Hi,
With pre3 release, I am seeing the following problem when I am testing
with proxying set up to a REALM which has two radius servers for
fail_over.
In the REALM NULL, I set up two radius servers, but I only have the
second one listed running. When a request comes in, it tries the first
one but no replies from there for 3 retries as expected. What I expect
to happen next is to send the request to the second one which is
running. However, the behavior that I see is it first marks the host
from a totally unrelated realm as dead first and then the one that did
not answer as dead. And, it did not send to the second radius server
set up. I have copied relevant sections from radiusd.conf, proxy.conf
files and also the debug run output of what I just described.
Radiusd.conf
-------------
realm suffix {
    format = suffix
    delimiter = @
    ignore_default = yes
    ignore_null = no
}
And, I have suffix listed in authorize and preacct sections.
Proxy.conf
-----------
realm engineering.verniernetworks.com {
    type = radius
    authhost = 192.168.10.43:1812
    accthost = 192.168.10.43:1813
    secret = vernier
    ldflag = fail_over
    nostrip
}
realm NULL {
    type = radius
    authhost = 192.168.10.43:1812
    accthost = 192.168.10.43:1813
    secret = vernier
    ldflag = fail_over
    nostrip
}
realm NULL {
    type = radius
    authhost = 192.168.10.43:2004
    accthost = 192.168.10.43:2005
    secret = vernier
    ldflag = fail_over
    nostrip
}
Debug Run log:
---------------
rad_recv: Access-Request packet from host 192.168.10.113:1026, id=104, length=201
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Framed-MTU = 1466
NAS-IP-Address = 192.168.10.113
NAS-Identifier = "D-link Corp. Access Point"
User-Name = "user_1"
Service-Type = Framed-User
NAS-Port = 65
NAS-Port-Type = Wireless-802.11
NAS-Port-Id = "ether2_65"
Called-Station-Id = "00-05-5d-99-5f-3a"
Calling-Station-Id = "00-30-65-24-4c-5b"
Connect-Info = "CONNECT Ethernet 0Mbps Full duplex"
EAP-Message = 0x0202000b01757365725f31
Message-Authenticator = 0x004068846052c8bf92b6db7610fdf43d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_realm: No '@' in User-Name = "user_1", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Proxying request from user user_1 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 0
radius_xlat: '/var/log/radius//auth-detail-20040707'
rlm_detail: /var/log/radius/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius//auth-detail-20040707
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_eap: Request is supposed to be proxied to Realm NULL. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
xmlrpcAuthorize called.
FRXmlRpcModule::authorize called.
FRXmlRpcModule::authorize vpUsername found.
Proxying is turned on.
modcall[authorize]: module "xmlrpc" returns noop for request 0
modcall: group authorize returns updated for request 0
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
radius_xlat: '/var/log/radius//pre-proxy-detail-20040707'
rlm_detail: /var/log/radius/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius//pre-proxy-detail-20040707
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 0 to 192.168.10.43:1812
Framed-MTU = 1466
NAS-IP-Address = 192.168.10.113
NAS-Identifier = "D-link Corp. Access Point"
User-Name = "user_1"
Service-Type = Framed-User
NAS-Port = 65
NAS-Port-Type = Wireless-802.11
NAS-Port-Id = "ether2_65"
Called-Station-Id = "00-05-5d-99-5f-3a"
Calling-Station-Id = "00-30-65-24-4c-5b"
Connect-Info = "CONNECT Ethernet 0Mbps Full duplex"
EAP-Message = 0x0202000b01757365725f31
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313034
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.10.113:1026, id=104, length=201
Ignoring duplicate packet from client DLink-7000AP:1026 - ID: 104, due to outstanding proxied request 0.
--- Walking the entire request list ---
Re-sending Access-Request of id 0 to 192.168.10.43:1812
Framed-MTU = 1466
NAS-IP-Address = 192.168.10.113
NAS-Identifier = "D-link Corp. Access Point"
User-Name = "user_1"
Service-Type = Framed-User
NAS-Port = 65
NAS-Port-Type = Wireless-802.11
NAS-Port-Id = "ether2_65"
Called-Station-Id = "00-05-5d-99-5f-3a"
Calling-Station-Id = "00-30-65-24-4c-5b"
Connect-Info = "CONNECT Ethernet 0Mbps Full duplex"
EAP-Message = 0x0202000b01757365725f31
Message-Authenticator = 0x00000000000000000000000000000000
Realm = "NULL"
EAP-Type = Identity
Realm = "NULL"
Proxy-State = 0x313034
Waking up in 5 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 0 to 192.168.10.43:1812
Framed-MTU = 1466
NAS-IP-Address = 192.168.10.113
NAS-Identifier = "D-link Corp. Access Point"
User-Name = "user_1"
Service-Type = Framed-User
NAS-Port = 65
NAS-Port-Type = Wireless-802.11
NAS-Port-Id = "ether2_65"
Called-Station-Id = "00-05-5d-99-5f-3a"
Calling-Station-Id = "00-30-65-24-4c-5b"
Connect-Info = "CONNECT Ethernet 0Mbps Full duplex"
EAP-Message = 0x0202000b01757365725f31
Message-Authenticator = 0x00000000000000000000000000000000
Realm = "NULL"
EAP-Type = Identity
Realm = "NULL"
Proxy-State = 0x313034
Waking up in 5 seconds...
--- Walking the entire request list ---
Server rejecting request 0.
marking authentication server 192.168.10.43:1812 for realm engineering.verniernetworks.com dead
marking authentication server 192.168.10.43:1812 for realm NULL dead
Waking up in 0 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 104 to 192.168.10.113:1026
Cleaning up request 0 ID 104 with timestamp 40ec4c8b
Nothing to do. Sleeping until we see a request.
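
A triage sketch for the situation reported above, added here as an example (it is not part of the original message and is not FreeRADIUS code): it reads realm entries in the proxy.conf syntax shown in the post and compares each realm's configured authhost values with the proxy destinations and "dead" markings in the debug output. The sample input is constructed by abridging the post's config and log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the post's proxy.conf and debug output, abridged.
PROXY_CONF = """
realm engineering.verniernetworks.com {
    authhost = 192.168.10.43:1812
    ldflag = fail_over
}
realm NULL {
    authhost = 192.168.10.43:1812
    ldflag = fail_over
}
realm NULL {
    authhost = 192.168.10.43:2004
    ldflag = fail_over
}
"""
DEBUG_LOG = """
rlm_realm: Proxying request from user user_1 to realm NULL
Sending Access-Request of id 0 to 192.168.10.43:1812
Re-sending Access-Request of id 0 to 192.168.10.43:1812
Re-sending Access-Request of id 0 to 192.168.10.43:1812
marking authentication server 192.168.10.43:1812 for realm engineering.verniernetworks.com dead
marking authentication server 192.168.10.43:1812 for realm NULL dead
Sending Access-Reject of id 104 to 192.168.10.113:1026
"""

def auth_hosts(conf):
    """Map realm name -> authhost values in file order (repeated blocks append)."""
    realms = defaultdict(list)
    for name, body in re.findall(r"realm\s+(\S+)\s*\{(.*?)\}", conf, re.S):
        m = re.search(r"^\s*authhost\s*=\s*(\S+)", body, re.M)
        if m:
            realms[name].append(m.group(1))
    return dict(realms)

def triage(conf, log, realm):
    """Compare configured servers for `realm` with what the debug log shows."""
    hosts = auth_hosts(conf)
    # Destinations of first sends and retransmissions of proxied requests.
    tried = set(re.findall(r"(?:Re-s|S)ending Access-Request of id \d+ to (\S+)", log))
    dead = defaultdict(list)
    for host, r in re.findall(r"marking authentication server (\S+) for realm (\S+) dead", log):
        dead[host].append(r)
    # For each server marked dead, every realm whose config lists that host:port.
    shared = {h: sorted(r for r, hs in hosts.items() if h in hs) for h in dead}
    return {"never_tried": [h for h in hosts.get(realm, []) if h not in tried],
            "dead": dict(dead),
            "shared": {h: rs for h, rs in shared.items() if len(rs) > 1}}
```

On this input, `triage(PROXY_CONF, DEBUG_LOG, "NULL")` reports 192.168.10.43:2004 as configured but never tried, and shows that the host:port marked dead is listed under both realm names in proxy.conf.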