TLS failover behaviour and a backtrace if you want it.
FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST)
andy.franks1 at nhs.net
Mon Nov 18 14:44:25 CET 2019
Hi,
Using 3.0.19 on Ubuntu from the Ubuntu networkradius repo.
I've been doing some testing on tls proxy connections.
sites-enabled/tls below.
home_server rsh-haproxy-rp1 {
    ipaddr = 192.168.110.46
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
    tls {
        private_key_file = /etc/freeradius/certs/privkey.pem
        certificate_file = /etc/freeradius/certs/fullchain.pem
        ca_file = /etc/ssl/certs/ca-certificates.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
    }
    limit {
        idle_timeout = 0
    }
}

home_server prh-haproxy-rp1 {
    ipaddr = 192.168.12.200
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
    tls {
        private_key_file = /etc/freeradius/certs/privkey.pem
        certificate_file = /etc/freeradius/certs/fullchain.pem
        ca_file = /etc/ssl/certs/ca-certificates.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
    }
}

home_server_pool some_radius_servers {
    type = fail-over
    home_server = rsh-haproxy-rp1
    home_server = prh-haproxy-rp1
}

realm DEFAULT {
    auth_pool = some_radius_servers
}
Firstly, I must admit I expected failover to be "within the same request", but it takes a repeat request from the client should a TLS server be unavailable. I guess this is just me misunderstanding the failover for TLS; I assumed it was the same as something like a redundant {} section.
If the server isn't listening on 2083, i.e. service stopped:
..
(1) Starting proxy to home server 192.168.110.46 port 2083
(1) server default {
(1) }
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(1) Failed to insert request into the proxy list
(1) There was no response configured: rejecting request
..
If the client repeats the request, it tries the next server OK, but I'd be a little concerned that some clients might not after a direct reject reply.
Could someone please confirm this is by design?
Also, I'm noticing a crash if the home server pool is depleted to zero, i.e. all servers are down. It's unlikely to happen, but you may be interested in coding these out.
..
(2) } # authorize = updated
(2) ERROR: Failed to find live home server: Cancelling proxy
(2) WARNING: No home server selected
(2) Clearing existing &reply: attributes
(2) Found Post-Proxy-Type Fail-Authentication
Thread 3 "freeradius" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe552e700 (LWP 169613)]
0x0000555555587c8b in ?? ()
(gdb) bt
#0 0x0000555555587c8b in ?? ()
#1 0x000055555558e61a in ?? ()
#2 0x0000555555586a75 in ?? ()
#3 0x00007ffff6bde6db in start_thread (arg=0x7fffe552e700) at pthread_create.c:463
#4 0x00007ffff644b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Thanks
Andy
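The two failure paths quoted above (a refused TLS proxy socket that ends in a reject, and a depleted pool with no live home server) are easy to miss in a busy debug log. The following is an added example, not part of the original post or of FreeRADIUS: a small classifier that walks radiusd -X style output, attributes the unprefixed socket-error line to the request in flight, and emits one alert per request that never reached a home server. The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample excerpt, modelled on the radiusd -X output quoted in the post.
SAMPLE_LOG = """\
(1) Starting proxy to home server 192.168.110.46 port 2083
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(1) Failed to insert request into the proxy list
(1) There was no response configured: rejecting request
(2) } # authorize = updated
(2) ERROR: Failed to find live home server: Cancelling proxy
(2) WARNING: No home server selected
(3) Starting proxy to home server 192.168.12.200 port 2083
"""

REQ_RE = re.compile(r"^\((\d+)\) (.*)$")
START_RE = re.compile(r"Starting proxy to home server (\S+) port (\d+)")
SOCKET_RE = re.compile(r"Failed opening new proxy socket .*home_server \((\S+), (\d+)\)' : (.*)$")

def classify_requests(log_text):
    """Map request number -> proxy target and outcome ('proxied',
    'rejected_after_socket_failure' or 'no_live_home_server')."""
    requests, current = {}, None
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current, body = m.group(1), m.group(2)
            requests.setdefault(current, {"target": None, "error": None, "outcome": None})
        else:
            body = line  # unprefixed lines (socket errors) belong to the request in flight
        if current is None:
            continue
        rec = requests[current]
        if s := START_RE.search(body):
            rec["target"], rec["outcome"] = f"{s.group(1)}:{s.group(2)}", "proxied"
        if f := SOCKET_RE.search(body):
            rec["target"], rec["error"] = f"{f.group(1)}:{f.group(2)}", f.group(3)
        if "rejecting request" in body and rec["error"]:
            rec["outcome"] = "rejected_after_socket_failure"  # client must retry to reach next pool member
        if "Failed to find live home server" in body:
            rec["outcome"] = "no_live_home_server"  # pool depleted: the state that crashed in the post
    return requests

def failover_alerts(requests):
    """One alert string per request that never reached a home server."""
    return [f"request {rid}: {rec['outcome']} target={rec['target']} error={rec['error']}"
            for rid, rec in sorted(requests.items(), key=lambda kv: int(kv[0]))
            if rec["outcome"] != "proxied"]

if __name__ == "__main__":
    print("\n".join(failover_alerts(classify_requests(SAMPLE_LOG))))
```

Feed it `radiusd -X` output captured during a failover test to see which requests were rejected outright rather than proxied to the surviving pool member.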