I'm still fairly new to freeradius so be gentle :) I'm setting up radsec and I had a question on home_server failover. Since the home_server is by necessity set to 'tcp', radiusd errors out with a message that 'status_check' must be set to 'none', if you try to set it to anything. Does that mean it's not possible to do failover with radsec proxies? I've got a home_server pool set up with two nodes. When I take down the first-listed home_server with tcpdump running, the freeradius on the 'client' side just keeps trying to hit the now-disabled server and never attempts the secondary. Presumably I'm missing something but google is no help so far. I can paste configs but I wanted to see first if it was known to just not be possible. Version is 3.0.4 (on Centos 7.1). The 3.0.4 -> 3.0.10 changelogs didn't have anything promising that sounded like this. Thanks!
On Dec 29, 2015, at 3:52 PM, Mark Moseley <moseleymark@gmail.com> wrote:
Since the home_server is by necessity set to 'tcp', radiusd errors out with a message that 'status_check' must be set to 'none', if you try to set it to anything.
Because TCP is a reliable protocol. You don't need to do status checks. If the connection is up, the home server is alive.
Does that mean it's not possible to do failover with radsec proxies?
It should be possible to do fail-over. If all of the TCP connections are down, the home server is down.
I've got a home_server pool set up with two nodes. When I take down the first-listed home_server with tcpdump running, the freeradius on the 'client' side just keeps trying to hit the now-disabled server and never attempts the secondary. Presumably I'm missing something but google is no help so far.
It should do fail-over when it determines that the first home server is down. Do you have a simple configuration which reproduces this? And... as always... the debug output? Alan DeKok.
On Dec 29, 2015, at 3:52 PM, Mark Moseley <moseleymark@gmail.com> wrote:
Does that mean it's not possible to do failover with radsec proxies?
After looking at the code... the logic for proxy fail-over was broken for TCP / RadSec home servers. I've pushed a fix. Please try the latest version from github: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x And click on "download zip". Then build && install as usual. Alan DeKok.
Got that compiled yesterday, using the zip file as you instructed above. I'm seeing the same behavior. I ran a tcpdump on the same console as radtest, which is what I pasted below (after some obfuscation). The remote server is obviously down at the moment (or at least radiusd isn't running on it). I should note that when the remote server is up, everything is working ok (i.e. there's not other issues going on too -- well, at least with getting the proxy talking to a remote radsec box). Since you beat me to the punch after your first email, do you still want me to paste a config and/or debug output? This is running from the "client", or whatever you'd call the client side of the proxy. 20.30.40.50 is the first home_server listed in home_server_pool (though there's also another server too) # while true; do radtest mytestuser mytestpass localhost 0 mysecret:; sleep 10; done Sent Access-Request Id 98 from 0.0.0.0:49914 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:12:17.450942 IP 50.60.70.80.58927 > 20.30.40.50.radsec: Flags [S], seq 2472432844, win 14600, options [mss 1460,sackOK,TS val 987707727 ecr 0,nop,wscale 7], length 0 19:12:17.580284 IP 20.30.40.50.radsec > 50.60.70.80.58927: Flags [R.], seq 0, ack 2472432845, win 0, length 0 Received Access-Reject Id 98 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 143 from 0.0.0.0:40399 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:12:27.635455 IP 50.60.70.80.34444 > 20.30.40.50.radsec: Flags [S], seq 2685422050, win 14600, options [mss 1460,sackOK,TS val 987717912 ecr 0,nop,wscale 7], length 0 19:12:27.784170 IP 20.30.40.50.radsec > 50.60.70.80.34444: Flags [R.], seq 0, ack 2685422051, win 0, length 0 Received Access-Reject Id 143 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 103 from 0.0.0.0:35318 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:12:37.845284 IP 50.60.70.80.54566 > 20.30.40.50.radsec: Flags [S], seq 955991257, win 14600, options [mss 1460,sackOK,TS val 987728122 ecr 0,nop,wscale 7], length 0 19:12:37.937708 IP 20.30.40.50.radsec > 50.60.70.80.54566: Flags [R.], seq 0, ack 955991258, win 0, length 0 Received Access-Reject Id 103 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 251 from 0.0.0.0:57298 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:12:47.993086 IP 50.60.70.80.50863 > 20.30.40.50.radsec: Flags [S], seq 3854829847, win 