Hi Craig,

Thanks for your response. I have tried to implement this but I'm going wrong somewhere. Below I will show my configuration, then the debug that shows what the server is doing.

First my 2 detail files.

modules/detail:
---------------

detail detail-radrelay {
       detailfile = ${radacctdir}/detail-combined
       detailperm = 0600
       dirperm = 0755
       locking = yes
}

detail detail-radrelay2 {
       detailfile = ${radacctdir}/detail-combined2
       detailperm = 0600
       dirperm = 0755
       locking = yes
}


Then in my accounting section I write incoming packets to both detail files.

sites-enabled/default:

accounting {
       detail-radrelay
       detail-radrelay2
}

The above then writes any incoming packets to 2 files "detail-combined" and "detail-combined2". Cool, so now I need to process one and send it to server A and process the other and send it to server B.

I already have the following which processes detail-combined and sends to server A (for all realms).

proxy.conf:
-----------

home_server copy-acct-to-home-server {
       type   = acct
       ipaddr = server.A.ip
       port   = 1813
       secret = server_A_secret
}

home_server_pool my_acct_failover {
       home_server = copy-acct-to-home-server
}

realm DEFAULT {
       acct_pool = my_acct_failover
       nostrip
}


sites-enabled/copy-acct-to-home-server:
---------------------------------------

server copy-acct-to-home-server {
       listen {
               type = detail
               filename = ${radacctdir}/detail-combined
       }
       accounting {
                  ok
       }
}


So now there is already a home_server_pool assigned to the default realm, but I continue and create a home_server entry for server B.

proxy.conf (now including home_server entry for server B):
----------------------------------------------------------

home_server copy-acct-to-home-server {
       type   = acct
       ipaddr = server.A.ip
       port   = 1813
       secret = server_A_secret
}

home_server copy-acct-to-server-B {
       type   = acct
       ipaddr = server.B.ip
       port   = 1813
       secret = server_B_secret
}

home_server_pool my_acct_failover {
       home_server = copy-acct-to-home-server
}

realm DEFAULT {
       acct_pool = my_acct_failover
       nostrip
}


And corresponding sites-enabled files.

sites-enabled/copy-acct-to-home-server:
---------------------------------------

server copy-acct-to-home-server {
       listen {
               type = detail
               filename = ${radacctdir}/detail-combined
       }
       accounting {
                  ok
       }
}

sites-enabled/copy-acct-to-server-B:
---------------------------------------

server copy-acct-to-home-server {
       listen {
               type = detail
               filename = ${radacctdir}/detail-combined2
       }
       accounting {
                  ok
       }
}


Now I fire up radiusd in debug mode and send a test packet to the server to see what it does. As the debug shows, it gets the packet, writes it to the detail-combined2. Then the listener copy-acct-to-server-B picks up the detail-combined2 and processes it, but instead of sending to server B it's sending to server A.

