Route through post-proxy not working when no live home servers are available - (3.0.20)

João Vitor Arruda joao.arruda at gmail.com
Wed Apr 15 18:36:59 CEST 2020


Hello there, I would like to request your help to see why we are facing
this issue that was supposedly fixed in
https://github.com/FreeRADIUS/freeradius-server/pull/2072

We have a server configured to proxy to an upstream server and the
"post-proxy" configured with "Post-Proxy-Type Fail-Authentication"
(tested with "Post-Proxy-Type Fail" too) to not respond.

When the upstream server does not reply (either before or after
starting the zombie period) the post-proxy section is invoked and
works as expected as you can see in the log below (some lines were
suppressed):

(1) Received Access-Request Id 4 from [IPv6_HERE]:1812 to
[IPv6_HERE]:1812 length 371
(1) Starting proxy to home server 192.168.100.10 port 1812
(1) Proxying request to home server 192.168.100.10 port 1812 timeout 5.000000
(1) Sent Access-Request Id 188 from 0.0.0.0:41510 to
192.168.100.10:1812 length 398
(1) Expecting proxy response no later than 4.667684 seconds from now
(1) No proxy response, giving up on request and marking it done
Marking home server 192.168.100.10 port 1812 as zombie (it has not
responded in 5.000000 seconds).
(1) ERROR: Failing proxied request for user "deadbeefcafe", due to
lack of any response from home server 192.168.100.10 port 1812
(1) Clearing existing &reply: attributes
(1) Found Post-Proxy-Type Fail-Authentication
(1) server default {
(1)   # Executing group from file /etc/raddb/sites-enabled/default
(1)     Post-Proxy-Type Fail-Authentication {
(1)       if ((NAS-Port-Type == Ethernet) || (Service-Type ==
Call-Check) || (Service-Type == Framed-User)) {
(1)       if ((NAS-Port-Type == Ethernet) || (Service-Type ==
Call-Check) || (Service-Type == Framed-User)) -> TRUE
(1)       if ((NAS-Port-Type == Ethernet) || (Service-Type ==
Call-Check) || (Service-Type == Framed-User)) {
(1)         update control {
(1)           &Response-Packet-Type := Do-Not-Respond
(1)         } # update control = noop
(1)       } # if ((NAS-Port-Type == Ethernet) || (Service-Type ==
Call-Check) || (Service-Type == Framed-User))  = noop
(1)     } # Post-Proxy-Type Fail-Authentication = noop
(1) }
(1) Login incorrect (Home Server failed to respond): [deadbeefcafe]
(from client any_ipv6 port 111 cli de-ad-be-ef-ca-fe)
(1) Not responding to request
(1) # Executing section post-auth from file /etc/raddb/sites-enabled/default

But when the upstream server is marked as DEAD the post-proxy section
is never invoked as you can see in the log below (some lines were
suppressed):

(60) Received Access-Request Id 216 from [IPv6_HERE]:1812 to
[IPv6_HERE]:1812 length 371
(60) ERROR: Failed to find live home server: Cancelling proxy
(60) WARNING: No home server selected
(60) There was no response configured: rejecting request
(60) Using Post-Auth-Type Reject
(60) # Executing group from file /etc/raddb/sites-enabled/default
(60)   Post-Auth-Type REJECT {
(60) Login incorrect (Failed to find live home server: Cancelling
proxy): [deadbeefcafe ] (from client any_ipv6 port 111 cli
de-ad-be-ef-ca-fe)
(60) Sent Access-Reject Id 216 from [ IPv6_HERE]:1812 to [ IPv6_HERE
]:1812 length 20

Thanks for your help.
Regards,
Joao Arruda

