Proxy to multiple servers in FR 2.1.7

Patric patricrt at gmail.com
Fri Nov 13 09:26:10 CET 2009


Hi Craig,

Thanks for your response. I have tried to implement this but I'm going 
wrong somewhere. Below I will show my configuration, then the debug that 
shows what the server is doing.

First my 2 detail files.

modules/detail:
---------------

detail detail-radrelay {
        detailfile = ${radacctdir}/detail-combined
        detailperm = 0600
        dirperm = 0755
        locking = yes
}

detail detail-radrelay2 {
        detailfile = ${radacctdir}/detail-combined2
        detailperm = 0600
        dirperm = 0755
        locking = yes
}


Then in my accounting section I write incoming packets to both detail files.

sites-enable/default:

accounting {
        detail-radrelay
        detail-radrelay2
}

The above then writes any incoming packets to 2 files "detail-combined" 
and "detail-combined2". Cool, so now I need to process one and send it 
to server A and process the other and send it to server B.

I already have the following which processes detail-combined and sends 
to server A (for all realms).

proxy.conf:
-----------

home_server copy-acct-to-home-server {
        type   = acct
        ipaddr = server.A.ip
        port   = 1813
        secret = server_A_secret
}

home_server_pool my_acct_failover {
        home_server = copy-acct-to-home-server
}

realm DEFAULT {
        acct_pool = my_acct_failover
        nostrip
}


sites-enabled/copy-acct-to-home-server:
---------------------------------------

server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/detail-combined
        }
        accounting {
                   ok
        }
}


So now there is already a home_server_pool assigned to the default 
realm, but I continue and create a home_server entry for server B

proxy.conf (now including home_server entry for server B):
----------------------------------------------------------

home_server copy-acct-to-home-server {
        type   = acct
        ipaddr = server.A.ip
        port   = 1813
        secret = server_A_secret
}

home_server copy-acct-to-server-B {
        type   = acct
        ipaddr = server.B.ip
        port   = 1813
        secret = server_B_secret
}

home_server_pool my_acct_failover {
        home_server = copy-acct-to-home-server
}

realm DEFAULT {
        acct_pool = my_acct_failover
        nostrip
}


And corresponding sites-enabled files.

sites-enabled/copy-acct-to-home-server:
---------------------------------------

server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/detail-combined
        }
        accounting {
                   ok
        }
}

sites-enabled/copy-acct-to-server-B:
---------------------------------------

server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/detail-combined2
        }
        accounting {
                   ok
        }
}


Now I fire up radiusd in debug mode and send a test packet to the server 
to see what it does. As the debug shows, it gets the packet, writes it 
to the detail-combined2. Then the listener copy-acct-to-server-B picks 
up the detail-combined2 and processes it, but instead of sending to 
server B it's sending to server A.

Fri Nov 13 09:19:57 2009 : Debug:  Module: Instantiating detail-radrelay2
Fri Nov 13 09:19:57 2009 : Debug:   detail detail-radrelay2 {
Fri Nov 13 09:19:57 2009 : Debug:       detailfile = 
"/var/log/radius/radacct/detail-combined2"
Fri Nov 13 09:19:57 2009 : Debug:       header = "%t"
Fri Nov 13 09:19:57 2009 : Debug:       detailperm = 384
Fri Nov 13 09:19:57 2009 : Debug:       dirperm = 493
Fri Nov 13 09:19:57 2009 : Debug:       locking = yes
Fri Nov 13 09:19:57 2009 : Debug:       log_packet_header = no
Fri Nov 13 09:19:57 2009 : Debug:   }
Fri Nov 13 09:19:57 2009 : Debug:  Module: Instantiating detail-radrelay
Fri Nov 13 09:19:57 2009 : Debug:   detail detail-radrelay {
Fri Nov 13 09:19:57 2009 : Debug:       detailfile = 
"/var/log/radius/radacct/detail-combined"
Fri Nov 13 09:19:57 2009 : Debug:       header = "%t"
Fri Nov 13 09:19:57 2009 : Debug:       detailperm = 384
Fri Nov 13 09:19:57 2009 : Debug:       dirperm = 493
Fri Nov 13 09:19:57 2009 : Debug:       locking = yes
Fri Nov 13 09:19:57 2009 : Debug:       log_packet_header = no
Fri Nov 13 09:19:57 2009 : Debug:   }
Fri Nov 13 09:19:57 2009 : Debug: including configuration file 
/etc/raddb/sites-enabled/copy-acct-to-radius01
Fri Nov 13 09:19:57 2009 : Debug: including configuration file 
/etc/raddb/sites-enabled/copy-acct-to-home-server
Fri Nov 13 09:19:57 2009 : Debug: server copy-acct-to-radius01 {
Fri Nov 13 09:19:57 2009 : Debug:  modules {
Fri Nov 13 09:19:57 2009 : Debug:  Module: Checking preacct {...} for 
more modules to load
Fri Nov 13 09:19:57 2009 : Debug:     (Loaded rlm_realm, checking if 
it's valid)
Fri Nov 13 09:19:57 2009 : Debug:  Module: Linked to module rlm_realm
Fri Nov 13 09:19:57 2009 : Debug:  Module: Instantiating suffix
Fri Nov 13 09:19:57 2009 : Debug:   realm suffix {
Fri Nov 13 09:19:57 2009 : Debug:       format = "suffix"
Fri Nov 13 09:19:57 2009 : Debug:       delimiter = "@"
Fri Nov 13 09:19:57 2009 : Debug:       ignore_default = no
Fri Nov 13 09:19:57 2009 : Debug:       ignore_null = no
Fri Nov 13 09:19:57 2009 : Debug:   }
Fri Nov 13 09:19:57 2009 : Debug:  Module: Checking accounting {...} for 
more modules to load
Fri Nov 13 09:19:57 2009 : Debug:  } # modules
Fri Nov 13 09:19:57 2009 : Debug: } # server
Fri Nov 13 09:19:57 2009 : Debug: server copy-acct-to-home-server {
Fri Nov 13 09:19:57 2009 : Debug:  modules {
Fri Nov 13 09:19:57 2009 : Debug:  Module: Checking preacct {...} for 
more modules to load
Fri Nov 13 09:19:57 2009 : Debug:  Module: Checking accounting {...} for 
more modules to load
Fri Nov 13 09:19:57 2009 : Debug:  } # modules
Fri Nov 13 09:19:57 2009 : Debug: } # server
Fri Nov 13 09:19:57 2009 : Debug: Listening on detail file 
/var/log/radius/radacct/detail-combined2 as server copy-acct-to-radius01
Fri Nov 13 09:19:57 2009 : Debug: Listening on detail file 
/var/log/radius/radacct/detail-combined as server copy-acct-to-home-server
Fri Nov 13 09:19:58 2009 : Debug: Polling for detail file 
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:58 2009 : Debug: Polling for detail file 
/var/log/radius/radacct/detail-combined
rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx port 
40660, id=2, length=273
        User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: ++[preprocess] returns ok
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay]     expand: 
/var/log/radius/radacct/detail-combined -> 
/var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] 
/var/log/radius/radacct/detail-combined expands to 
/var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] Acquired filelock, 
tried 1 time(s)
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay]     expand: %t -> Fri 
Nov 13 09:19:59 2009
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] Released filelock
Fri Nov 13 09:19:59 2009 : Info: ++[detail-radrelay] returns ok
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2]     expand: 
/var/log/radius/radacct/detail-combined2 -> 
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] 
/var/log/radius/radacct/detail-combined2 expands to 
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] Acquired filelock, 
tried 1 time(s)
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2]     expand: %t -> 
Fri Nov 13 09:19:59 2009
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] Released filelock
Fri Nov 13 09:19:59 2009 : Info: ++[detail-radrelay2] returns ok
Sending Accounting-Response of id 2 to xxx.xxx.xxx.xxx port 40660
        Proxy-State = 0x313433
Fri Nov 13 09:19:59 2009 : Info: Finished request 0.
Fri Nov 13 09:19:59 2009 : Info: Cleaning up request 0 ID 2 with 
timestamp +2
Fri Nov 13 09:19:59 2009 : Debug: Going to the next request


So by this point the request has been written to both detail-combined 
files, excellent. Now:


Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file 
/var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming 
/var/log/radius/radacct/detail-combined -> 
/var/log/radius/radacct/detail-combined.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined.work
        User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-A {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for 
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user 
user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting 
request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-A
Fri Nov 13 09:19:59 2009 : Info:   WARNING: Empty section.  Using 
default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813 
        User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: Proxying request 2 to home server 
server_ip_A port 1813
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813 
        User-Name = "user at realm"
rad_recv: Accounting-Response packet from host ip_address_of_server_A 
port 1813, id=121, length=32
        Proxy-State = 0x313438
        Proxy-State = 0x3137383533


Ok so sending to server A worked correctly. Now:


Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file 
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming 
/var/log/radius/radacct/detail-combined2 -> 
/var/log/radius/radacct/detail-combined2.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined2.work
        User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-B {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for 
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user 
user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting 
request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-B
Fri Nov 13 09:19:59 2009 : Info:   WARNING: Empty section.  Using 
default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813 


You can see from the line above that it is sending this request to 
server A as well. This is where I'm getting stuck :(

Any pointers, suggestions, examples appreciated as always.

Thanks again,
Patric











Craig Campbell wrote:
> Re:  "Do I need a second site-enable/copy-acct-to-home-server1 file 
> that reads from a different detail file?"
>
> As far as I can tell (and have done) - Yes, you do.
>
> Cheers,
> -craig
>
> ----- Original Message ----- From: "Patric" <patricrt at gmail.com>
> To: "FreeRadius users mailing list" 
> <freeradius-users at lists.freeradius.org>
> Sent: Thursday, November 12, 2009 9:50 AM
> Subject: Proxy to multiple servers in FR 2.1.7
>
>
>> Hi again all :)
>>
>> I am attempting to proxy all accounting packets to 2 servers.
>> In my proxy.conf I am using a default realm.
>>
>> realm DEFAULT {
>>         acct_pool       = my_acct_failover
>>         nostrip
>> }
>>
>> I create a home_server entry for each server, and add them to the 
>> home_server_pool for that realm:
>>
>> home_server copy-acct-to-home-server {
>> }
>>
>> home_server copy-acct-to-home-server2 {
>> }
>>
>> home_server_pool my_acct_failover {
>>         home_server = copy-acct-to-home-server
>>         home_server = copy-acct-to-home-server2
>> }
>>
>> If I have site-enable/copy-acct-to-home-server it then appears to 
>> work in a fail-over method, where it will send to the first server 
>> until it is not reachable, then it sends to the second server.
>>
>> Is there a way I can configure this to send to both at once? Do I 
>> need a second site-enable/copy-acct-to-home-server1 file that reads 
>> from a different detail file?
>>
>> I am using the default realm so I don't know how to set up a second 
>> home_server_pool either...
>>
>> Any help is much appreciated, I'm going in circles :)
>> Many thanks
>> Patric
>
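
A small lint for the proxy.conf shown in this message, added here as an example (it is not part of the original thread or of FreeRADIUS): it resolves realm -> acct_pool -> home_server and lists home servers that no realm can reach. The parser only handles flat blocks like the ones in the post, the sample is trimmed to the fields that matter for routing, and the function names are hypothetical.

```python
import re

# proxy.conf from the post, trimmed to the routing-relevant fields.
PROXY_CONF = """
home_server copy-acct-to-home-server {
        type   = acct
        ipaddr = server.A.ip
}
home_server copy-acct-to-server-B {
        type   = acct
        ipaddr = server.B.ip
}
home_server_pool my_acct_failover {
        home_server = copy-acct-to-home-server
}
realm DEFAULT {
        acct_pool = my_acct_failover
        nostrip
}
"""

# One flat block: "<kind> <name> { ... }" with the closing brace on its own line.
BLOCK = re.compile(
    r"^\s*(home_server|home_server_pool|realm)\s+(\S+)\s*\{(.*?)^\s*\}",
    re.S | re.M)

def parse(conf):
    """Return {kind: {name: [(key, value), ...]}} for flat, un-nested blocks."""
    out = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    for kind, name, body in BLOCK.findall(conf):
        out[kind][name] = re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M)
    return out

def acct_routes(conf):
    """Map each realm to the home servers its acct_pool can reach."""
    cfg = parse(conf)
    routes = {}
    for realm, items in cfg["realm"].items():
        pools = [v for k, v in items if k == "acct_pool"]
        routes[realm] = [v for p in pools
                         for k, v in cfg["home_server_pool"].get(p, [])
                         if k == "home_server"]
    return routes

def unreachable_home_servers(conf):
    """Home servers that are defined but that no realm's acct_pool leads to."""
    used = {s for servers in acct_routes(conf).values() for s in servers}
    return sorted(set(parse(conf)["home_server"]) - used)
```

On the posted configuration this reports copy-acct-to-server-B as unreachable, which matches the debug output: both detail listeners resolve realm DEFAULT, and its only pool contains server A.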


