Handling unreliable proxy partners
Peter Lambrechtsen
peter at crypt.nz
Wed May 19 20:51:14 CEST 2021
On Thu, 20 May 2021 at 05:37, Alan DeKok <aland at deployingradius.com> wrote:
> On May 19, 2021, at 1:20 PM, Paul Moser via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > We'd also like a manual mechanism that our support team can trigger to
> cover other failure scenarios, eg the remote radius server is incorrectly
> returning access-reject for all valid users, and those scenarios that we
> haven't been able to think of but will occur, inevitably at the most
> inconvenient of times.
> >
> > My first attempt at this was that the support team could use radmin to
> set the home servers to dead which would mean packets were routed via the
> falback virtual server. I initially thought this worked as a solution, but
> if FreeRadius is doing status checks against the remote servers then it
> will automatically bring them back into service as long as the status check
> requests are responding, which if say the remote partner is responding with
> access-rejects to even valid users is not what you want.
>
> Yes. The server tries very hard to proxy packets.
>
> > One idea I haven't explored is having two copies of each virtual server,
> in different files, one for the normal situation and one for the failure
> situation and switching which one to use using symlinks and radmin to
> reload the configuration.
>
> That's probably too complex. I wouldn't recommend it.
>
> > So far what I have come up with so far is within a virtual server
> pre-proxy section to use the exec module to call a simple shell script that
> check for the presence of flag files indicating which if any partners are
> in a bad state. The support team are responsible for creating these files.
> If any flag files are present the the script adds a radius attribute for
> each, the value indicating which partner. In the pre-proxy section I can
> then check for this attribute and value if it indicates that the partner
> the virtual server is handling is in a failure state then call accept from
> the always module which will cancel the proxying attempt and send an
> access-accept. We can also call any policy that would also get called in
> the fallback virtual server or Post-Proxy-Type Fail-Authentication if we
> want common radius attributes to be returned in the response to apply some
> sort of QoS restriction.
> >
> > The rlm_exec documentation states using exec is very slow and something
> like the perl module would be more appropriate for a live environment.
> Before I carry on down the path of performance testing this and trying
> perl/python/rest/custom C module does anyone have any thoughts/observations
> or alternative suggestions?
>
> Use "rlm_always". From the Changelog for 3.0.22:
>
> * New xlat for setting status of rlm_always instances and new
> resource-check example virtual server for manipulating control
> flow
> in unlang policies based on status of some external resource.
> Patches from Terry Burton.
>
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/always#L35
>
> You can also also use "radmin" to poke the "always" configuration live:
>
> radmin> set module config always rcode fail
>
> The idea would be to create an instance of the "always" module, for each
> home server / pool you're proxying to. You can then do something like:
>
> always server_x_status {
> rcode = ok
> }
>
> and then
>
> server_x_status
> if (ok) {
> proxy to server x
> }
>
> And then you can set that to ok / fail, depending on whatever you want.
>
> Alan DeKok.
I found Replicate-To-Realm very useful here. I could proxy the request to a
secondary server to process the request and create the database entries and
check if the password was correct and decided if I needed to update the
database or not out of band from the main instance as the database couldn’t
write as quickly as FR could process requests.
I can dig up the code and sanitise it and post it publicly if that would
help. It was using FR3 and an LDAP backend and dynamic clients. I remember
asking if dynamic realms would be possible but it turns out it’s just
easier having a static file and doing rolling updates of the proxies when a
new realm came onboard.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list