Some users getting duplicate "NULL" acctstoptime records in radacct
Hi All, I have a weird problem with my freeradius 2.1.6 setup which I have not yet been able to fix. Actually, the problem is I don't understand what the hell is going on. I'm using mysql for storing auth and acct info. I'm also using sql based simultaneous use checking to prevent a user from logging in more than once. For the most part, things are working well. However, we see some people with an already active session (acctstoptime is set to NULL) get logged in again and then get a NEW row added to radacct with the acctstoptime set to NULL. So, effectively, freeradius shows TWO live sessions for the same user. When we check the NASes, we see two sessions for the same user there as well. I've run radius in debug mode, reviewed the logs, checked the configs, and I'm still lost on this. I do see people getting rejected when they try to log in more than once, which tells me the simultaneous checking is working. I don't understand why this is happening. What I'd expect to happen if accounting stop packets got lost would be the user getting rejected if he/she tried to log in again, but definitely would NOT expect seeing a NEW record in radacct with acctstoptime set to NULL. So, how could this happen? If it helps, I'm not using an ippool at the moment. I have IPs assigned to the user with entries in radreply (framed-ip-address). Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux 19:43:28 up 3 days, 20:40, 3 users, load average: 0.21, 0.39, 0.76
Kanwar Ranbir Sandhu wrote:
. ... So, effectively, freeradius shows TWO live sessions for the same user. When we check the NASes, we see two sessions for the same user there as well.
Then the user has logged in twice. There really ARE two sessions.
I've run radius in debug mode, reviewed the logs, checked the configs, and I'm still lost on this. I do see people getting rejected when they try to log in more than once, which tells me the simultaneous checking is working.
Except for those people who log in twice. If the NAS shows that they have two sessions, then they have two sessions. Alan DeKok.
On Thu, 2009-08-20 at 08:55 +0200, Alan DeKok wrote:
. ... So, effectively, freeradius shows TWO live sessions for the same user. When we check the NASes, we see two sessions for the same user there as well.
Then the user has logged in twice. There really ARE two sessions.
Ok, fair enough. But, I've set up freeradius to not allow more than one session. How is a new row being added to radacct when the first one for the same user still has "acctstoptime" as NULL? I thought the sql queries were designed to stop that when using simultaneous checks, which I have set to 1. At worst, I expected the user to be denied access if, for example, the DB wasn't cleaned up after a NAS power loss, or after some event at the customer end.
Except for those people who log in twice.
If the NAS shows that they have two sessions, then they have two sessions.
I still don't understand how two live records for the same user can exist in radacct. The first live row should result in an access reject being generated by freeradius. I think something is wrong with my sql setup. I just don't know what it could be after pouring over everything. What could I be missing? Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux 11:45:32 up 4 days, 12:42, 5 users, load average: 1.21, 1.18, 0.91
Kanwar Ranbir Sandhu wrote:
Ok, fair enough. But, I've set up freeradius to not allow more than one session. How is a new row being added to radacct when the first one for the same user still has "acctstoptime" as NULL? I thought the sql queries were designed to stop that when using simultaneous checks, which I have set to 1.
Yes... that's *supposed* to happen, but there may be reasons for it not actually happening. e.g. race conditions, where the same user logs in twice, 1/10s apart. or maybe it's not the "same" username...
I still don't understand how two live records for the same user can exist in radacct. The first live row should result in an access reject being generated by freeradius. I think something is wrong with my sql setup. I just don't know what it could be after pouring over everything. What could I be missing?
Go over the records again. Are they for the *same* user? Alan DeKok.
On Fri, 2009-08-21 at 08:47 +0200, Alan DeKok wrote:
Yes... that's *supposed* to happen, but there may be reasons for it not actually happening.
e.g. race conditions, where the same user logs in twice, 1/10s apart. or maybe it's not the "same" username...
The race condition - ok. However, I'm 100% sure the username is the same. Otherwise, our sql query for duplicate rows wouldn't return anything, unless they're differing in some other manner. But, then I don't what that difference could be.
Go over the records again. Are they for the *same* user?
