Redundant Freeradius

Rhommel Lamas roml at rhommell.com
Tue Oct 26 15:01:14 CEST 2010


I am having problemas deploying a redundant freeradius with mysql

Here my sql.conf


# -*- text -*-
##
## sql.conf -- SQL modules
##
##	$Id$

######################################################################
#
#  Configuration for the SQL module
#
#  The database schemas and queries are located in subdirectories:
#
#	sql/DB/schema.sql	Schema
#	sql/DB/dialup.conf	Basic dialup (including policy) queries
#	sql/DB/counter.conf	counter
#	sql/DB/ippool.conf	IP Pools in SQL
#	sql/DB/ippool.sql	schema for IP pools.
#
#  Where "DB" is mysql, mssql, oracle, or postgresql.
#

sql sql1{
	#
	#  Set the database to one of:
	#
	#	mysql, mssql, oracle, postgresql
	#
	database = "mysql"

	#
	#  Which FreeRADIUS driver to use.
	#
	driver = "rlm_sql_${database}"

	# Connection info:
	server = "xxx.xxx.xxx.xxx"
	#port = 3306
	login = "radius"
	password = "radius"

	# Database table configuration for everything except Oracle
	radius_db = "radiusprod"
	# If you are using Oracle then use this instead
        # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"

	# If you want both stop and start records logged to the
	# same SQL table, leave this as is.  If you want them in
	# different tables, put the start table in acct_table1
	# and stop table in acct_table2
	acct_table1 = "radacct"
	acct_table2 = "radacct"

	# Allow for storing data after authentication
	postauth_table = "radpostauth"

	authcheck_table = "radcheck"
	authreply_table = "radreply"

	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"

	# Table to keep group info
	usergroup_table = "usergroup"

	# If set to 'yes' (default) we read the group tables
	# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
	# read_groups = yes

	# Remove stale session if checkrad does not see a double login
	deletestalesessions = yes

	# Print all SQL statements when in debug mode (-x)
	
	######### ROML PONER SQLTRACE NO!#############
	sqltrace = no

	##############################################

	sqltracefile = ${logdir}/sqltrace.sql

	# number of sql connections to make to server
	num_sql_socks = 8
	#num_sql_socks = 40
	# number of seconds to dely retrying on a failed database
	# connection (per_socket)
	connect_failure_retry_delay = 60

	# lifetime of an SQL socket.  If you are having network issues
	# such as TCP sessions expiring, you may need to set the socket
	# lifetime.  If set to non-zero, any open connections will be
	# closed "lifetime" seconds after they were first opened.
	lifetime = 0

	# Maximum number of queries used by an SQL socket.  If you are
	# having issues with SQL sockets lasting "too long", you can
	# limit the number of queries performed over one socket.  After
	# "max_qeuries", the socket will be closed.  Use 0 for "no limit".
	max_queries = 0

	# Set to 'yes' to read radius clients from the database ('nas' table)
	# Clients will ONLY be read on server startup.  For performance
	# and security reasons, finding clients via SQL queries CANNOT
	# be done "live" while the server is running.
	# 
	readclients = yes

	# Table to keep radius client info
	nas_table = "nas"

	# Read driver-specific configuration
	$INCLUDE sql/${database}/dialup.conf
}


sql sql2{
	#
	#  Set the database to one of:
	#
	#	mysql, mssql, oracle, postgresql
	#
	database = "mysql"

	#
	#  Which FreeRADIUS driver to use.
	#
	driver = "rlm_sql_${database}"

	# Connection info:
	server = "127.0.0.1"
	#port = 3306
	login = "radius"
	password = "radius"

	# Database table configuration for everything except Oracle
	radius_db = "radiusprod"
	# If you are using Oracle then use this instead
        # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"

	# If you want both stop and start records logged to the
	# same SQL table, leave this as is.  If you want them in
	# different tables, put the start table in acct_table1
	# and stop table in acct_table2
	acct_table1 = "radacct"
	acct_table2 = "radacct"

	# Allow for storing data after authentication
	postauth_table = "radpostauth"

	authcheck_table = "radcheck"
	authreply_table = "radreply"

	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"

	# Table to keep group info
	usergroup_table = "usergroup"

	# If set to 'yes' (default) we read the group tables
	# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
	# read_groups = yes

	# Remove stale session if checkrad does not see a double login
	deletestalesessions = yes

	# Print all SQL statements when in debug mode (-x)
	
	######### ROML PONER SQLTRACE NO!#############
	sqltrace = no

	##############################################

	sqltracefile = ${logdir}/sqltrace.sql

	# number of sql connections to make to server
	num_sql_socks = 8
	#num_sql_socks = 40
	# number of seconds to dely retrying on a failed database
	# connection (per_socket)
	connect_failure_retry_delay = 60

	# lifetime of an SQL socket.  If you are having network issues
	# such as TCP sessions expiring, you may need to set the socket
	# lifetime.  If set to non-zero, any open connections will be
	# closed "lifetime" seconds after they were first opened.
	lifetime = 0

	# Maximum number of queries used by an SQL socket.  If you are
	# having issues with SQL sockets lasting "too long", you can
	# limit the number of queries performed over one socket.  After
	# "max_qeuries", the socket will be closed.  Use 0 for "no limit".
	max_queries = 0

	# Set to 'yes' to read radius clients from the database ('nas' table)
	# Clients will ONLY be read on server startup.  For performance
	# and security reasons, finding clients via SQL queries CANNOT
	# be done "live" while the server is running.
	# 
	readclients = yes

