Proxy FreeRADIUS Monitoring from LB F5

CALMELS, Thierry (SOGETI REGIONS SAS) thierry.calmels.external at airbus.com
Thu Jan 3 15:50:07 CET 2019


Happy new year Alan,

As a new resolution, I decided to re-contact you about the same topic^^
Below, the old thread. 

>This is the *first* time you mentioned that there's a "healthcheckVIP" user name.  If you had said that at the START of the conversation, I would have been able to give you better advice.
Not really - this username was mentioned in my first mail. This username (+password+PSK) is configured on the LB F5 in front of the RADIUS proxy.

>If only there was some kind of debug output which you could post to the list, so that *experts* could read it and give you useful advice
Below is a trace involving the local user "healthcheckVIP".

Reminder: the aim is to validate whether the condition on &User-Name is acceptable or not. The functional test made by the LB is OK, but the implementation on the RADIUS side can be improved....
Without this condition, I don't understand why, although the user was found in the files repository, we chain to the perl module...

Thu Jan  3 15:05:12 2019 : Debug: (2) Received Access-Request Id 152 from 11.126.112.186:38553 to 11.126.109.241:1812 length 95
Thu Jan  3 15:05:12 2019 : Debug: (2)   User-Name = "healthcheckVIP"
Thu Jan  3 15:05:12 2019 : Debug: (2)   User-Password = "xxxxxxxxxx"
Thu Jan  3 15:05:12 2019 : Debug: (2)   NAS-IP-Address = 11.147.11.193
Thu Jan  3 15:05:12 2019 : Debug: (2)   NAS-Identifier = "m880gbigip1-val.fr.eu.airbus.corp"
Thu Jan  3 15:05:12 2019 : Debug: (2) session-state: No State attribute
Thu Jan  3 15:05:12 2019 : Debug: (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Jan  3 15:05:12 2019 : Debug: (2)   authorize {
Thu Jan  3 15:05:12 2019 : Debug: (2)     policy filter_username {
Thu Jan  3 15:05:12 2019 : Debug: (2)       if (&User-Name) {
Thu Jan  3 15:05:12 2019 : Debug: (2)       if (&User-Name)  -> TRUE
Thu Jan  3 15:05:12 2019 : Debug: (2)       if (&User-Name)  {
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ / /) {
Thu Jan  3 15:05:12 2019 : Debug: No matches
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ / /)  -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /@[^@]*@/ ) {
Thu Jan  3 15:05:12 2019 : Debug: No matches
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /\.\./ ) {
Thu Jan  3 15:05:12 2019 : Debug: No matches
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /\.\./ )  -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Thu Jan  3 15:05:12 2019 : Debug: No matches
Thu Jan  3 15:05:12 2019 : Debug: (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /\.$/)  {
Thu Jan  3 15:05:12 2019 : Debug: No matches
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /\.$/)   -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /@\./)  {
Thu Jan  3 15:05:12 2019 : Debug: No matches
Thu Jan  3 15:05:12 2019 : Debug: (2)         if (&User-Name =~ /@\./)   -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)       } # if (&User-Name)  = notfound
Thu Jan  3 15:05:12 2019 : Debug: (2)     } # policy filter_username = notfound
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [preprocess] = ok
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling chap (rlm_chap)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from chap (rlm_chap)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [chap] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling mschap (rlm_mschap)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from mschap (rlm_mschap)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [mschap] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling digest (rlm_digest)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from digest (rlm_digest)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [digest] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling suffix (rlm_realm)
Thu Jan  3 15:05:12 2019 : Debug: (2) suffix: Checking for suffix after "@"
Thu Jan  3 15:05:12 2019 : Debug: (2) suffix: No '@' in User-Name = "healthcheckVIP", looking up realm NULL
Thu Jan  3 15:05:12 2019 : Debug: (2) suffix: No such realm "NULL"
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from suffix (rlm_realm)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [suffix] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling eap (rlm_eap)
Thu Jan  3 15:05:12 2019 : Debug: (2) eap: No EAP-Message, not doing EAP
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from eap (rlm_eap)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [eap] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling files (rlm_files)
Thu Jan  3 15:05:12 2019 : Warning: Found User-Password == "..."
Thu Jan  3 15:05:12 2019 : Warning: Are you sure you don't mean Cleartext-Password?
Thu Jan  3 15:05:12 2019 : Warning: See "man rlm_pap" for more information
Thu Jan  3 15:05:12 2019 : Debug: (2) files: users: Matched entry healthcheckVIP at line 91
Thu Jan  3 15:05:12 2019 : Debug: (2) files: ::: FROM 0 TO 0 MAX 0
Thu Jan  3 15:05:12 2019 : Debug: (2) files: ::: TO in 0 out 0
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from files (rlm_files)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [files] = ok
Thu Jan  3 15:05:12 2019 : Debug: (2)     if (&User-Name != 'healthcheckVIP' && &User-Name != 'monitoringUser') {
Thu Jan  3 15:05:12 2019 : Debug: (2)     if (&User-Name != 'healthcheckVIP' && &User-Name != 'monitoringUser')  -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling expiration (rlm_expiration)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from expiration (rlm_expiration)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [expiration] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling logintime (rlm_logintime)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from logintime (rlm_logintime)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [logintime] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: calling pap (rlm_pap)
Thu Jan  3 15:05:12 2019 : WARNING: (2) pap: Auth-Type already set.  Not setting to PAP
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[authorize]: returned from pap (rlm_pap)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [pap] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)   } # authorize = ok
Thu Jan  3 15:05:12 2019 : Debug: (2) Found Auth-Type = Accept
Thu Jan  3 15:05:12 2019 : Debug: (2) Auth-Type = Accept, accepting the user
Thu Jan  3 15:05:12 2019 : Debug: (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Thu Jan  3 15:05:12 2019 : Debug: (2)   post-auth {
Thu Jan  3 15:05:12 2019 : Debug: (2)     update {
Thu Jan  3 15:05:12 2019 : Debug: (2)       No attributes updated
Thu Jan  3 15:05:12 2019 : Debug: (2)     } # update = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[post-auth]: calling exec (rlm_exec)
Thu Jan  3 15:05:12 2019 : Debug: (2)     modsingle[post-auth]: returned from exec (rlm_exec)
Thu Jan  3 15:05:12 2019 : Debug: (2)     [exec] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     policy remove_reply_message_if_eap {
Thu Jan  3 15:05:12 2019 : Debug: (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
Thu Jan  3 15:05:12 2019 : Debug: (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
Thu Jan  3 15:05:12 2019 : Debug: (2)       else {
Thu Jan  3 15:05:12 2019 : Debug: (2)         modsingle[post-auth]: calling noop (rlm_always)
Thu Jan  3 15:05:12 2019 : Debug: (2)         modsingle[post-auth]: returned from noop (rlm_always)
Thu Jan  3 15:05:12 2019 : Debug: (2)         [noop] = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)       } # else = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)     } # policy remove_reply_message_if_eap = noop
Thu Jan  3 15:05:12 2019 : Debug: (2)   } # post-auth = noop
Thu Jan  3 15:05:12 2019 : Auth: (2) Login OK: [healthcheckVIP] (from client radius-proxy-v port 0)
Thu Jan  3 15:05:12 2019 : Debug: (2) Sent Access-Accept Id 152 from 11.126.109.241:1812 to 11.126.112.186:38553 length 0
Thu Jan  3 15:05:12 2019 : Debug: (2) Finished request


>        perl
>  What does this do?  You haven't said.
This custom script is *ONLY* used as a pass-through to forward the requests to RADIUS server 1, and if the reply is REJECT then the request is sent in failover to RADIUS server 2.

Thx for your patience

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+thierry.calmels.external=airbus.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday 17 December 2018 14:20
To: FreeRadius users mailing list
Subject: Re: Proxy FreeRADIUS Monitoring from LB F5

On Dec 16, 2018, at 2:32 PM, CALMELS, Thierry (SOGETI REGIONS SAS) <thierry.calmels.external at airbus.com> wrote:
>> The configuration you posted here is *not* what I proposed that you use.
>> Please go back and read my message again.
> 
> I reviewed your answer and I updated as you advised, but without success.
> 
> The configuration which is working is the one below, with the conditional on User-Name.
> I don't find it very sexy!
> 
> files
> if (&User-Name != 'healthcheckVIP') {

  OK, I really dislike this whole process of giving tiny bits of information.  It wastes everyone's time.

  This is the *first* time you mentioned that there's a "healthcheckVIP" user name.  If you had said that at the START of the conversation, I would have been able to give you better advice.

  If you want good answers, ask good questions.  Your questions are vague, and generally don't include relevant information.

>        perl

  What does this do?  You haven't said.

>        if (ok || updated) {
>            update control {
>                Auth-Type := Perl
>            }
>        }
> }
> 
> ================
> I tried to make something like that, but I got the error saying the Auth-Type is not defined.

  <sigh>  If only there was some kind of debug output which you could post to the list, so that *experts* could read it and give you useful advice.

  You're trying to solve the problem without describing it in any detail.  That isn't good.

  Alan DeKok.

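One way to gate the perl pass-through on whether `files` already matched a local entry, rather than on the User-Name value, as an added configuration example that is not from this thread or from Alan's reply. It assumes the users file lives at /etc/raddb/users, has no DEFAULT entry, and that the health-check password shown is a placeholder.

```unlang
# /etc/raddb/users (constructed entry): the F5 health-check account is a
# local user. Cleartext-Password replaces the deprecated "User-Password =="
# check item that the debug output warns about, so pap verifies the password
# in the normal way instead of the request being accepted unconditionally.
healthcheckVIP  Cleartext-Password := "PLACEHOLDER-LB-PASSWORD"
                Reply-Message = "health check ok"

# /etc/raddb/sites-enabled/default, authorize section (constructed fragment)
authorize {
        filter_username
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files

        # files returns "ok" only when a users entry matched the request.
        # Everyone else gets "notfound", and only then is the request handed
        # to the perl pass-through (RADIUS 1, failover to RADIUS 2 on reject).
        # Assumes there is no DEFAULT entry in users; with one, files would
        # return ok for every request and nothing would be proxied.
        if (notfound) {
                perl
                if (ok || updated) {
                        update control {
                                Auth-Type := Perl
                        }
                }
        }

        expiration
        logintime
        pap
}
```

With this layout the health-check request is authenticated locally by pap, so a wrong password from the monitor is rejected rather than accepted, and no User-Name string comparison has to be kept in sync with the F5 configuration.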