Yes, I'm sure. Lately, the duplicate entries have died down to near 0. We're now running cleanup jobs to remove any duplicate rows, and to "close" records for users that no longer have sessions on the NAS or that haven't been updated within 20 minutes. This appears to have fixed a lot of the problems we were having (admittedly, we should have implemented these cleanup procedures in the first place). I should mention the duplicate/triplicate/or more rows problem only happens when we've had to do mass kills on the NAS end, which then results in thousands of auth requests eventually hitting freeradius. This is likely where the race conditions are coming into play. mysql doesn't write the first record fast enough before the second, third, etc. are received and begin writing, too. I need to get the decoupled accounting, or at the very least, buffered sql working. BTW, what's the difference the two? Is one better than the other? Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux 11:44:44 up 10 days, 12:41, 5 users, load average: 1.41, 0.83, 0.43
Sorry again for the BASIC question! I *occasionally* slam people on other lists for being .... well, basically helpless - and here I am asking what I think is a really stupid question! Humble pie anyone? Let me take a sec to thank the development team for a very flexible product! Seems you can do pretty much anything you'd ever need to! Did Ci$co steal your code for ACS 5.0? :) Once I familiarize myself with the in's and out's I hope to contribute to the community where I can, probably with docs, use cases, examples, etc. Now my current issue. I have read a lot of doc (some 3 and 4 times) and am close to getting my head around how FR works and the various process flow, however, I still can't determine the best way to address this problem: I have several different type's of clients/NAS's that will be using FR as the Front End to perform AAA - mostly Authentication, but the Author and Acct are close behind. Anyway, each of these clients need to perform slightly different backend queries to determine if Authenticate should pass or fail: Type 1: Networking Hardware Management Access (VTY) - Routers, switches, VPN concentrators, firewalls, etc. - Auth pass if creds are good AND user is member of NetEng group in AD; else fail Type 2: IPSec VPN Access - RAS to HQ via IPSec (Ci$c0 ASA at HQ) - Several profiles/groups will exist on ASA with different properties: - NetEng, SysAdmins, Basic Users, etc. - Auth pass if creds are good AND user is member of "RAS" group in AD Type 3 ... etc. So, how do I go about this? I'm currently using NTLM_Auth and that's all working fine, I'm just not sure how to say in FR config: if request of type 1, run this NTLM_Auth command and check for this group; If request of type 2 run this other NTLM_Auth command and check for this other group. Would this be something in the huntgroup file? TIA for replies - back to more reading and trials for me! Gary <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
$hit - I just remembered. Eventually the Type 1 devices, specifically network switches, will be doing two different types of auth: vty access for admins only and 802.1x auth for all users! So, I can't process simply on NAS IP alone. I'm assuming there will be some diffs in the request packets sent to FR for vty, dot1x, etc. - but haven't got that far yet. I know when I get this figured out it will be SO simple and I'll feel like even a bigger dumb-a$$ than I do already, but at least I'll be a less busy dumb-a$$! :) TIA Gary -----Original Message----- From: Gary Gatten Sent: Wednesday, August 26, 2009 3:58 PM To: 'FreeRadius users mailing list' Subject: BASIC question, but still having conceptual issues Sorry again for the BASIC question! I *occasionally* slam people on other lists for being .... well, basically helpless - and here I am asking what I think is a really stupid question! Humble pie anyone? Let me take a sec to thank the development team for a very flexible product! Seems you can do pretty much anything you'd ever need to! Did Ci$co steal your code for ACS 5.0? :) Once I familiarize myself with the in's and out's I hope to contribute to the community where I can, probably with docs, use cases, examples, etc. Now my current issue. I have read a lot of doc (some 3 and 4 times) and am close to getting my head around how FR works and the various process flow, however, I still can't determine the best way to address this problem: I have several different type's of clients/NAS's that will be using FR as the Front End to perform AAA - mostly Authentication, but the Author and Acct are close behind. Anyway, each of these clients need to perform slightly different backend queries to determine if Authenticate should pass or fail: Type 1: Networking Hardware Management Access (VTY) - Routers, switches, VPN concentrators, firewalls, etc. - Auth pass if creds are good AND user is member of NetEng group in AD; else fail Type 2: IPSec VPN Access - RAS to HQ via IPSec (Ci$c0 ASA at HQ) - Several profiles/groups will exist on ASA with different properties: - NetEng, SysAdmins, Basic Users, etc. - Auth pass if creds are good AND user is member of "RAS" group in AD Type 3 ... etc. So, how do I go about this? I'm currently using NTLM_Auth and that's all working fine, I'm just not sure how to say in FR config: if request of type 1, run this NTLM_Auth command and check for this group; If request of type 2 run this other NTLM_Auth command and check for this other group. Would this be something in the huntgroup file? TIA for replies - back to more reading and trials for me! Gary <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Eventually the Type 1 devices, specifically network switches, will be doing two different types of auth: vty access for admins only and 802.1x auth for all users! So, I can't process simply on NAS IP alone. I'm assuming there will be some diffs in the request packets sent to FR for vty, dot1x, etc. - but haven't got that far yet.
I know when I get this figured out it will be SO simple and I'll feel like even a bigger dumb-a$$ than I do already, but at least I'll be a less busy dumb-a$$! :)
Service-Type. Type 1 will be Nas-Prompt-User or Administartive-User. 2 should be Framed-User just as 802.1x but NAS-Port-Type will tell you if it is wireless. Construct unlang if statement filters using Service-Type and Ldap-Group (AD group). Ivan Kalik Kalik Informatika ISP
Gary Gatten wrote:
I have several different type's of clients/NAS's that will be using FR as the Front End to perform AAA - mostly Authentication, but the Author and Acct are close behind.
Use virtual servers. See raddb/sites-available/README
Anyway, each of these clients need to perform slightly different backend queries to determine if Authenticate should pass or fail:
So, how do I go about this?
Configure completely different virtual servers, even if the contents of those servers are mostly the same. This lets you work like each type of NAS has it's own RADIUS server, with it's own policies.
I'm currently using NTLM_Auth and that's all working fine, I'm just not sure how to say in FR config: if request of type 1, run this NTLM_Auth command and check for this group; If request of type 2 run this other NTLM_Auth command and check for this other group.
You'll also need to configure different instances of the MSCHAP module, too. Alan DeKok.
participants (4)
-
Alan DeKok -
Gary Gatten -
Ivan Kalik -
Kanwar Ranbir Sandhu