Proxy FreeRADIUS Monitoring from LB F5
CALMELS, Thierry (SOGETI REGIONS SAS)
thierry.calmels.external at airbus.com
Mon Jan 7 18:06:14 CET 2019
Hi,
The line 91 contains the user declaration (healthcheckVIP).
The healtcheck is done every 10s.
I reversed the check and I think it's better.
About other specific attribute, you suggest to use the NAS-IP-Address for example in place of User-Name ?..
About the usage of virtual server, I saw that the VS do NOT have to be set up with the "sites-available" and "sites-enabled" directories meaning the configuration must be moved to radiusd.conf. Not easy to do that for the time being without validating again the entire configuration.
Kr
Thierry
-----Message d'origine-----
De : Freeradius-Users [mailto:freeradius-users-bounces+thierry.calmels.external=airbus.com at lists.freeradius.org] De la part de Alan Buxey
Envoyé : jeudi 3 janvier 2019 15:59
À : FreeRadius users mailing list
Objet : Re: Proxy FreeRADIUS Monitoring from LB F5
hi,
found in user file because "files: users: Matched entry healthcheckVIP at
line 91" . - whats in line 91 of your users file?
I would adjust the check.... how often is this health check running? Your
check should be reversed, I think, such that if its
the monitoring user-name then you do X, else do Y. but another thing -
the monitor user will have specific other attributes
that the normal traffic wont have - the NAS-IP-Address or such..you also
want that in as a check item for your logic - be specific
as possible for your health check... would be even better if you could
direct that to its own virtual server but maybe thats too much to ask for.
alan
On Thu, 3 Jan 2019 at 14:50, CALMELS, Thierry (SOGETI REGIONS SAS) <
thierry.calmels.external at airbus.com> wrote:
> Happy new year Alan,
>
> As new resolution, I decided to re-contact you about the same topic^^
> Below, the old thread.
>
> >This is the *first* time you mentioned that there's a "healthcheckVIP"
> user name. If you had said that at the START of the conversation, I would
> have been able to give you better advice.
> Not really - this username was mentioned in my first mail. This username
> (+password+PSK) are configured on LB F5 in front of the RADIUS PROXY.
>
> >If only there was some kind of debug output which you could post to the
> list, so that *experts* could read it and give you useful advice
> Below a trace involving the local user "healthcheckVIP".
>
> Reminder: the aim is to validate that the condition on &User-Name is
> acceptable or not. The functional test made by the LB is OK but the
> implementation on RADIUS side can be improved....
> Without this condition, I don't understand why although the user was find
> in files repository, we chain to the perl module...
>
> Thu Jan 3 15:05:12 2019 : Debug: (2) Received Access-Request Id 152 from
> 11.126.112.186:38553 to 11.126.109.241:1812 length 95
> Thu Jan 3 15:05:12 2019 : Debug: (2) User-Name = "healthcheckVIP"
> Thu Jan 3 15:05:12 2019 : Debug: (2) User-Password = "xxxxxxxxxx"
> Thu Jan 3 15:05:12 2019 : Debug: (2) NAS-IP-Address = 11.147.11.193
> Thu Jan 3 15:05:12 2019 : Debug: (2) NAS-Identifier =
> "m880gbigip1-val.fr.eu.airbus.corp"
> Thu Jan 3 15:05:12 2019 : Debug: (2) session-state: No State attribute
> Thu Jan 3 15:05:12 2019 : Debug: (2) # Executing section authorize from
> file /etc/raddb/sites-enabled/default
> Thu Jan 3 15:05:12 2019 : Debug: (2) authorize {
> Thu Jan 3 15:05:12 2019 : Debug: (2) policy filter_username {
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name) {
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name) -> TRUE
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name) {
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ / /) {
> Thu Jan 3 15:05:12 2019 : Debug: No matches
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ / /) ->
> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@[^@]*@/
> ) {
> Thu Jan 3 15:05:12 2019 : Debug: No matches
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@[^@]*@/
> ) -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.\./ ) {
> Thu Jan 3 15:05:12 2019 : Debug: No matches
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.\./ )
> -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/)) {
> Thu Jan 3 15:05:12 2019 : Debug: No matches
> Thu Jan 3 15:05:12 2019 : Debug: (2) if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.$/) {
> Thu Jan 3 15:05:12 2019 : Debug: No matches
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /\.$/)
> -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@\./) {
> Thu Jan 3 15:05:12 2019 : Debug: No matches
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name =~ /@\./)
> -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # if (&User-Name) = notfound
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # policy filter_username =
> notfound
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> preprocess (rlm_preprocess)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from preprocess (rlm_preprocess)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [preprocess] = ok
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> chap (rlm_chap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from chap (rlm_chap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [chap] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> mschap (rlm_mschap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from mschap (rlm_mschap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [mschap] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> digest (rlm_digest)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from digest (rlm_digest)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [digest] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> suffix (rlm_realm)
> Thu Jan 3 15:05:12 2019 : Debug: (2) suffix: Checking for suffix after "@"
> Thu Jan 3 15:05:12 2019 : Debug: (2) suffix: No '@' in User-Name =
> "healthcheckVIP", looking up realm NULL
> Thu Jan 3 15:05:12 2019 : Debug: (2) suffix: No such realm "NULL"
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from suffix (rlm_realm)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [suffix] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> eap (rlm_eap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) eap: No EAP-Message, not doing EAP
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from eap (rlm_eap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [eap] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> files (rlm_files)
> Thu Jan 3 15:05:12 2019 : Warning: Found User-Password == "..."
> Thu Jan 3 15:05:12 2019 : Warning: Are you sure you don't mean
> Cleartext-Password?
