RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Thanks for the reply, here is what I am trying to do


External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
Backend_Servers_Set01 (1812,1813)
External Servers Send Requests To - 1815,1816 -- FreeRadiusd -- 
Backend_Servers_Set02 (1815,1816)

I guess I am not sure where the listen section goes? Maybe I removed it from my 
proxy.conf file? 

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, December 16, 2010 3:07 AM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 I'm pretty clear on how I would add a new home_server_pool called like 
 alt-server-balance with the other two home_servers defined which listen on 
 the 1815,1816 the part I am confused about is how to define the new realm, 
 since I'm using DEFAULT to send all traffic to server-balance how do I 
 define a new realm which will accept traffic on 1815,1816 and send it to 
 alt-server-balance. 
 
 I hope that makes sense.

  No.

  You've confused *incoming* connections with *outgoing* connections.
Realms allow you to send packets to outgoing connections.  Realms do
*not* accept traffic.

  You're stuck on implementing a particular solution.  Instead, focus on the 
problem.  It will usually be easier than you think.

  Draw a diagram of how you want packets to flow in/out of the server.
Incoming packets require a listen section.  Outgoing packets require a 
home_server definition.  The glue in between is the realms, and/or the 
policies you want to configure.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Hmm, my line breaks were removed from my email

External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
Backend_Servers_Set01 (1812,1813) 



External Servers Send Requests To - 1815,1816 -- FreeRadiusd -- 
Backend_Servers_Set02 (1815,1816)

Let's try again

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Brian Carpio
Sent: Friday, December 17, 2010 9:10 AM
To: FreeRadius users mailing list
Subject: RE: Reals Based Upon Port

Thanks for the reply, here is what I am trying to do


External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
Backend_Servers_Set01 (1812,1813) External Servers Send Requests To - 1815,1816 
-- FreeRadiusd -- Backend_Servers_Set02 (1815,1816)

I guess I am not sure where the listen section goes? Maybe I removed it from my 
proxy.conf file? 

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, December 16, 2010 3:07 AM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 I'm pretty clear on how I would add a new home_server_pool called like 
 alt-server-balance with the other two home_servers defined which listen on 
 the 1815,1816 the part I am confused about is how to define the new realm, 
 since I'm using DEFAULT to send all traffic to server-balance how do I 
 define a new realm which will accept traffic on 1815,1816 and send it to 
 alt-server-balance. 
 
 I hope that makes sense.

  No.

  You've confused *incoming* connections with *outgoing* connections.
Realms allow you to send packets to outgoing connections.  Realms do
*not* accept traffic.

  You're stuck on implementing a particular solution.  Instead, focus on the 
problem.  It will usually be easier than you think.

  Draw a diagram of how you want packets to flow in/out of the server.
Incoming packets require a listen section.  Outgoing packets require a 
home_server definition.  The glue in between is the realms, and/or the 
policies you want to configure.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Reals Based Upon Port

2010-12-17 Thread Alan DeKok
Brian Carpio wrote:
 Thanks for the reply, here is what I am trying to do
 
 
 External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
 Backend_Servers_Set01 (1812,1813)
 External Servers Send Requests To - 1815,1816 -- FreeRadiusd -- 
 Backend_Servers_Set02 (1815,1816)
 
 I guess I am not sure where the listen section goes?

  radiusd.conf.  Or, read raddb/sites-available/README

 Maybe I removed it from my proxy.conf file? 

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
/

 end radiusd.conf -

What would happen is that the radiusd requests weren't being proxied any more, 
freeradius was trying to authenticate the user

--- output from radiusd -X 

rad_recv: Access-Request packet from host 192.168.180.110 port 58754, id=13, 
length=112
User-Name = tuser10104
User-Password = password
Calling-Station-Id = 00-90-4b-13-a3-8a
Acct-Session-Id = 1000
Framed-IP-Address = 70.3.0.99
Cisco-Service-Info = Time 0, Content 0
NAS-IP-Address = 192.168.181.29
server default {
  WARNING: Empty section.  Using default return values.
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
} # server default
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform 
requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 13 to 192.168.180.110 port 58754
Waking up in 4.9 seconds.
Cleaning up request 0 ID 13 with timestamp +20
Ready to process requests.


 end output -


I even tried to add virtual_server = default to the proxy.conf but that didn't 
seem to work either... Sorry, I am probably making this more difficult than it 
needs to be, but again I simply want to use freeradius as a load balancer / 
proxy server. 

