet from host 192.168.0.10 port 51144, id=81, length=57 User-Name = "jlohiser@imaginenet.net" Acct-Status-Type = Start Acct-Session-Id = "9584" +- entering group preacct expand: %{User-Name} -> jlohiser@imaginenet.net expand: %{User-Name} -> jlohiser@imaginenet.net expand: %{User-Name} -> jlohiser@imaginenet.net ++[preprocess] returns ok rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.10,NAS-IP-Address = 192.168.0.10,Acct-Session-Id = "9584",User-Name = "jlohiser@imaginenet.net"' rlm_acct_unique: Acct-Unique-Session-ID = "dc24a5ecb36b1652". ++[acct_unique] returns ok rlm_realm: Looking up realm "imaginenet.net" for User-Name = "jlohiser@imaginenet.net" rlm_realm: Found realm "imaginenet.net" rlm_realm: Adding Realm = "imaginenet.net" rlm_realm: Proxying request from user jlohiser to realm imaginenet.net rlm_realm: Preparing to proxy accounting request to realm "imaginenet.net" ++[suffix] returns updated ++[files] returns noop +- entering group accounting expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.10/detail-20080502 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.10/detail-20080502 expand: %t -> Fri May 2 02:33:03 2008 ++[detail] returns ok expand: /var/log/radius/radutmp -> /var/log/radius/radutmp expand: %{User-Name} -> jlohiser@imaginenet.net rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! ++[radutmp] returns noop expand: %{User-Name} -> jlohiser@imaginenet.net attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated +- entering group pre-proxy preproxy_users: Matched entry DEFAULT at line 35 expand: %{Client-IP-Address} -> 192.168.0.10 ++[files] returns ok
Sending proxied request internally to virtual server. server ImagineNet_Detail { auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [jlohiser@imaginenet.net/<no User-Password attribute>] (from client fw1.cle1.oh.imaginenet.net port 0 via TLS tunnel) } # server ImagineNet_Detail Going to the next request <<< Received proxied response from internal virtual server. Login incorrect (Home Server says so): [jlohiser@imaginenet.net/<no User-Password attribute>] (from client fw1.cle1.oh.imaginenet.net port 0) Sending Access-Reject of id 81 to 192.168.0.10 port 51144 Finished request 0. Cleaning up request 0 ID 81 with timestamp +22
Jim L. wrote: ...
Sending proxied request internally to virtual server. server ImagineNet_Detail { auth: No authenticate method (Auth-Type) configuration found for the
Ugh. The code that does the internal proxying doesn't check for auth/acct differences. Oops. Try the attached patch. If it works, I'll commit it. Alan DeKok.
Alan, I recompiled with this patch, however, I am getting the same results as before. Jim Lohiser ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, May 02, 2008 11:33 AM Subject: Re: FS trying to authenticate accounting data
Jim L. wrote: ...
Sending proxied request internally to virtual server. server ImagineNet_Detail { auth: No authenticate method (Auth-Type) configuration found for the
Ugh. The code that does the internal proxying doesn't check for auth/acct differences. Oops.
Try the attached patch. If it works, I'll commit it.
Alan DeKok.
--------------------------------------------------------------------------------
Index: src/main/event.c =================================================================== RCS file: /source/radiusd/src/main/event.c,v retrieving revision 1.100 diff -u -r1.100 event.c --- src/main/event.c 20 Apr 2008 15:00:06 -0000 1.100 +++ src/main/event.c 2 May 2008 15:37:25 -0000 @@ -1176,6 +1176,7 @@ static int proxy_to_virtual_server(REQUEST *request) { REQUEST *fake; + RAD_REQUEST_FUNP fun;
if (!request->home_server || !request->home_server->server) return 0;
@@ -1193,6 +1194,17 @@ fake->packet->vps = paircopy(request->proxy->vps); fake->server = request->home_server->server;
+ if (request->proxy->code == PW_AUTHENTICATION_REQUEST) { + fun = rad_authenticate; + + } else if (request->proxy->code == PW_ACCOUNTING_REQUEST) { + fun = rad_accounting; + + } else { + DEBUG2("Unknown packet type %d", request->proxy->code); + return 0; + } + DEBUG2(">>> Sending proxied request internally to virtual server."); radius_handle_request(fake, rad_authenticate); DEBUG2("<<< Received proxied response from internal virtual server.");
--------------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jim L. wrote:
I recompiled with this patch, however, I am getting the same results as before.
Sorry...
DEBUG2(">>> Sending proxied request internally to virtual server."); radius_handle_request(fake, rad_authenticate);
Change this line to: radius_handle_request(fake, fun);
DEBUG2("<<< Received proxied response from internal virtual server.");
It was a typo in the original patch. Alan DeKok.
Alan, The modifications to event.c now allow the server to correctly log to the detail file. That portion appears to be fixed. However, it appears that FS is still attempting to authenticate the accounting packet.
Sending proxied request internally to virtual server. server ImagineNet_Detail { +- entering group accounting expand: /var/log/radius/radacct/imaginenet/detail-%Y%m%d -> /var/log/radius/radacct/imaginenet/detail-20080504 rlm_detail: /var/log/radius/radacct/imaginenet/detail-%Y%m%d expands to /var/log/radius/radacct/imaginenet/detail-20080504 expand: %t -> Sun May 4 16:25:23 2008 ++[detail.imaginenet] returns ok } # server ImagineNet_Detail Going to the next request <<< Received proxied response from internal virtual server. Login incorrect (Home Server says so): [jlohiser@imaginenet.net/<no User-Password attribute>] (from client fw1.cle1.oh.imaginenet.net port 0) Sending Access-Reject of id 0 to 192.168.0.10 port 62518 Finished request 0.
Jim Lohiser ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Saturday, May 03, 2008 3:45 AM Subject: Re: FS trying to authenticate accounting data
Jim L. wrote:
I recompiled with this patch, however, I am getting the same results as before.
Sorry...
DEBUG2(">>> Sending proxied request internally to virtual server."); radius_handle_request(fake, rad_authenticate);
Change this line to:
radius_handle_request(fake, fun);
DEBUG2("<<< Received proxied response from internal virtual server.");
It was a typo in the original patch.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jim L. wrote:
Alan,
The modifications to event.c now allow the server to correctly log to the detail file. That portion appears to be fixed. However, it appears that FS is still attempting to authenticate the accounting packet.
Ok.. I've put the fix in CVS. I've been having a confused few days... Alan DeKok.
participants (2)
-
Alan DeKok -
Jim L.