> Thu Jan 3 15:05:12 2019 : Warning: See "man rlm_pap" for more information
> Thu Jan 3 15:05:12 2019 : Debug: (2) files: users: Matched entry
> healthcheckVIP at line 91
> Thu Jan 3 15:05:12 2019 : Debug: (2) files: ::: FROM 0 TO 0 MAX 0
> Thu Jan 3 15:05:12 2019 : Debug: (2) files: ::: TO in 0 out 0
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from files (rlm_files)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [files] = ok
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name !=
> 'healthcheckVIP' && &User-Name != 'monitoringUser') {
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&User-Name !=
> 'healthcheckVIP' && &User-Name != 'monitoringUser') -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> expiration (rlm_expiration)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from expiration (rlm_expiration)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [expiration] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> logintime (rlm_logintime)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from logintime (rlm_logintime)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [logintime] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: calling
> pap (rlm_pap)
> Thu Jan 3 15:05:12 2019 : WARNING: (2) pap: Auth-Type already set. Not
> setting to PAP
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[authorize]: returned
> from pap (rlm_pap)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [pap] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # authorize = ok
> Thu Jan 3 15:05:12 2019 : Debug: (2) Found Auth-Type = Accept
> Thu Jan 3 15:05:12 2019 : Debug: (2) Auth-Type = Accept, accepting the
> user
> Thu Jan 3 15:05:12 2019 : Debug: (2) # Executing section post-auth from
> file /etc/raddb/sites-enabled/default
> Thu Jan 3 15:05:12 2019 : Debug: (2) post-auth {
> Thu Jan 3 15:05:12 2019 : Debug: (2) update {
> Thu Jan 3 15:05:12 2019 : Debug: (2) No attributes updated
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # update = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]: calling
> exec (rlm_exec)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]: returned
> from exec (rlm_exec)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [exec] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) policy
> remove_reply_message_if_eap {
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&reply:EAP-Message &&
> &reply:Reply-Message) {
> Thu Jan 3 15:05:12 2019 : Debug: (2) if (&reply:EAP-Message &&
> &reply:Reply-Message) -> FALSE
> Thu Jan 3 15:05:12 2019 : Debug: (2) else {
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]:
> calling noop (rlm_always)
> Thu Jan 3 15:05:12 2019 : Debug: (2) modsingle[post-auth]:
> returned from noop (rlm_always)
> Thu Jan 3 15:05:12 2019 : Debug: (2) [noop] = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # else = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # policy
> remove_reply_message_if_eap = noop
> Thu Jan 3 15:05:12 2019 : Debug: (2) } # post-auth = noop
> Thu Jan 3 15:05:12 2019 : Auth: (2) Login OK: [healthcheckVIP] (from
> client radius-proxy-v port 0)
> Thu Jan 3 15:05:12 2019 : Debug: (2) Sent Access-Accept Id 152 from
> 11.126.109.241:1812 to 11.126.112.186:38553 length 0
> Thu Jan 3 15:05:12 2019 : Debug: (2) Finished request
>
>
> > perl
> > What does this do? You haven't said.
> This custom script is *ONLY* used as pass-throughs to forward the requests
> to the server RADIUS 1 and if the reply is REJECT then the request is sent
> in failover to server RADIUS 2.
>
> Thx for your patience
>
> -----Message d'origine-----
> De : Freeradius-Users [mailto:
> freeradius-users-bounces+thierry.calmels.external=
> airbus.com at lists.freeradius.org] De la part de Alan DeKok
> Envoyé : lundi 17 décembre 2018 14:20
> À : FreeRadius users mailing list
> Objet : Re: Proxy FreeRADIUS Monitoring from LB F5
>
> On Dec 16, 2018, at 2:32 PM, CALMELS, Thierry (SOGETI REGIONS SAS) <
> thierry.calmels.external at airbus.com> wrote:
> >> The configuration you posted here is *not* what I proposed that you use.
> >> Please go back and read my message again.
> >
> > I reviewed your answer and I updated as you advise but without success.
> >
> > The configuration which is working is the below one with the conditional
> on User-Name.
> > I don't find it very sexy!
> >
> > files
> > if (&User-Name != 'healthcheckVIP') {
>
> OK, I really dislike this whole process of giving tiny bits of
> information. It wastes everyone's time.
>
> This is the *first* time you mentioned that there's a "healthcheckVIP"
> user name. If you had said that at the START of the conversation, I would
> have been able to give you better advice.
>
> If you want good answers, ask good questions. Your questions are vague,
> and generally don't include relevant information.
>
> > perl
>
> What does this do? You haven't said.
>
> > if (ok || updated) {
> > update control {
> > Auth-Type := Perl
> > }
> > }
> > }
> >
> > ================
> > I tried to make something like that, but I got the error saying the
> Auth-Type is not defined.
>
> <sigh> If only there was some kind of debug output which you could post
> to the list, so that *experts* could read it and give you useful advice.
>
> You're trying to solve the problem without describing it in any detail.
> That isn't good.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> The information in this e-mail is confidential. The contents may not be
> disclosed or used by anyone other than the addressee. Access to this e-mail
> by anyone else is unauthorised.
> If you are not the intended recipient, please notify Airbus immediately
> and delete this e-mail.
> Airbus cannot accept any responsibility for the accuracy or completeness
> of this e-mail as it has been sent over public networks. If you have any
> concerns over the content of this message or its Accuracy or Integrity,
> please contact Airbus immediately.
> All outgoing e-mails from Airbus are checked using regularly updated virus
> scanning software but you should take whatever measures you deem to be
> appropriate to ensure that this message and any attachments are virus free.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
More information about the Freeradius-Users
mailing list