Return no answer to the client if proxied access request times out
Hi, we're running Freeradius 3.0.13 (the most recent version available for our production environment running RedHat Enterprise 7.5) and we configured two home_server blocks in a pool to which we proxy Access requests for realm sas: home_server sas_tn_1 { type = auth+acct ipaddr = x.x.x.x port = 1812 secret = --SECRET-- require_message_authenticator = yes response_window = 20 revive_interval = 120 status_check = none } home_server sas_mi_1 { # auth+acct type handles auth requests on specified port and acct requests on port+1 type = auth+acct ipaddr = y.y.y.y port = 1812 secret = --SECRET-- require_message_authenticator = yes response_window = 20 revive_interval = 120 status_check = none } home_server_pool sas_pool_failover { type = fail-over home_server = sas_tn_1 home_server = sas_mi_1 } # SAS realm for OTP+Token access to routers realm sas { pool = sas_pool_failover } we did not configure no_response_fail parameter, so if I've understood well from the docs, Freeradius should not reply to the Access-Request of the client NAS if the proxied access request times out, right? What I see is an Access-Reject from Freeradius server after the response_window expires, why? What am I missing? Best regards, Gianni Costanzi
On Jan 16, 2019, at 3:37 AM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
we're running Freeradius 3.0.13 (the most recent version available for our production environment running RedHat Enterprise 7.5)
There are updated packages on http://packages.networkradius.com You can also build your own packages. I've never understood the attitude of "we're going to run software that's years out of date because that's what our vendor supplies". The vendor is there to make *you* happy. If the software they supply is out of date, complain. Or switch vendors. Or build your own.
we did not configure no_response_fail parameter, so if I've understood well from the docs, Freeradius should not reply to the Access-Request of the client NAS if the proxied access request times out, right?
That was removed a long time ago. There's another way to do it now. Instead of a config option, do: Post-Proxy-Type Fail { do_not_respond } That should fix it. It's also a more generic process. It works in more places, requires less C code, and is more configurable on your end.
What I see is an Access-Reject from Freeradius server after the response_window expires, why?
What am I missing?
The config still showed no_response_fail, when the code was removed from the server a long time ago. I've updated the current configuration to remove the references to no_response_fail. Alan DeKok.
Hi Alan, Thank you for your answer. Actually we can install only from official Redhat Enterprise repositories, due to internal policies which are quite restrictive. Unfortunately it’s not so easy to switch vendor when you’re working in big companies that must comply to tens of policies (due to ISOs, PCI-DSS, GDPR), I perfectly understood what you say and I have your attitude when working on my own systems. BTW, where should the following code snipped be placed? In which file/section? Post-Proxy-Type Fail { do_not_respond } Best regards, Gianni Costanzi Il giorno mer 16 gen 2019 alle 13:45 Alan DeKok <aland@deployingradius.com> ha scritto:
On Jan 16, 2019, at 3:37 AM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
we're running Freeradius 3.0.13 (the most recent version available for our production environment running RedHat Enterprise 7.5)
There are updated packages on http://packages.networkradius.com
You can also build your own packages.
I've never understood the attitude of "we're going to run software that's years out of date because that's what our vendor supplies". The vendor is there to make *you* happy. If the software they supply is out of date, complain. Or switch vendors. Or build your own.
we did not configure no_response_fail parameter, so if I've understood well from the docs, Freeradius should not reply to the Access-Request of the client NAS if the proxied access request times out, right?
That was removed a long time ago.
There's another way to do it now. Instead of a config option, do:
Post-Proxy-Type Fail { do_not_respond }
That should fix it. It's also a more generic process. It works in more places, requires less C code, and is more configurable on your end.
What I see is an Access-Reject from Freeradius server after the response_window expires, why?
What am I missing?
The config still showed no_response_fail, when the code was removed from the server a long time ago. I've updated the current configuration to remove the references to no_response_fail.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- --< Sent from GMail mobile >-- -------------------------------------------------------------------------------------------------------------- Find me on LinkedIn: http://it.linkedin.com/in/giannicostanzi My blog: http://networkingpills.wordpress.com My best photos on 500px: http://500px.com/GianniCostanzi PGP Key Fingerprint: 2404 1798 E01F F6BF 0FA3 AA07 B6D5 040F 2EDD 456A --------------------------------------------------------------------------------------------------------------
On Jan 18, 2019, at 6:17 AM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
Thank you for your answer. Actually we can install only from official Redhat Enterprise repositories, due to internal policies which are quite restrictive. Unfortunately it’s not so easy to switch vendor when you’re working in big companies that must comply to tens of policies (due to ISOs, PCI-DSS, GDPR), I perfectly understood what you say and I have your attitude when working on my own systems.
I tend to be cynical about "security" policies that prevent security from happening...
BTW, where should the following code snipped be placed? In which file/section?
Post-Proxy-Type Fail { do_not_respond }
In the "Post-Proxy-Type" subsection... $ cd /etc/raddb $ grep -r -- 'Post-Proxy-Type' Takes 2 minutes... And if you read the debug output, it will show that it's running a post-proxy subsection. See sites-available/default. It's all there.... Alan DeKok.
I tend to be cynical about "security" policies that prevent security from happening...
I understand your point... unfortunately burocracy is killing us nowadays, slowing everything and preventing us to work as we should...
$ cd /etc/raddb $ grep -r -- 'Post-Proxy-Type'
Takes 2 minutes...
And if you read the debug output, it will show that it's running a post-proxy subsection.
See sites-available/default. It's all there....
Alan DeKok.
I'm sorry, you're perfectly right and I've did the same few minutes before your mail. Thank you for the support, have a nice weekend Gianni
Hi Alan, just an additional question... Is Post-Proxy-Type Fail-Authentication triggered both when a selected home-server times out and also when no home-servers are available in the realm's pool (maybe because they're all marked as zombies)? Gianni On Fri, Jan 18, 2019 at 3:09 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 18, 2019, at 6:17 AM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
Thank you for your answer. Actually we can install only from official Redhat Enterprise repositories, due to internal policies which are quite restrictive. Unfortunately it’s not so easy to switch vendor when you’re working in big companies that must comply to tens of policies (due to ISOs, PCI-DSS, GDPR), I perfectly understood what you say and I have your attitude when working on my own systems.
I tend to be cynical about "security" policies that prevent security from happening...
BTW, where should the following code snipped be placed? In which file/section?
Post-Proxy-Type Fail { do_not_respond }
In the "Post-Proxy-Type" subsection...
$ cd /etc/raddb $ grep -r -- 'Post-Proxy-Type'
Takes 2 minutes...
And if you read the debug output, it will show that it's running a post-proxy subsection.
See sites-available/default. It's all there....
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 18, 2019, at 9:52 AM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
Hi Alan, just an additional question... Is Post-Proxy-Type Fail-Authentication triggered both when a selected home-server times out and also when no home-servers are available in the realm's pool (maybe because they're all marked as zombies)?
Before 3.0.16, it only runs when the home server doesn't respond. For 3.0.16 and later, it can also run when the home servers are all dead. Alan DeKok.
participants (2)
-
Alan DeKok -
Gianni Costanzi