Proxies "status-server" pings are broken when virtual server "status" is enabled
Olivier Beytrison
olivier at heliosnet.org
Mon Jan 28 09:23:57 CET 2013
Hello,
I've enabled the default virtual-server "status" to get some stats out
of FR3. Default configuration except for the password off course.
Works very well... gives nice info... but later I noticed that the
remote proxies received Access-Rejects to their status-server pings.
Made some tests and that's what I found. Normal case without the
"status" virtual server enabled, I get the following output :
rad_recv: Status-Server packet from host 195.176.12.14 port 1814,
id=226, length=70
Message-Authenticator = 0x04be96ea125b0c4b93f1c79e3e2bae64
NAS-Identifier = "Status Check 1. Are you alive?"
(0) # Executing section post-auth from file
/etc/freeradius/sites-enabled/eduroam
(0) group post-auth {
(0) - entering group post-auth {...}
[snip of reply_log junk]
(0) [reply_log] = ok
(0) ? if (User-Name && "%{realm}" != 'hes-so.ch')
(0) ? Evaluating (User-Name ) -> FALSE
(0) ? Skipping ("%{realm}" != 'hes-so.ch')
(0) ? if (User-Name && "%{realm}" != 'hes-so.ch') -> FALSE
Sending Access-Accept of id 226 from 160.98.240.20 port 1812 to
195.176.12.14 port 1814
(0) Finished request 0.
Now when the virtual-server "status" is enabled
rad_recv: Status-Server packet from host 195.176.12.14 port 1814,
id=180, length=70
Message-Authenticator = 0xf2c18ba68bae0de068bf8d9ed96b4c96
NAS-Identifier = "Status Check 0. Are you alive?"
(0) WARNING: Unknown value specified for Autz-Type. Cannot perform
requested action.
(0) # Executing group from file /etc/freeradius/sites-enabled/eduroam
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/eduroam
(0) group REJECT {
(0) - entering group REJECT {...}
(0) sql : expand: '.query' -> '.query'
[snip of sql junk]
(0) [sql] = ok
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 180 from 160.98.240.20 port 1812 to
195.176.12.14 port 1814
This comes from the fact that in the status virtual-server, the
"Autz-Type status-server" stanza is defined. But in the current virtual
server receiving the "ping" (eduroam) it's not defined,so it triggers an
reject message.
Well in the end it doesn't change much as the remote server will still
mark the server alive after receiving 3 access-reject in response to his
status-server.
But is this behaviour wanted ?
Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: olivier at heliosnet.org
More information about the Freeradius-Devel
mailing list