Thanks,
Brian Carpio




-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Friday, December 17, 2010 9:31 AM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 Thanks for the reply, here is what I am trying to do
 
 
 External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
 Backend_Servers_Set01 (1812,1813) External Servers Send Requests To - 
 1815,1816 -- FreeRadiusd -- Backend_Servers_Set02 (1815,1816)
 
 I guess I am not sure where the listen section goes?

  radiusd.conf.  Or, read raddb/sites-available/README

 Maybe I removed it from my proxy.conf file? 

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Reals Based Upon Port

2010-12-17 Thread Alan DeKok
Brian Carpio wrote:
 Thanks for your help Alan, but I think I am not giving you the right 
 information.. (that or I don't understand the README)
 
 So we are using freeradius for proxying requests to different backend servers 
 only (basically using freeradius as a load balancer), we aren't using it to 
 actually authenticate users at all, when we simply wanted to listen on 1812 
 and 1813 and proxy to multiple home_servers on 1812 and 1813 everything works 
 fine

  So set Proxy-To-Realm manually.  The virtual server sections need
to be little more than:

server x {
    listen {
        type = ...
        ipaddr = ...
    }

    authorize {
        update control {
            Proxy-To-Realm := 'x'
        }
    }

    preacct {
        update control {
            Proxy-To-Realm := 'x'
        }
    }
}

  Really.  That's *it*.  Fill in the listen config.  Define the
realms, and use the ~20 lines of text above.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Thanks this is working perfectly now!

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Friday, December 17, 2010 1:32 PM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 Thanks for your help Alan, but I think I am not giving you the right 
 information.. (that or I don't understand the README)
 
 So we are using freeradius for proxying requests to different backend 
 servers only (basically using freeradius as a load balancer), we 
 aren't using it to actually authenticate users at all, when we simply 
 wanted to listen on 1812 and 1813 and proxy to multiple home_servers 
 on 1812 and 1813 everything works fine

  So set Proxy-To-Realm manually.  The virtual server sections need to be 
little more than:

server x {
    listen {
        type = ...
        ipaddr = ...
    }

    authorize {
        update control {
            Proxy-To-Realm := 'x'
        }
    }

    preacct {
        update control {
            Proxy-To-Realm := 'x'
        }
    }
}

  Really.  That's *it*.  Fill in the listen config.  Define the realms, and 
use the ~20 lines of text above.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Reals Based Upon Port

2010-12-16 Thread Alan DeKok
Brian Carpio wrote:
 I'm pretty clear on how I would add a new home_server_pool called like 
 alt-server-balance with the other two home_servers defined which listen on 
 the 1815,1816 the part I am confused about is how to define the new realm, 
 since I'm using DEFAULT to send all traffic to server-balance how do I 
 define a new realm which will accept traffic on 1815,1816 and send it to 
 alt-server-balance. 
 
 I hope that makes sense.

  No.

  You've confused *incoming* connections with *outgoing* connections.
Realms allow you to send packets to outgoing connections.  Realms do
*not* accept traffic.

  You're stuck on implementing a particular solution.  Instead, focus on
the problem.  It will usually be easier than you think.

  Draw a diagram of how you want packets to flow in/out of the server.
Incoming packets require a listen section.  Outgoing packets require a
home_server definition.  The glue in between is the realms, and/or the
policies you want to configure.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Reals Based Upon Port

2010-12-15 Thread Brian Carpio
So I am still a bit confused by this (I'm just now getting back to this issue). 

