Redundant Freeradius
Rhommel Lamas
roml at rhommell.com
Tue Oct 26 15:01:14 CEST 2010
I am having problems deploying a redundant FreeRADIUS with MySQL.
Here is my sql.conf:
# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/DB/schema.sql Schema
# sql/DB/dialup.conf Basic dialup (including policy) queries
# sql/DB/counter.conf counter
# sql/DB/ippool.conf IP Pools in SQL
# sql/DB/ippool.sql schema for IP pools.
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
sql sql1{
# Remote MySQL backend. It is the first member of the "redundant_sql" and
# (via sqlippool1) "redundant_sqlip" blocks in radiusd.conf; sql2 below is
# the local fallback.
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "mysql"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
# (address redacted by the poster)
server = "xxx.xxx.xxx.xxx"
#port = 3306
login = "radius"
# NOTE(review): the database password is stored in clear text here and is a
# trivially guessable value. Use a dedicated account with a strong password,
# grant it only the tables named in this block, and keep this file readable
# by the radiusd user only.
password = "radius"
# Database table configuration for everything except Oracle
radius_db = "radiusprod"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "usergroup"
# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
# read_groups = yes
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
######### ROML: SET SQLTRACE TO NO! #############
# Keep this off outside of debugging: the trace file would contain every
# expanded query sent to the database.
sqltrace = no
##############################################
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 8
#num_sql_socks = 40
# number of seconds to delay retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60
# lifetime of an SQL socket. If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime. If set to non-zero, any open connections will be
# closed "lifetime" seconds after they were first opened.
lifetime = 0
# Maximum number of queries used by an SQL socket. If you are
# having issues with SQL sockets lasting "too long", you can
# limit the number of queries performed over one socket. After
# "max_queries", the socket will be closed. Use 0 for "no limit".
max_queries = 0
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
# NOTE(review): sql2 also sets readclients = yes against the same "nas"
# table. Each instance registers the clients it reads, so the second one to
# instantiate tries to add entries that already exist; that is a plausible
# cause of the "Instantiation failed for module sql2" error reported below.
# Confirm against the rlm_sql lines of the -X output; one instance reading
# the clients is enough. The shared secret of every NAS lives in that table,
# so its contents are as sensitive as clients.conf.
readclients = yes
# Table to keep radius client info
nas_table = "nas"
# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}
sql sql2{
# Local MySQL backend. The "redundant_sql" block in radiusd.conf only
# reaches this instance when sql1 returns fail.
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "mysql"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
# NOTE(review): because a redundant block consults this server only after
# the remote one fails, accounting and post-auth writes land on one backend
# or the other. Unless the two MySQL servers replicate each other, the two
# data sets will diverge; confirm the replication setup.
server = "127.0.0.1"
#port = 3306
login = "radius"
# NOTE(review): same clear-text, guessable credentials as sql1; see the
# remarks there.
password = "radius"
# Database table configuration for everything except Oracle
radius_db = "radiusprod"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "usergroup"
# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
# read_groups = yes
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
######### ROML: SET SQLTRACE TO NO! #############
# Keep this off outside of debugging: the trace file would contain every
# expanded query sent to the database.
sqltrace = no
##############################################
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 8
#num_sql_socks = 40
# number of seconds to delay retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60
# lifetime of an SQL socket. If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime. If set to non-zero, any open connections will be
# closed "lifetime" seconds after they were first opened.
lifetime = 0
# Maximum number of queries used by an SQL socket. If you are
# having issues with SQL sockets lasting "too long", you can
# limit the number of queries performed over one socket. After
# "max_queries", the socket will be closed. Use 0 for "no limit".
max_queries = 0
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
# NOTE(review): sql1 already reads the same "nas" table at startup. A
# second instance re-adding those clients is a plausible cause of the
# "Instantiation failed for module sql2" error below; set readclients = no
# here and re-run radiusd -X to confirm.
readclients = yes
# Table to keep radius client info
nas_table = "nas"
# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}
radiusd.conf
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
# sql1 (remote) is tried first; sql2 (local) runs only when sql1 returns fail.
# NOTE(review): "handled" is a return code used here as a pseudo-module. When
# both backends fail, the block returns handled, which stops the calling
# section with whatever reply has been built so far instead of surfacing the
# outage. In authorize that means a total SQL failure is not turned into a
# reject; confirm that this is intended, otherwise use "fail" or drop the line.
redundant redundant_sql {
sql1
sql2
handled
}
# Same fallback pattern for the IP pools: sqlippool1 uses sql1, sqlippool2
# uses sql2. An allocation that fails on both is reported as handled, not fail.
redundant redundant_sqlip {
sqlippool1
sqlippool2
handled
}
}
sqlippool.conf
## Configuration for the SQL based IP Pool module (rlm_sqlippool)
##
## The database schemas are available at:
##
## raddb/sql/DB/ippool.sql
##
## $Id$
sqlippool sqlippool1 {
# Pool backed by the remote database (sql1); first member of "redundant_sqlip".
#########################################
## SQL instance to use (from sql.conf) ##
##
## If you have multiple sql instances, such as "sql sql1 {...}",
## use the *instance* name here: sql1.
#########################################
sql-instance-name = "sql1"
## SQL table to use for ippool range and lease info
ippool_table = "radippool"
## IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease-duration = 3600
## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
pool-key = "%{NAS-Port}"
# pool-key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
# NOTE(review): the same concern applies across the two backends. When
# sqlippool2 takes over after a failure of sql1, it leases from its own
# copy of "radippool"; unless that table is replicated between the two
# MySQL servers, both servers may hand out overlapping addresses.
#
################################################################
#
# Use the same database as configured in the "sql" module, "database"
# configuration item. Change the "postgresql" name below to be the
# same as the "database" field of the SQL module referred to in the
# "sql-instance-name", above.
#
$INCLUDE sql/mysql/ippool.conf
## Logging configuration. (Comment out to disable logging)
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
(did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_nopool = "No Pool-Name defined \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
sqlippool sqlippool2 {
# Pool backed by the local database (sql2); fallback member of "redundant_sqlip",
# reached only when sqlippool1 returns fail.
#########################################
## SQL instance to use (from sql.conf) ##
##
## If you have multiple sql instances, such as "sql sql1 {...}",
## use the *instance* name here: sql1.
#########################################
sql-instance-name = "sql2"
## SQL table to use for ippool range and lease info
ippool_table = "radippool"
## IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease-duration = 3600
## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
pool-key = "%{NAS-Port}"
# pool-key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
# NOTE(review): this instance leases from the local copy of "radippool".
# Unless the table is replicated with the remote server used by sqlippool1,
# a failover can hand out addresses that are already leased on the other side.
#
################################################################
#
# Use the same database as configured in the "sql" module, "database"
# configuration item. Change the "postgresql" name below to be the
# same as the "database" field of the SQL module referred to in the
# "sql-instance-name", above.
#
$INCLUDE sql/mysql/ippool.conf
## Logging configuration. (Comment out to disable logging)
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
(did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_nopool = "No Pool-Name defined \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
sites-enabled/default
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
# User lookup through the redundant SQL pair (sql1, then sql2 on failure).
# NOTE(review): the redundant block ends with "handled", so an outage of both
# backends stops this section here instead of rejecting the request.
redundant_sql
detail
pap
expiration
logintime
# pap is already listed above; this second entry is redundant and can be removed.
pap
}
authenticate {
# Each Auth-Type sub-section runs only when authorize has set that Auth-Type.
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# "unix" is listed here but not in authorize above, so nothing in this
# configuration selects it as an Auth-Type — presumably left over from the
# default file; confirm whether it is still needed.
unix
eap
}
preacct {
preprocess
# Adds Acct-Unique-Session-Id so the two backends key sessions identically.
acct_unique
suffix
}
accounting {
detail {
fail = 1
}
# Accounting rows go to whichever backend answers first (sql1, else sql2);
# see the replication note on the sql2 instance.
redundant_sql
radutmp
# Releases pool leases on Accounting-Stop through the matching sqlippool instance.
redundant_sqlip
}
session {
radutmp
# NOTE(review): "detail" in the session section is unusual; the default
# configuration uses this section only for Simultaneous-Use checks. Confirm
# it is intended.
detail {
fail = 1
}
# Simultaneous-Use check against the radacct table of the redundant pair.
redundant_sql
}
post-auth {
detail {
fail = 1
}
# Allocate the pool address first so that the post-auth SQL logging below
# sees reply:Framed-IP-Address.
redundant_sqlip
redundant_sql
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
# Intentionally empty: no pre-proxy processing in this configuration.
pre-proxy {
}
post-proxy {
# Needed so that proxied EAP conversations are completed on the way back.
eap
}
The result after running radiusd -X is:
/etc/raddb/sql.conf[116]: Instantiation failed for module "sql2"
/etc/raddb/radiusd.conf[771]: Failed to find module "sql2".
/etc/raddb/radiusd.conf[771]: Failed to parse "sql2" entry.
/etc/raddb/sites-enabled/default[1]: Errors parsing authorize section.