	# Table to keep radius client info
	nas_table = "nas"

	# Read driver-specific configuration
	$INCLUDE sql/${database}/dialup.conf
}


radius.conf

instantiate {
	#
	#  Allows the execution of external scripts.
	#  The entire command line (and output) must fit into 253 bytes.
	#
	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	exec

	#
	#  The expression module doesn't do authorization,
	#  authentication, or accounting.  It only does dynamic
	#  translation, of the form:
	#
	#	Session-Timeout = `%{expr:2 + 3}`
	#
	#  So the module needs to be instantiated, but CANNOT be
	#  listed in any other section.  See 'doc/rlm_expr' for
	#  more information.
	#
	expr

	#
	# We add the counter module here so that it registers
	# the check-name attribute before any module which sets
	# it
#	daily
	expiration
	logintime

	# subsections here can be thought of as "virtual" modules.
	#
	# e.g. If you have two redundant SQL servers, and you want to
	# use them in the authorize and accounting sections, you could
	# place a "redundant" block in each section, containing the
	# exact same text.  Or, you could uncomment the following
	# lines, and list "redundant_sql" in the authorize and
	# accounting sections.
	#
	#redundant redundant_sql {
	#	sql1
	#	sql2
	#}
	redundant redundant_sql {
        sql1
	sql2
	handled
        }
        redundant redundant_sqlip {
        sqlippool1
        sqlippool2
        handled
        }
}

sqlippool.conf

##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
##
##  The database schemas are available at:
##
##       raddb/sql/DB/ippool.sql
##
##  $Id$

sqlippool sqlippool1 {

 #########################################
 ## SQL instance to use (from sql.conf) ##
 ##
 ##  If you have multiple sql instances, such as "sql sql1 {...}",
 ##  use the *instance* name here: sql1.
 #########################################
 sql-instance-name = "sql1"

 ## SQL table to use for ippool range and lease info
 ippool_table = "radippool"

 ## IP lease duration. (Leases expire even if Acct Stop packet is lost)
 lease-duration = 3600

 ## Attribute which should be considered unique per NAS
 ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
 ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
 ## ONLY change this if you know what you are doing!
 pool-key = "%{NAS-Port}"
 # pool-key = "%{Calling-Station-Id}"

 ################################################################
 #
 #  WARNING: MySQL has certain limitations that means it can
 #           hand out the same IP address to 2 different users.
 #
 #           We suggest using an SQL DB with proper transaction
 #           support, such as PostgreSQL, or using MySQL
 #	     with InnoDB.
 #
 ################################################################

 #
 #  Use the same database as configured in the "sql" module, "database"
 #  configuration item.  Change the "postgresql" name below to be the
 #  same as the "database" field of the SQL module referred to in the
 #  "sql-instance-name", above.
 #
$INCLUDE sql/mysql/ippool.conf
 
 ## Logging configuration. (Comment out to disable logging)
 sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

 sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

 sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
 (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"

 sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

 sqlippool_log_nopool = "No Pool-Name defined \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

}

sqlippool sqlippool2 {

 #########################################
 ## SQL instance to use (from sql.conf) ##
 ##
 ##  If you have multiple sql instances, such as "sql sql1 {...}",
 ##  use the *instance* name here: sql1.
 #########################################
 sql-instance-name = "sql2"

 ## SQL table to use for ippool range and lease info
 ippool_table = "radippool"

 ## IP lease duration. (Leases expire even if Acct Stop packet is lost)
 lease-duration = 3600

 ## Attribute which should be considered unique per NAS
 ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
 ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
 ## ONLY change this if you know what you are doing!
 pool-key = "%{NAS-Port}"
 # pool-key = "%{Calling-Station-Id}"

 ################################################################
 #
 #  WARNING: MySQL has certain limitations that means it can
 #           hand out the same IP address to 2 different users.
 #
 #           We suggest using an SQL DB with proper transaction
 #           support, such as PostgreSQL, or using MySQL
 #	     with InnoDB.
 #
 ################################################################

 #
 #  Use the same database as configured in the "sql" module, "database"
 #  configuration item.  Change the "postgresql" name below to be the
 #  same as the "database" field of the SQL module referred to in the
 #  "sql-instance-name", above.
 #
$INCLUDE sql/mysql/ippool.conf
 
 ## Logging configuration. (Comment out to disable logging)
 sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

 sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

 sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
 (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"

 sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

 sqlippool_log_nopool = "No Pool-Name defined \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

}


sites-enable/default

authorize {
	preprocess
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	redundant_sql
	detail
	pap
	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}

preacct {
	preprocess
	acct_unique
	suffix
}

accounting {
	detail {
        fail = 1
        }
	redundant_sql
	radutmp
	redundant_sqlip
}


session {
	radutmp
	detail {
        fail = 1
        }
	redundant_sql
}


post-auth {
	detail {
        fail = 1
        }
	redundant_sqlip
	redundant_sql
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

pre-proxy {
}

post-proxy {
	eap
}


The result after a radiusd -X is

/etc/raddb/sql.conf[116]: Instantiation failed for module "sql2"
/etc/raddb/radiusd.conf[771]: Failed to find module "sql2".
/etc/raddb/radiusd.conf[771]: Failed to parse "sql2" entry.
/etc/raddb/sites-enabled/default[1]: Errors parsing authorize section. 






More information about the Freeradius-Users mailing list