So I have the following setup:

- Radiusd Server
-- 2 home_servers listening on 1812 and 1813
-- 2 home_servers listening on 1815 and 1816

In my proxy.conf I have the following:

proxy server {
    default_fallback = no
}
home_server server01 {
    type = auth+acct
    ipaddr = server01
    port = 1812,1813
    secret = s3cret
    require_message_authenticator = no
    response_window = 20
    zombie_period = 10
    status_check = request
    username = t...@test.com
    password = s3cret
    check_interval = 5
    num_answers_to_alive = 3
}
home_server server02 {
    type = auth+acct
    ipaddr = server02
    port = 1812,1813
    secret = s3cret
    require_message_authenticator = no
    response_window = 20
    zombie_period = 10
    status_check = request
    username = t...@test.com
    password = s3cret
    check_interval = 5
    num_answers_to_alive = 3
}
home_server_pool server-balance {
    type = load-balance
    home_server = server01
    home_server = server02
}
realm DEFAULT {
    pool = server-balance
    nostrip
}


I'm pretty clear on how I would add a new home_server_pool called like 
alt-server-balance with the other two home_servers defined which listen on the 
1815,1816 the part I am confused about is how to define the new realm, since 
I'm using DEFAULT to send all traffic to server-balance how do I define a new 
realm which will accept traffic on 1815,1816 and send it to alt-server-balance. 

I hope that makes sense.

Thanks,
Brian Carpio

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Wednesday, August 18, 2010 7:09 PM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 Currently I am using freeradius2-2.1.8-2 to load balance radius traffic 
 between two hosts, I have a single realm DEFAULT setup which proxies the 
 radius traffic between the two servers and that works great, however now I 
 have an unusual need to proxy auth/acct radius traffic to non standard ports 
 and I'm unsure how (or even it's even possible) to setup a new realm which is 
 based on destination port for instance.

  Read raddb/proxy.conf.  Look for port.  This is documented.

 - NOTE: Traffic coming into freeradius on 1815/1816 will be sent to this Alt 
 realm... 

  Set up a virtual server to handle requests sent to those ports.  See 
raddb/sites-available/README

 I am just wondering if this is possible. Or if I would need to setup another 
 instance of freeradius with its own configuration to do this alternative 
 ports setup. 

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Reals Based Upon Port

2010-08-18 Thread Brian Carpio
Hi,

Currently I am using freeradius2-2.1.8-2 to load balance radius traffic between 
two hosts. I have a single realm DEFAULT set up which proxies the radius traffic 
between the two servers and that works great; however, now I have an unusual 
need to proxy auth/acct radius traffic to non-standard ports and I'm unsure how 
(or if it's even possible) to set up a new realm which is based on destination 
port, for instance.

Default Server 1
- Auth/Acct
- Port 1812,1813

Default Server 2
- Auth/Acct
- Port 1812,1813

Pool Default
- Default Server 1
- Default Server 2

Realm Default
- Pool Default
- NOTE: Traffic coming into freeradius on the standard 1812/1813 ports will be 
sent to this default realm (which I have working perfectly now)

 Up to this point I have it all working 

Alt Server 1
- Auth/Acct
- Port 1815/1816

Alt Server 2
- Auth/Acct
- Port 1815/1816

Pool Alt
- Alt Server 1
- Alt Server 2

Realm Alt
- Pool Alt
- NOTE: Traffic coming into freeradius on 1815/1816 will be sent to this Alt 
realm... 

I am just wondering if this is possible. Or if I would need to setup another 
instance of freeradius with its own configuration to do this alternative ports 
setup. 

Thanks a lot!



   

Brian Carpio 
Senior Systems Engineer

Office: +1.303.962.7242
Mobile: +1.720.319.8617
Email: bcar...@broadhop.com


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reals Based Upon Port

2010-08-18 Thread Alan DeKok
Brian Carpio wrote:
 Currently I am using freeradius2-2.1.8-2 to load balance radius traffic 
 between two hosts, I have a single realm DEFAULT setup which proxies the 
 radius traffic between the two servers and that works great, however now I 
 have an unusual need to proxy auth/acct radius traffic to non standard ports 
 and I'm unsure how (or even it's even possible) to setup a new realm which is 
 based on destination port for instance.

  Read raddb/proxy.conf.  Look for port.  This is documented.

 - NOTE: Traffic coming into freeradius on 1815/1816 will be sent to this Alt 
 realm... 

  Set up a virtual server to handle requests sent to those ports.  See
raddb/sites-available/README

 I am just wondering if this is possible. Or if I would need to setup another 
 instance of freeradius with its own configuration to do this alternative 
 ports setup. 

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html