Proxy FreeRADIUS Monitoring from LB F5

Alan DeKok aland at deployingradius.com
Fri Jan 4 20:23:58 CET 2019


On Jan 3, 2019, at 9:50 AM, CALMELS, Thierry (SOGETI REGIONS SAS) <thierry.calmels.external at airbus.com> wrote:
>> This is the *first* time you mentioned that there's a "healthcheckVIP" user name.  If you had said that at the START of the conversation, I would have been able to give you better advice.
> Not really - this username was mentioned in my first mail. This username (+password+PSK) are configured on LB F5 in front of the RADIUS PROXY.

  I went back and looked before I had sent that message.  I didn't see it.

>> If only there was some kind of debug output which you could post to the list, so that *experts* could read it and give you useful advice
> Below a trace involving the local user "healthcheckVIP".
> 
> Reminder: the aim is to validate that the condition on &User-Name is acceptable or not. The functional test made by the LB is OK but the implementation on RADIUS side can be improved.... 
> Without this condition, I don't understand why, although the user was found in files repository, we chain to the perl module...

  The problem is we're playing a game of "twenty questions" here.  You're giving little bits of information in each message.  You're not *fully* describing what you want.

  When you make it hard for me to help you, I'm inclined to just give up.  Such as this:

> Thu Jan  3 15:05:12 2019 : Debug: (2) Received Access-Request Id 152 from 11.126.112.186:38553 to 11.126.109.241:1812 length 95
> Thu Jan  3 15:05:12 2019 : Debug: (2)   User-Name = "healthcheckVIP"
> Thu Jan  3 15:05:12 2019 : Debug: (2)   User-Password = "xxxxxxxxxx"

  Really?  *ALL* of the documentation says to post "radiusd -X".  Not "-XXXxxxxxxx".

  When it's clear you're not following the documentation *and* are making it hard for me to help you, that's frustrating.  Why do this?

  You're in the classic problem of trying all kinds of different solutions, when you don't have a clear description of the problem.  Write down a clear description of the problem, and the solution should be pretty simple:

* When the server gets an Access-Request from the F5 IP
  AND the Access-Request contains User-Name == "healthcheckVIP"
  AND the User-Password is XXX
  THEN return Access-Accept containing .... attributes.

  You can write that down almost exactly like that in "unlang", with a few simple "if" statements, and an "update" section.  It really is that simple.

  Stop trying to understand whatever complex solution you've come up with.  It's clearly not working.  In large part because you don't have a clear description of the problem, *and* because you're not clear on how the server works.

  It really is that simple:  IF A && B && C then D.

  Alan DeKok.
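
The "IF A && B && C then D" rule from the message above, written out as FreeRADIUS v3 unlang. This is an added example, not configuration from the original post or from the FreeRADIUS project; the source address 192.0.2.10, the password string, the Reply-Message value, and the placement of "files" and "perl" in the else branch are assumptions standing in for the site's real values.

```unlang
# Added example for the "authorize" section of the virtual server
# that receives the F5 health-check probes (FreeRADIUS v3 syntax).
authorize {
    # The health-check name is handled entirely here, so it never
    # falls through to the "files" or "perl" modules.
    if (&User-Name == "healthcheckVIP") {
        # A: request comes from the F5 (192.0.2.10 is a placeholder)
        # B: User-Name matched above
        # C: password matches (placeholder value, replace it)
        if ((&Packet-Src-IP-Address == 192.0.2.10) && \
            (&User-Password == "CHANGE-ME")) {
            # D: return Access-Accept with the attributes the F5 expects.
            # Reply-Message is an assumed attribute for illustration.
            update reply {
                &Reply-Message := "health check OK"
            }
            update control {
                &Auth-Type := Accept
            }
        }
        else {
            # Same user name from any other source, or with a wrong
            # password: reject, so the probe account cannot be used
            # by ordinary RADIUS clients.
            reject
        }
    }
    else {
        # All other users follow the normal policy (assumed here to
        # be the "files" and "perl" modules mentioned in the thread).
        files
        perl
    }
}
```

The password sits in clear text in the policy file, so the file's permissions should restrict it to the account that runs radiusd.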



