FreeRADIUS stale sessions (no SQL scenario)
Roman
romeo.r at gmail.com
Fri Nov 4 08:33:42 CET 2016
2016-11-03 17:31 GMT+02:00 Alan DeKok <aland at deployingradius.com>:
>
> > On Nov 3, 2016, at 7:18 AM, Roman <romeo.r at gmail.com> wrote:
> > Sometimes I do some networking downtimes and during these periods I'm
> > getting pretty much stale sessions in radwho output. I understand why it
> > happens, but all I want to do is to clear them automatically, when user
> > logs in.
> >
> > So what I've done is added this line:
> >
> > *exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
> >
> > to this part of checkrad code for mikrotik sub.
>
> Please don't do that. It's not necessary.
> The purpose of checkrad is to tell the server if the session is still
> up. If it isn't the server will automatically create a "zap" packet, and
> remove the session.
>
Thanks for the answer. But it seems like it is not. If I stop freeradius and
disconnect the user from the NAS/PPPoE server manually, start the freeradius
server and the user connects, FreeRADIUS just freezes and there are some logs
like these:
Fri Nov 4 09:22:22 2016 : Error: (0) Ignoring duplicate packet from client
cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component
session module radutmp
Fri Nov 4 09:22:30 2016 : Error: (0) Ignoring duplicate packet from client
cli-ter1-lo0 port 52896 - ID: 181 due to unfinished request in component
session module radutmp
Fri Nov 4 09:22:37 2016 : Error: (1) Ignoring duplicate packet from client
cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component
session module radutmp
Fri Nov 4 09:22:45 2016 : Error: (1) Ignoring duplicate packet from client
cli-ter1-lo0 port 33336 - ID: 182 due to unfinished request in component
session module radutmp
Fri Nov 4 09:22:47 2016 : Error: Unresponsive child for request 0, in
component session module radutmp
If I run it in debug mode, these are the last lines:
Ready to process requests
(0) Received Access-Request Id 192 from IP:44964 to IP:1812 length 150
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15729029
(0) NAS-Port-Type = Ethernet
(0) User-Name = "tt23kswp17"
(0) Calling-Station-Id = "00:A0:C5:3F:13:2D"
(0) Called-Station-Id = "cli-ter1"
(0) NAS-Port-Id = "Eth7-PPPoE"
(0) CHAP-Challenge = 0xd2cd740b875babcdc257988ee1c00466
(0) CHAP-Password = 0x01f43d52627cb7db7466e0a2959d3cfea5
(0) NAS-Identifier = "cli-ter1"
(0) NAS-IP-Address = IP
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/IP/auth-detail-20161104
(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/IP2/auth-detail-20161104
(0) auth_log: EXPAND %t
(0) auth_log: --> Fri Nov 4 09:24:57 2016
(0) [auth_log] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) files: users: Matched entry tt23kswp17 at line 107
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "tt23kswp17" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file
/etc/freeradius/sites-enabled/default
(0) session {
(0) radutmp: EXPAND /var/log/freeradius/radutmp
(0) radutmp: --> /var/log/freeradius/radutmp
(0) radutmp: EXPAND %{User-Name}
(0) radutmp: --> tt23kswp17
(0) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0) EXPAND %{string:Class}
(0) -->
(0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(0) else {
(0) update request {
(0) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 97445737b73ef01afe83c8b742ef8bdb
(0) &Acct-Unique-Session-Id := 97445737b73ef01afe83c8b742ef8bdb
(0) } # update request = noop
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(0) accounting {
(0) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(0) detail: --> /var/log/freeradius/radacct/IP/detail-20161104
(0) detail:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/IP/detail-20161104
(0) detail: EXPAND %t
(0) detail: --> Fri Nov 4 09:24:57 2016
(0) [detail] = ok
(0) [unix] = ok
and the mikrotik_snmp sub part is here:
sub mikrotik_snmp {
    # Set SNMP version
    # MikroTik only supports version 1
    $snmp_version = "1";

    # Look up community string in naspasswd file.
    ($login, $password) = naspasswd($ARGV[1], 1);
    if ($login && $login ne 'SNMP') {
        if ($debug) {
            print LOG "Error: Need SNMP community string for $ARGV[1]\n";
        }
        return 2;    # 2 = error: checkrad cannot determine the session state
    } else {
        # If password is defined in naspasswd file, use it as community,
        # otherwise use $cmmty_string
        if ($password eq '') {
            $password = "$cmmty_string";
        }
    }

    # We want interface descriptions
    $oid = "ifDescr";

    # Mikrotik doesn't give port IDs correctly to RADIUS :(
    # practically this would limit us to a simple only-one user limit for
    # this script to work properly.
    @output = snmpwalk_prog($ARGV[1], $password, "$oid");

    # $ARGV[3] is the User-Name being checked. \Q...\E makes the regex
    # match it literally instead of interpreting any metacharacters it
    # contains (the original interpolates the name unescaped).
    my $username_seen = 0;
    foreach $line ( @output ) {
        # remove newline
        chomp $line;
        # remove trailing whitespace
        $line =~ s/\s+$//;
        if ( $line =~ /<.*-\Q$ARGV[3]\E>/ ) {
            $username_seen++;
        }
    }

    # let's return something: 1 = session seen on the NAS, 0 = not seen
    if ($username_seen > 0) {
        return 1;
    } else {
        return 0;
    }
}
Version:
radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on
Jul 13 2016 at 02:30:07
--
Best regards,
Roman.
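The following is an added illustration of what the mikrotik_snmp check above actually decides, not code from this thread or from the FreeRADIUS checkrad script. It is written in Python rather than Perl so it can be run and checked stand-alone. The snmpwalk ifDescr lines are constructed sample input (interface names and indexes are made up), and the 0/1/2 return codes follow the convention the sub above uses: 0 = user not logged in, 1 = logged in, 2 = error. It shows the checkrad test both as posted (the User-Name interpolated into the regex verbatim) and with the name escaped, so the effect of regex metacharacters in a username is visible.

```python
import re

# Constructed sample of `snmpwalk ... ifDescr` output from a MikroTik PPPoE
# server. PPPoE client interfaces appear as <pppoe-USERNAME>; the trailing
# whitespace on the last line is deliberate, since checkrad strips it.
SAMPLE_IFDESCR = [
    "IF-MIB::ifDescr.1 = STRING: ether1",
    "IF-MIB::ifDescr.7 = STRING: Eth7-PPPoE",
    "IF-MIB::ifDescr.21 = STRING: <pppoe-tt23kswp17>",
    "IF-MIB::ifDescr.22 = STRING: <pppoe-bob>   ",
]


def user_seen_unescaped(lines, username):
    """The test as posted: the username goes into the regex verbatim.

    Returns the number of matching lines, or None when the username makes
    the regex invalid (where the Perl script would die with a regex error).
    """
    try:
        pattern = re.compile(r"<.*-" + username + r">")
    except re.error:
        return None
    # chomp + strip trailing whitespace, as the Perl loop does
    return sum(1 for line in lines if pattern.search(line.rstrip()))


def user_seen(lines, username):
    """Hardened test: the username is matched literally (re.escape) and the
    bracketed name may not contain another '<' or '>' so that the search
    cannot run across two descriptions on one line."""
    pattern = re.compile(r"<[^<>]*-" + re.escape(username) + r">")
    return sum(1 for line in lines if pattern.search(line.rstrip()))


def checkrad_result(lines, username, snmp_failed=False):
    """Map the check onto checkrad's exit codes: 0 not logged in,
    1 logged in, 2 error (e.g. no community string / walk failed)."""
    if snmp_failed:
        return 2
    return 1 if user_seen(lines, username) > 0 else 0


if __name__ == "__main__":
    for name in ("tt23kswp17", "bob", "alice", "tt23kswp1.", "bob("):
        print(f"{name!r}: unescaped={user_seen_unescaped(SAMPLE_IFDESCR, name)} "
              f"escaped={user_seen(SAMPLE_IFDESCR, name)} "
              f"checkrad={checkrad_result(SAMPLE_IFDESCR, name)}")
```

Two of the sample names show why escaping matters: "tt23kswp1." is counted as logged in by the unescaped test (the dot matches the "7"), and "bob(" turns the pattern into an invalid regex, which in the posted Perl would abort the script rather than return 0 or 2. Note also that radutmp runs checkrad synchronously while the request waits, so a walk against a NAS that does not answer stalls the request; that is the situation the "Unresponsive child ... session module radutmp" lines in the log describe, and it is separate from whether the match itself is right.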