Log when the proxy home_server has no response
Chuang Okis
okischuang at outlook.com
Thu Feb 13 04:17:57 CET 2014
Hi Alan,
Thanks for your response!
Does that work on 2.2.0? Or maybe it works only on 3.x? Because I did a simple test yesterday, but it does not seem to work on 2.2.0 :( I made a simple test; please refer to the log below:
First, I set up a server 1 as a proxy server. It will proxy the request to server 2.
Server 1 debug log:
----
rad_recv: Access-Request packet from host 172.30.179.22 port 35802, id=221, length=79
        User-Name = "test at test"
        User-Password = "123"
        NAS-IP-Address = 172.30.179.22
        NAS-Port = 0
        Message-Authenticator = 0x82e274124fd26a6a5c9e2c8105d8f209
# Executing section authorize from file /opt/freeRADIUS/etc/raddb/sites-enabled/default
+- entering group authorize {...}
        expand: %{client:Gateway-Type} -> ALU
++[control] returns notfound
rlm_perl: RAD_CONFIG: Tmp-String-8 = ALU
rlm_perl: Added pair User-Name = test at test
rlm_perl: Added pair User-Password = 123
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 172.30.179.22
rlm_perl: Added pair Message-Authenticator = 0x82e274124fd26a6a5c9e2c8105d8f209
rlm_perl: Added pair Tmp-String-8 = ALU
++[test_client_config] returns noop
++[preprocess] returns ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.30.179.22
[auth_log] expand: /opt/freeRADIUS/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /opt/freeRADIUS/var/log/radius/radacct/172.30.179.22/auth-detail-20140213
[auth_log] /opt/freeRADIUS/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /opt/freeRADIUS/var/log/radius/radacct/172.30.179.22/auth-detail-20140213
[auth_log] expand: %t -> Thu Feb 13 09:57:41 2014
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "test" for User-Name = "test at test"
[suffix] Found realm "test"
[suffix] Adding Realm = "test"
[suffix] Proxying request from user test to realm test
[suffix] Preparing to proxy authentication request to realm "test"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
# Executing section pre-proxy from file /opt/freeRADIUS/etc/raddb/sites-enabled/default
+- entering group pre-proxy {...}
[attr_filter.pre-proxy] expand: %{Realm} -> test
attr_filter: Matched entry DEFAULT at line 50
++[attr_filter.pre-proxy] returns updated
Sending Access-Request of id 165 to 172.30.179.22 port 1812
        User-Name = "test at test"
        User-Password = "123"
        NAS-IP-Address = 172.30.179.22
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323231
Proxying request 0 to home server 172.30.179.22 port 1812
Sending Access-Request of id 165 to 172.30.179.22 port 1812
        User-Name = "test at test"
        User-Password = "123"
        NAS-IP-Address = 172.30.179.22
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323231
Going to the next request
Waking up in 0.9 seconds.
Waking up in 19.0 seconds.
rad_recv: Access-Request packet from host 172.30.179.22 port 35802, id=221, length=79
Sending duplicate proxied request to home server 172.30.179.22 port 1812 - ID: 165
Sending Access-Request of id 165 to 172.30.179.22 port 1812
        User-Name = "test at test"
        User-Password = "123"
        NAS-IP-Address = 172.30.179.22
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323231
Waking up in 14.9 seconds.
rad_recv: Access-Request packet from host 172.30.179.22 port 35802, id=221, length=79
Sending duplicate proxied request to home server 172.30.179.22 port 1812 - ID: 165
Sending Access-Request of id 165 to 172.30.179.22 port 1812
        User-Name = "test at test"
        User-Password = "123"
        NAS-IP-Address = 172.30.179.22
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323231
Waking up in 9.9 seconds.
Cleaning up request 0 ID 221 with timestamp +26
Marking home server 172.30.179.22 port 1812 as zombie (it looks like it is dead).
Sending Status-Server of id 205 to 172.30.179.22 port 1812
        Message-Authenticator := 0x00000000000000000000000000000000
        NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.
rad_recv: Access-Accept packet from host 172.30.179.22 port 1812, id=205, length=20
Received response to status check 1 (1 in current sequence)
Waking up in 30.4 seconds.
-----
Then server 2 received the request from server 1. I put the "Do Not Response" policy here so that it does not reply to server 1, as a timeout scenario.
Server 2 debug log:
-----
rad_recv: Access-Request packet from host 172.30.179.21 port 3102, id=165, length=78
        User-Name = "test at test"
        User-Password = "123"
        NAS-IP-Address = 172.30.179.22
        Message-Authenticator = 0x3f6871b3d1076fa74b7e9bd33421cb40
        Proxy-State = 0x323231
# Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy do_not_respond {...}
+++[control] returns notfound
+++[handled] returns handled
++- policy do_not_respond returns handled
Not responding to request 0
Finished request 0.
Going to the next request
Waking up in 29.9 seconds.
rad_recv: Access-Request packet from host 172.30.179.21 port 3102, id=165, length=78
Ignoring retransmit from client test-21 port 3102 - ID: 165, no reply was configured
Waking up in 24.9 seconds.
rad_recv: Access-Request packet from host 172.30.179.21 port 3102, id=165, length=78
Ignoring retransmit from client test-21 port 3102 - ID: 165, no reply was configured
Waking up in 19.9 seconds.
rad_recv: Status-Server packet from host 172.30.179.21 port 3102, id=205, length=68
        Message-Authenticator = 0x7407443309fd2696fedad4b6c91ee1eb
        NAS-Identifier = "Status Check. Are you alive?"
Sending Access-Accept of id 205 to 172.30.179.21 port 3102
Finished request 1.
Cleaning up request 1 ID 205 with timestamp +23
Going to the next request
Waking up in 9.9 seconds.
Cleaning up request 0 ID 165 with timestamp +3
Ready to process requests.
-----
As you can see, server 1 did not go into the post-proxy-type fail section as I expected :( Is there anything I missed or am doing wrong? Thanks!
Okis
> Chuang Okis wrote:
> > we have some statistical requirements for eap-sim, I want to know if I can
> > identify and log it when we proxy Access-Request/Access-Challenge to
> > external AAA home_server but no response back (timeout)?
>
> Read raddb/sites-available/default. Look for Post-Proxy-Type Fail.
>
> Alan DeKok.
>
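
One way to spot the timeout from the proxy's own debug output, added here as an example that is not part of the original post or of FreeRADIUS: it pairs each proxied Access-Request with a reply from the home server and reports the ones left unanswered, without mistaking the Status-Server reply for an answer. The sample lines are constructed in the style of the server 1 log above; the function name and the assumption that a proxied reply is logged in the same rad_recv form as the status-check reply are this example's own.

```python
import re

# Constructed sample in the style of the server 1 debug log above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.30.179.22 port 35802, id=221, length=79
Sending Access-Request of id 165 to 172.30.179.22 port 1812
Proxying request 0 to home server 172.30.179.22 port 1812
Sending duplicate proxied request to home server 172.30.179.22 port 1812 - ID: 165
Sending duplicate proxied request to home server 172.30.179.22 port 1812 - ID: 165
Marking home server 172.30.179.22 port 1812 as zombie (it looks like it is dead).
Sending Status-Server of id 205 to 172.30.179.22 port 1812
rad_recv: Access-Accept packet from host 172.30.179.22 port 1812, id=205, length=20
Sending Access-Request of id 166 to 172.30.179.22 port 1812
rad_recv: Access-Accept packet from host 172.30.179.22 port 1812, id=166, length=20
"""

SENT = re.compile(r"Sending (Access-Request|Status-Server) of id (\d+) to (\S+) port (\d+)")
DUP = re.compile(r"Sending duplicate proxied request to home server (\S+) port (\d+) - ID: (\d+)")
RECV = re.compile(r"rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ZOMBIE = re.compile(r"Marking home server (\S+) port (\d+) as zombie")
REPLIES = {"Access-Accept", "Access-Reject", "Access-Challenge"}

def find_unanswered(log_text):
    """Return ({(host, port, id): retransmits}, [(host, port) marked zombie])."""
    pending, status_checks, zombies = {}, set(), []
    for line in log_text.splitlines():
        if m := SENT.search(line):
            key = (m.group(3), int(m.group(4)), int(m.group(2)))
            if m.group(1) == "Status-Server":
                status_checks.add(key)      # liveness probe, not a user request
            else:
                pending.setdefault(key, 0)  # the log above shows each send twice
        elif m := DUP.search(line):
            key = (m.group(1), int(m.group(2)), int(m.group(3)))
            pending[key] = pending.get(key, 0) + 1
        elif (m := RECV.search(line)) and m.group(1) in REPLIES:
            key = (m.group(2), int(m.group(3)), int(m.group(4)))
            if key in status_checks:
                status_checks.discard(key)  # reply to the probe, ignore it
            else:
                pending.pop(key, None)      # home server answered this request
        elif m := ZOMBIE.search(line):
            zombies.append((m.group(1), int(m.group(2))))
    # Entries still pending got no reply before the log ended.
    return pending, zombies

if __name__ == "__main__":
    print(find_unanswered(SAMPLE_LOG))
```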