Reals Based Upon Port

Brian Carpio bcarpio at broadhop.com
Fri Dec 17 20:03:11 CET 2010


Thanks for your help Alan, but I think I am not giving you the right information.. (that or I don't understand the README)

So we are using freeradius only for proxying requests to different backend servers (basically using freeradius as a load balancer); we aren't using it to actually authenticate users at all. When we simply wanted to listen on 1812 and 1813 and proxy to multiple home_servers on 1812 and 1813, everything worked fine.

---- initial simple radiusd.conf --------

# Installation and runtime paths. Later settings build on these through
# ${...} expansion (for example logdir and raddbdir below).
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
# raddbdir is the configuration directory. proxy.conf and clients.conf are
# included from it, and proxy.conf holds shared secrets.
# NOTE(review): keep this directory readable only by the radiusd account.
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# Unprivileged account and group the daemon runs as.
user = radiusd
group = radiusd
# Request limits: maximum seconds spent on one request, seconds a finished
# request is kept before cleanup, and the number of requests tracked at once.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

# Authentication listener. "ipaddr = *" binds every local IPv4 address and
# "port = 0" takes the default RADIUS port from /etc/services (1812 per the
# post).
# NOTE(review): on a multi-homed proxy, bind only the address the NAS
# clients reach rather than "*".
listen {
        type = auth
        ipaddr = *
        port = 0
}
# Accounting listener, same binding rules (1813 per the post).
listen {
        ipaddr = *
        port = 0
        type = acct
}


# No reverse DNS lookups on client addresses.
hostname_lookups = no
# Core dumps stay off. A dump of this process can contain shared secrets and
# user passwords, so "no" is the safe setting outside a debugging session.
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
# Logging goes to a file under logdir.
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        # auth = no: authentication requests are not recorded in radius.log,
        # so this proxy keeps no audit trail of who was sent where.
        # NOTE(review): confirm the home servers log them instead.
        auth = no
        # Passwords are never written to the log, for rejected or accepted
        # requests. Keep both at "no".
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        # Upper bound on the number of attributes accepted in one packet.
        max_attributes = 200
        # Hold each Access-Reject for one second, which slows down
        # password guessing against this server.
        reject_delay = 1
        # Answer Status-Server packets.
        status_server = yes
}
# Enable proxying, then load the home server/realm definitions and the list
# of clients allowed to send requests.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
# Worker thread pool sizing. max_requests_per_server = 0 means a thread is
# never retired after a fixed number of requests.
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
# Module configuration: every file in the modules directory, plus eap.conf.
# NOTE(review): a proxy-only server needs few of these; trimming the list
# to what the virtual servers reference reduces what is loaded.
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
# Modules instantiated at start-up, in this order.
instantiate {
        exec
        expr
        expiration
        logintime
}
# Policies and the enabled virtual servers. The request-processing sections
# (authorize, accounting, ...) live in the files under sites-enabled/.
$INCLUDE policy.conf
$INCLUDE sites-enabled/

----- end radiusd.conf ------------------

---- start simple proxy.conf ----

# Global proxy behaviour. default_fallback = no: do not retry through the
# DEFAULT realm when the servers of a matched realm do not respond.
proxy server {
        default_fallback = no
}
# First backend. The values look redacted for posting (host name, secret).
home_server server01 {
        # Handles both authentication and accounting.
        type = auth+acct
        ipaddr = server01
        # NOTE(review): "port" is normally a single number, with accounting
        # on port+1 for auth+acct - confirm this comma form is accepted.
        port = 1812,1813
        # NOTE(review): virtual_server is an alternative to ipaddr and hands
        # the request to a local virtual server instead of the network -
        # confirm that both are meant to be set here.
        virtual_server = default
        # Shared secret with the home server. It protects User-Password and
        # authenticates replies, so use a long random value in production
        # and keep this file unreadable to other accounts.
        secret = s3cret
        # NOTE(review): this relaxes the Message-Authenticator requirement
        # for this home server; prefer "yes" wherever the backend supports
        # it, since that attribute is the packet integrity check.
        require_message_authenticator = no
        # Seconds to wait for a reply, and seconds spent in the "zombie"
        # state before the server is marked dead.
        response_window = 20
        zombie_period = 10
        # Health probe: send an Access-Request with the test account below.
        # NOTE(review): use a dedicated low-privilege test account whose
        # password differs from the shared secret.
        status_check = request
        username = DEADBEEF at broadhop.com
        password = s3cret
        # Probe every 5 seconds; 3 answers mark the server alive again.
        check_interval = 5
        num_answers_to_alive = 3
}
# Second backend, configured like server01.
home_server server02 {
        type = auth+acct
        ipaddr = server02 
        port = 1812,1813
        virtual_server = default
        # NOTE(review): same secret as server01 in this listing. A separate
        # secret per home server limits the damage if one of them leaks.
        secret = s3cret
        # NOTE(review): prefer "yes" where the backend supports
        # Message-Authenticator.
        require_message_authenticator = no
        response_window = 20
        zombie_period = 10
        # Health probe through an Access-Request for the account below.
        status_check = request
        username = DEADBEEF at broadhop.com
        password = s3cret
        check_interval = 5
        num_answers_to_alive = 3
}
# Pool that spreads requests across the two home servers.
home_server_pool server-balance {
        type = load-balance
        home_server = server01
        home_server = server02
}
# Catch-all realm.
# NOTE(review): the pool named here is "qns-balance" but the pool defined
# above is "server-balance" - probably a leftover from editing the names
# for the post; the two must match in the real file.
realm DEFAULT {
        pool = qns-balance
        # Forward User-Name unchanged (the realm part is not stripped).
        nostrip
}

