Proxy to multiple servers in FR 2.1.7
Patric
patricrt at gmail.com
Fri Nov 13 09:26:10 CET 2009
Hi Craig,
Thanks for your response. I have tried to implement this but I'm going
wrong somewhere. Below I will show my configuration, then the debug that
shows what the server is doing.
First my 2 detail files.
modules/detail:
---------------
detail detail-radrelay {
    detailfile = ${radacctdir}/detail-combined
    detailperm = 0600
    dirperm = 0755
    locking = yes
}
detail detail-radrelay2 {
    detailfile = ${radacctdir}/detail-combined2
    detailperm = 0600
    dirperm = 0755
    locking = yes
}
Then in my accounting section I write incoming packets to both detail files.
sites-enabled/default:
accounting {
    detail-radrelay
    detail-radrelay2
}
The above then writes any incoming packets to 2 files "detail-combined"
and "detail-combined2". Cool, so now I need to process one and send it
to server A and process the other and send it to server B.
I already have the following which processes detail-combined and sends
to server A (for all realms).
proxy.conf:
-----------
home_server copy-acct-to-home-server {
    type = acct
    ipaddr = server.A.ip
    port = 1813
    secret = server_A_secret
}
home_server_pool my_acct_failover {
    home_server = copy-acct-to-home-server
}
realm DEFAULT {
    acct_pool = my_acct_failover
    nostrip
}
sites-enabled/copy-acct-to-home-server:
---------------------------------------
server copy-acct-to-home-server {
    listen {
        type = detail
        filename = ${radacctdir}/detail-combined
    }
    accounting {
        ok
    }
}
So now there is already a home_server_pool assigned to the default
realm, but I continue and create a home_server entry for server B
proxy.conf (now including home_server entry for server B):
----------------------------------------------------------
home_server copy-acct-to-home-server {
    type = acct
    ipaddr = server.A.ip
    port = 1813
    secret = server_A_secret
}
home_server copy-acct-to-server-B {
    type = acct
    ipaddr = server.B.ip
    port = 1813
    secret = server_B_secret
}
home_server_pool my_acct_failover {
    home_server = copy-acct-to-home-server
}
realm DEFAULT {
    acct_pool = my_acct_failover
    nostrip
}
And corresponding sites-enabled files.
sites-enabled/copy-acct-to-home-server:
---------------------------------------
server copy-acct-to-home-server {
    listen {
        type = detail
        filename = ${radacctdir}/detail-combined
    }
    accounting {
        ok
    }
}
sites-enabled/copy-acct-to-server-B:
---------------------------------------
server copy-acct-to-home-server {
    listen {
        type = detail
        filename = ${radacctdir}/detail-combined2
    }
    accounting {
        ok
    }
}
Now I fire up radiusd in debug mode and send a test packet to the server
to see what it does. As the debug shows, it gets the packet, writes it
to the detail-combined2. Then the listener copy-acct-to-server-B picks
up the detail-combined2 and processes it, but instead of sending to
server B it's sending to server A.
Fri Nov 13 09:19:57 2009 : Debug: Module: Instantiating detail-radrelay2
Fri Nov 13 09:19:57 2009 : Debug: detail detail-radrelay2 {
Fri Nov 13 09:19:57 2009 : Debug: detailfile =
"/var/log/radius/radacct/detail-combined2"
Fri Nov 13 09:19:57 2009 : Debug: header = "%t"
Fri Nov 13 09:19:57 2009 : Debug: detailperm = 384
Fri Nov 13 09:19:57 2009 : Debug: dirperm = 493
Fri Nov 13 09:19:57 2009 : Debug: locking = yes
Fri Nov 13 09:19:57 2009 : Debug: log_packet_header = no
Fri Nov 13 09:19:57 2009 : Debug: }
Fri Nov 13 09:19:57 2009 : Debug: Module: Instantiating detail-radrelay
Fri Nov 13 09:19:57 2009 : Debug: detail detail-radrelay {
Fri Nov 13 09:19:57 2009 : Debug: detailfile =
"/var/log/radius/radacct/detail-combined"
Fri Nov 13 09:19:57 2009 : Debug: header = "%t"
Fri Nov 13 09:19:57 2009 : Debug: detailperm = 384
Fri Nov 13 09:19:57 2009 : Debug: dirperm = 493
Fri Nov 13 09:19:57 2009 : Debug: locking = yes
Fri Nov 13 09:19:57 2009 : Debug: log_packet_header = no
Fri Nov 13 09:19:57 2009 : Debug: }
Fri Nov 13 09:19:57 2009 : Debug: including configuration file
/etc/raddb/sites-enabled/copy-acct-to-radius01
Fri Nov 13 09:19:57 2009 : Debug: including configuration file
/etc/raddb/sites-enabled/copy-acct-to-home-server
Fri Nov 13 09:19:57 2009 : Debug: server copy-acct-to-radius01 {
Fri Nov 13 09:19:57 2009 : Debug: modules {
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking preacct {...} for
more modules to load
Fri Nov 13 09:19:57 2009 : Debug: (Loaded rlm_realm, checking if
it's valid)
Fri Nov 13 09:19:57 2009 : Debug: Module: Linked to module rlm_realm
Fri Nov 13 09:19:57 2009 : Debug: Module: Instantiating suffix
Fri Nov 13 09:19:57 2009 : Debug: realm suffix {
Fri Nov 13 09:19:57 2009 : Debug: format = "suffix"
Fri Nov 13 09:19:57 2009 : Debug: delimiter = "@"
Fri Nov 13 09:19:57 2009 : Debug: ignore_default = no
Fri Nov 13 09:19:57 2009 : Debug: ignore_null = no
Fri Nov 13 09:19:57 2009 : Debug: }
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking accounting {...} for
more modules to load
Fri Nov 13 09:19:57 2009 : Debug: } # modules
Fri Nov 13 09:19:57 2009 : Debug: } # server
Fri Nov 13 09:19:57 2009 : Debug: server copy-acct-to-home-server {
Fri Nov 13 09:19:57 2009 : Debug: modules {
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking preacct {...} for
more modules to load
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking accounting {...} for
more modules to load
Fri Nov 13 09:19:57 2009 : Debug: } # modules
Fri Nov 13 09:19:57 2009 : Debug: } # server
Fri Nov 13 09:19:57 2009 : Debug: Listening on detail file
/var/log/radius/radacct/detail-combined2 as server copy-acct-to-radius01
Fri Nov 13 09:19:57 2009 : Debug: Listening on detail file
/var/log/radius/radacct/detail-combined as server copy-acct-to-home-server
Fri Nov 13 09:19:58 2009 : Debug: Polling for detail file
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:58 2009 : Debug: Polling for detail file
/var/log/radius/radacct/detail-combined
rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx port
40660, id=2, length=273
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: ++[preprocess] returns ok
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] expand:
/var/log/radius/radacct/detail-combined ->
/var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay]
/var/log/radius/radacct/detail-combined expands to
/var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] Acquired filelock,
tried 1 time(s)
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] expand: %t -> Fri
Nov 13 09:19:59 2009
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] Released filelock
Fri Nov 13 09:19:59 2009 : Info: ++[detail-radrelay] returns ok
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] expand:
/var/log/radius/radacct/detail-combined2 ->
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2]
/var/log/radius/radacct/detail-combined2 expands to
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] Acquired filelock,
tried 1 time(s)
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] expand: %t ->
Fri Nov 13 09:19:59 2009
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] Released filelock
Fri Nov 13 09:19:59 2009 : Info: ++[detail-radrelay2] returns ok
Sending Accounting-Response of id 2 to xxx.xxx.xxx.xxx port 40660
Proxy-State = 0x313433
Fri Nov 13 09:19:59 2009 : Info: Finished request 0.
Fri Nov 13 09:19:59 2009 : Info: Cleaning up request 0 ID 2 with
timestamp +2
Fri Nov 13 09:19:59 2009 : Debug: Going to the next request
So by this point the request has been written to both detail-combined
files, excellent. Now:
Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file
/var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming
/var/log/radius/radacct/detail-combined ->
/var/log/radius/radacct/detail-combined.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined.work
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-A {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user
user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting
request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-A
Fri Nov 13 09:19:59 2009 : Info: WARNING: Empty section. Using
default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: Proxying request 2 to home server
server_ip_A port 1813
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813
User-Name = "user at realm"
rad_recv: Accounting-Response packet from host ip_address_of_server_A
port 1813, id=121, length=32
Proxy-State = 0x313438
Proxy-State = 0x3137383533
Ok so sending to server A worked correctly. Now:
Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file
/var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming
/var/log/radius/radacct/detail-combined2 ->
/var/log/radius/radacct/detail-combined2.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined2.work
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-B {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for
User-Name = "user at realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user
user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting
request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-B
Fri Nov 13 09:19:59 2009 : Info: WARNING: Empty section. Using
default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813
You can see from the line above that it is sending this request to
server A as well. This is where I'm getting stuck :(
Any pointers, suggestions, examples appreciated as always.
Thanks again,
Patric
Craig Campbell wrote:
> Re: "Do I need a second site-enable/copy-acct-to-home-server1 file
> that reads from a different detail file?"
>
> As far as I can tell (and have done) - Yes, you do.
>
> Cheers,
> -craig
>
> ----- Original Message ----- From: "Patric" <patricrt at gmail.com>
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Sent: Thursday, November 12, 2009 9:50 AM
> Subject: Proxy to multiple servers in FR 2.1.7
>
>
>> Hi again all :)
>>
>> I am attempting to proxy all accounting packets to 2 servers.
>> In my proxy.conf I am using a default realm.
>>
>> realm DEFAULT {
>> acct_pool = my_acct_failover
>> nostrip
>> }
>>
>> I create a home_server entry for each server, and add them to the
>> home_server_pool for that realm:
>>
>> home_server copy-acct-to-home-server {
>> }
>>
>> home_server copy-acct-to-home-server2 {
>> }
>>
>> home_server_pool my_acct_failover {
>> home_server = copy-acct-to-home-server
>> home_server = copy-acct-to-home-server2
>> }
>>
>> If I have site-enable/copy-acct-to-home-server it then appears to
>> work in a fail-over method, where it will send to the first server
>> until it is not reachable, then it sends to the second server.
>>
>> Is there a way I can configure this to send to both at once? Do I
>> need a second site-enable/copy-acct-to-home-server1 file that reads
>> from a different detail file?
>>
>> I am using the default realm so I don't know how to set up a second
>> home_server_pool either...
>>
>> Any help is much appreciated, I'm going in circles :)
>> Many thanks
>> Patric
>
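
Added example, not part of the original post and not FreeRADIUS code: a small Python check that resolves realm -> home_server_pool -> home_server for the proxy.conf shown in the message above. It shows that realm DEFAULT, which the debug output reports both detail listeners resolving to, can only reach server A, and that the server B entry is referenced by no pool. The parser is a simplified assumption that handles only flat blocks, and the function names are hypothetical.

```python
import re

# Constructed sample: proxy.conf from the post, abridged (port/secret lines omitted).
PROXY_CONF = """
home_server copy-acct-to-home-server {
    type = acct
    ipaddr = server.A.ip
}
home_server copy-acct-to-server-B {
    type = acct
    ipaddr = server.B.ip
}
home_server_pool my_acct_failover {
    home_server = copy-acct-to-home-server
}
realm DEFAULT {
    acct_pool = my_acct_failover
    nostrip
}
"""

BLOCK = re.compile(r"^\s*(home_server|home_server_pool|realm)\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ITEM = re.compile(r"^\s*([\w-]+)\s*=\s*(\S+)", re.M)

def parse(conf):
    """Return {block_type: {name: [(key, value), ...]}} for flat, non-nested blocks."""
    out = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    for kind, name, body in BLOCK.findall(re.sub(r"#.*", "", conf)):
        out[kind][name] = ITEM.findall(body)
    return out

def acct_targets(conf):
    """Map each realm to the home servers its accounting pool can reach,
    and list home_server entries that no pool references."""
    cfg = parse(conf)
    pools = {p: [v for k, v in items if k == "home_server"]
             for p, items in cfg["home_server_pool"].items()}
    per_realm = {}
    for realm, items in cfg["realm"].items():
        names = [v for k, v in items if k in ("acct_pool", "pool")]
        per_realm[realm] = [hs for p in names for hs in pools.get(p, [])]
    used = {hs for members in pools.values() for hs in members}
    return per_realm, sorted(set(cfg["home_server"]) - used)

if __name__ == "__main__":
    realms, orphans = acct_targets(PROXY_CONF)
    print("accounting targets per realm:", realms)
    print("home servers in no pool:", orphans)
```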