14600, options [mss 1460,sackOK,TS val 987738269 ecr 0,nop,wscale 7], length 0 19:12:48.137304 IP 20.30.40.50.radsec > 50.60.70.80.50863: Flags [R.], seq 0, ack 3854829848, win 0, length 0 Received Access-Reject Id 251 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 88 from 0.0.0.0:55058 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:12:58.188965 IP 50.60.70.80.38221 > 20.30.40.50.radsec: Flags [S], seq 738688619, win 14600, options [mss 1460,sackOK,TS val 987748465 ecr 0,nop,wscale 7], length 0 19:12:58.341431 IP 20.30.40.50.radsec > 50.60.70.80.38221: Flags [R.], seq 0, ack 738688620, win 0, length 0 Received Access-Reject Id 88 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 27 from 0.0.0.0:51948 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:13:08.397400 IP 50.60.70.80.47190 > 20.30.40.50.radsec: Flags [S], seq 410953500, win 14600, options [mss 1460,sackOK,TS val 987758674 ecr 0,nop,wscale 7], length 0 19:13:08.579860 IP 20.30.40.50.radsec > 50.60.70.80.47190: Flags [R.], seq 0, ack 410953501, win 0, length 0 Received Access-Reject Id 27 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 253 from 0.0.0.0:53101 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:13:18.630647 IP 50.60.70.80.44606 > 20.30.40.50.radsec: Flags [S], seq 4018763811, win 14600, options [mss 1460,sackOK,TS val 987768907 ecr 0,nop,wscale 7], length 0 19:13:18.783091 IP 20.30.40.50.radsec > 50.60.70.80.44606: Flags [R.], seq 0, ack 4018763812, win 0, length 0 Received Access-Reject Id 253 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 243 from 0.0.0.0:48829 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:13:28.834195 IP 50.60.70.80.38686 > 20.30.40.50.radsec: Flags [S], seq 1036066238, win 14600, options [mss 1460,sackOK,TS val 987779111 ecr 0,nop,wscale 7], length 0 19:13:28.927031 IP 20.30.40.50.radsec > 50.60.70.80.38686: Flags [R.], seq 0, ack 1036066239, win 0, length 0 Received Access-Reject Id 243 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 160 from 0.0.0.0:46023 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:13:38.976504 IP 50.60.70.80.56515 > 20.30.40.50.radsec: Flags [S], seq 2611695183, win 14600, options [mss 1460,sackOK,TS val 987789253 ecr 0,nop,wscale 7], length 0 19:13:39.199505 IP 20.30.40.50.radsec > 50.60.70.80.56515: Flags [R.], seq 0, ack 2611695184, win 0, length 0 Received Access-Reject Id 160 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Sent Access-Request Id 86 from 0.0.0.0:60842 to 127.0.0.1:1812 length 75 User-Name = "mytestuser" User-Password = "mytestpass" NAS-IP-Address = 50.60.70.80 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mytestpass" 19:13:49.246574 IP 50.60.70.80.53775 > 20.30.40.50.radsec: Flags [S], seq 1888993182, win 14600, options [mss 1460,sackOK,TS val 987799523 ecr 0,nop,wscale 7], length 0 19:13:49.401074 IP 20.30.40.50.radsec > 50.60.70.80.53775: Flags [R.], seq 0, ack 1888993183, win 0, length 0 Received Access-Reject Id 86 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject ^[[A^C On Tue, Dec 29, 2015 at 1:27 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 29, 2015, at 3:52 PM, Mark Moseley <moseleymark@gmail.com> wrote:
Does that mean it's not possible to do failover with radsec proxies?
After looking at the code... the logic for proxy fail-over was broken for TCP / RadSec home servers. I've pushed a fix. Please try the latest version from github:
https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x
And click on "download zip". Then build && install as usual.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 30, 2015, at 2:03 PM, Mark Moseley <moseleymark@gmail.com> wrote:
Got that compiled yesterday, using the zip file as you instructed above. I'm seeing the same behavior. I ran a tcpdump on the same console as radtest, which is what I pasted below (after some obfuscation).
How about posting the debug output of the proxy, as suggested in the FAQ, README, "man" page, web pages, and daily on this list? I have *no idea* why people are so insistent on posting client and/or tcpdump output. I don't care to see the packets. I care to see what *THE SERVER* is doing. And the only way to tell that is to look at the debug logs.
Since you beat me to the punch after your first email, do you still want me to paste a config and/or debug output?\
Debug logs. From the server. PLEASE.
This is running from the "client", or whatever you'd call the client side of the proxy. 20.30.40.50 is the first home_server listed in home_server_pool (though there's also another server too)
All of the client / tcpdump output is useless and a waste of time. Alan DeKok.
participants (2)
-
Alan DeKok -
Mark Moseley