----- end proxy.conf ----------



So then I tried to edit the radiusd.conf with virtual servers and that broke our basic setup;

---- start new radiusd.conf with virtual servers --- 

# Paths and request limits, unchanged from the first radiusd.conf listing.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
# Configuration directory; it holds the files with the shared secrets.
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# Unprivileged account and group the daemon runs as.
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

# Virtual server for the standard ports.
# It contains listeners and proxy includes only: no authorize, authenticate
# or accounting section is visible here, which matches the "Empty section"
# warning and the reject in the debug output further down. Nothing in this
# server chooses a realm or pool, so the request is handled locally.
# NOTE(review): "server default" may also be defined under sites-enabled/
# (included later in this file) - check for a clash.
server default {
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
# NOTE(review): proxy_requests and the two $INCLUDE lines are global
# settings that appear again at top level later in this file; confirm they
# are valid inside a server block and that nothing is defined twice.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
}

# Virtual server for the second port pair (1815 auth, 1816 acct).
# NOTE(review): it includes the same proxy.conf as "default", so nothing
# here routes these ports to a different backend set. A policy in this
# server's own authorize/preacct sections would have to pick the pool, for
# example by setting Proxy-To-Realm - confirm against
# raddb/sites-available/README.
server alt {
listen {
        type = auth
        ipaddr = *
        port = 1815
}
listen {
        ipaddr = *
        port = 1816
        type = acct
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
}

# No reverse DNS lookups on client addresses.
hostname_lookups = no
# Core dumps stay off; a dump can expose shared secrets and passwords.
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        # Authentication requests are not logged, and passwords are never
        # written to the log.
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        # Upper bound on the number of attributes accepted in one packet.
        max_attributes = 200
        # One-second delay before each Access-Reject; the debug output shows
        # it as "Delaying reject of request 0 for 1 seconds".
        reject_delay = 1
        # Answer Status-Server packets.
        status_server = yes
}
# Global proxy switch and includes.
# NOTE(review): the same three lines also sit inside "server default" and
# "server alt" above, so proxy.conf and clients.conf are read three times.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
# Worker thread pool sizing.
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
# Module configuration: every file in the modules directory, plus eap.conf.
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
# Modules instantiated at start-up, in this order.
instantiate {
        exec
        expr
        expiration
        logintime
}
# Policies and the enabled virtual servers.
$INCLUDE policy.conf
$INCLUDE sites-enabled/

---- end radiusd.conf -----

What would happen is that the radiusd requests weren't being proxied any more; freeradius was trying to authenticate the user itself.

--- output from radiusd -X ----

rad_recv: Access-Request packet from host 192.168.180.110 port 58754, id=13, length=112
        User-Name = "tuser10104"
        User-Password = "password"
        Calling-Station-Id = "00-90-4b-13-a3-8a"
        Acct-Session-Id = "1000"
        Framed-IP-Address = 70.3.0.99
        Cisco-Service-Info = "Time 0, Content 0"
        NAS-IP-Address = 192.168.181.29
server default {
  WARNING: Empty section.  Using default return values.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server default
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 13 to 192.168.180.110 port 58754
Waking up in 4.9 seconds.
Cleaning up request 0 ID 13 with timestamp +20
Ready to process requests.


---- end output -----


I even tried to add virtual_server = default to the proxy.conf but that didn't seem to work either... Sorry, I am probably making this more difficult than it needs to be, but again I simply want to use freeradius as a load balancer / proxy server.

Thanks,
Brian Carpio




-----Original Message-----
From: freeradius-users-bounces+bcarpio=broadhop.com at lists.freeradius.org [mailto:freeradius-users-bounces+bcarpio=broadhop.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, December 17, 2010 9:31 AM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
> Thanks for the reply, here is what I am trying to do
> 
> 
> External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
> Backend_Servers_Set01 (1812,1813) External Servers Send Requests To - 
> 1815,1816 -- FreeRadiusd -- Backend_Servers_Set02 (1815,1816)
> 
> I guess I am not sure where the listen section goes?

  radiusd.conf.    Or, read raddb/sites-available/README

> Maybe I removed it from my proxy.conf file? 

  No.

  Alan DeKok.