rlm_perl issue

Dean, Barry B.Dean at liverpool.ac.uk
Thu Aug 22 17:46:25 CEST 2013


An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP mappings from FreeRADIUS to a Windows "User ID Agent", which is then queried by the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, basically:

$var = PAN::API::UID->new( "ip of server" );
$var->add( "type <login/logout>", username, Framed-IP-Address );
$var->submit();

which goes in the "sub preacct ()" of the perl module...

which is then called from preacct {}.

There are a couple of issues with this module that I am going to try and address:

1) Connections
	"new" only instantiates an empty object
	"add" adds the values to a hash
	"submit" opens a TCP SSL connection, sends the hash as XML, then closes the connection.
With all the work being done in "submit" you have to create and tear down an SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors
	If the socket set-up fails, the PAN::API module calls croak(), which on my system terminated FreeRADIUS, which I suppose is the expected behaviour?

	Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = /etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket.  at /etc/raddb/perl.pl line 474

	Socket setup failed, I am guessing, because of all the open/close socket activity? Looks like the Windows 2008R2 server either blocked this as a suspected DoS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on the object to open and close the SSL connection, then use a pattern like:

	{ # Static block start
		my $object = PAN::API::UID->new( "<IP>" );
		$object->connectssl();

		sub preacct {
			$object->add( <params> );
			$object->submit();
		}
	}

Closing the SSL connection would not be needed in effect, as we run "forever", and I wouldn't know where to place it as there is no function called on an rlm_perl module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl module? I would have thought exit(), die(), croak() etc. are all bad and that returning quietly, optionally setting an error code, would be better? Then back in "sub preacct ()" you could check the error and log with &radiusd::radlog() and do a "return RLM_MODULE_NOOP"?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...

--------------------------------------------------------
Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department