Fri Nov 13 09:19:57 2009 : Debug:  Module: Instantiating detail-radrelay2
Fri Nov 13 09:19:57 2009 : Debug:   detail detail-radrelay2 {
Fri Nov 13 09:19:57 2009 : Debug: detailfile = "/var/log/radius/radacct/detail-combined2"
Fri Nov 13 09:19:57 2009 : Debug:       header = "%t"
Fri Nov 13 09:19:57 2009 : Debug:       detailperm = 384
Fri Nov 13 09:19:57 2009 : Debug:       dirperm = 493
Fri Nov 13 09:19:57 2009 : Debug:       locking = yes
Fri Nov 13 09:19:57 2009 : Debug:       log_packet_header = no
Fri Nov 13 09:19:57 2009 : Debug:   }
Fri Nov 13 09:19:57 2009 : Debug:  Module: Instantiating detail-radrelay
Fri Nov 13 09:19:57 2009 : Debug:   detail detail-radrelay {
Fri Nov 13 09:19:57 2009 : Debug: detailfile = "/var/log/radius/radacct/detail-combined"
Fri Nov 13 09:19:57 2009 : Debug:       header = "%t"
Fri Nov 13 09:19:57 2009 : Debug:       detailperm = 384
Fri Nov 13 09:19:57 2009 : Debug:       dirperm = 493
Fri Nov 13 09:19:57 2009 : Debug:       locking = yes
Fri Nov 13 09:19:57 2009 : Debug:       log_packet_header = no
Fri Nov 13 09:19:57 2009 : Debug:   }
Fri Nov 13 09:19:57 2009 : Debug: including configuration file /etc/raddb/sites-enabled/copy-acct-to-radius01
Fri Nov 13 09:19:57 2009 : Debug: including configuration file /etc/raddb/sites-enabled/copy-acct-to-home-server
Fri Nov 13 09:19:57 2009 : Debug: server copy-acct-to-radius01 {
Fri Nov 13 09:19:57 2009 : Debug:  modules {
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking preacct {...} for more modules to load
Fri Nov 13 09:19:57 2009 : Debug: (Loaded rlm_realm, checking if it's valid)
Fri Nov 13 09:19:57 2009 : Debug:  Module: Linked to module rlm_realm
Fri Nov 13 09:19:57 2009 : Debug:  Module: Instantiating suffix
Fri Nov 13 09:19:57 2009 : Debug:   realm suffix {
Fri Nov 13 09:19:57 2009 : Debug:       format = "suffix"
Fri Nov 13 09:19:57 2009 : Debug:       delimiter = "@"
Fri Nov 13 09:19:57 2009 : Debug:       ignore_default = no
Fri Nov 13 09:19:57 2009 : Debug:       ignore_null = no
Fri Nov 13 09:19:57 2009 : Debug:   }
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking accounting {...} for more modules to load
Fri Nov 13 09:19:57 2009 : Debug:  } # modules
Fri Nov 13 09:19:57 2009 : Debug: } # server
Fri Nov 13 09:19:57 2009 : Debug: server copy-acct-to-home-server {
Fri Nov 13 09:19:57 2009 : Debug:  modules {
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking preacct {...} for more modules to load
Fri Nov 13 09:19:57 2009 : Debug: Module: Checking accounting {...} for more modules to load
Fri Nov 13 09:19:57 2009 : Debug:  } # modules
Fri Nov 13 09:19:57 2009 : Debug: } # server
Fri Nov 13 09:19:57 2009 : Debug: Listening on detail file /var/log/radius/radacct/detail-combined2 as server copy-acct-to-radius01
Fri Nov 13 09:19:57 2009 : Debug: Listening on detail file /var/log/radius/radacct/detail-combined as server copy-acct-to-home-server
Fri Nov 13 09:19:58 2009 : Debug: Polling for detail file /var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:58 2009 : Debug: Polling for detail file /var/log/radius/radacct/detail-combined
rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx port 40660, id=2, length=273
       User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: ++[preprocess] returns ok
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] expand: /var/log/radius/radacct/detail-combined -> /var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] /var/log/radius/radacct/detail-combined expands to /var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] Acquired filelock, tried 1 time(s)
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] expand: %t -> Fri Nov 13 09:19:59 2009
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay] Released filelock
Fri Nov 13 09:19:59 2009 : Info: ++[detail-radrelay] returns ok
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] expand: /var/log/radius/radacct/detail-combined2 -> /var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] /var/log/radius/radacct/detail-combined2 expands to /var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] Acquired filelock, tried 1 time(s)
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] expand: %t -> Fri Nov 13 09:19:59 2009
Fri Nov 13 09:19:59 2009 : Info: [detail-radrelay2] Released filelock
Fri Nov 13 09:19:59 2009 : Info: ++[detail-radrelay2] returns ok
Sending Accounting-Response of id 2 to xxx.xxx.xxx.xxx port 40660
       Proxy-State = 0x313433
Fri Nov 13 09:19:59 2009 : Info: Finished request 0.
Fri Nov 13 09:19:59 2009 : Info: Cleaning up request 0 ID 2 with timestamp +2
Fri Nov 13 09:19:59 2009 : Debug: Going to the next request


So by this point the request has been written to both detail-combined files, excellent. Now:


Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file /var/log/radius/radacct/detail-combined
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming /var/log/radius/radacct/detail-combined -> /var/log/radius/radacct/detail-combined.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined.work
       User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-A {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-A
Fri Nov 13 09:19:59 2009 : Info: WARNING: Empty section. Using default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813
       User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: Proxying request 2 to home server server_ip_A port 1813
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813
       User-Name = "u...@realm"
rad_recv: Accounting-Response packet from host ip_address_of_server_A port 1813, id=121, length=32
       Proxy-State = 0x313438
       Proxy-State = 0x3137383533


Ok so sending to server A worked correctly. Now:


Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file /var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming /var/log/radius/radacct/detail-combined2 -> /var/log/radius/radacct/detail-combined2.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined2.work
       User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-B {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-B
Fri Nov 13 09:19:59 2009 : Info: WARNING: Empty section. Using default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813

You can see from the line above that it is sending this request to server A as well. This is where I'm getting stuck :(

Any pointers, suggestions, examples appreciated as always.

Thanks again,
Patric











Craig Campbell wrote:
Re: "Do I need a second site-enable/copy-acct-to-home-server1 file that reads from a different detail file?"

As far as I can tell (and have done) - Yes, you do.

Cheers,
-craig

----- Original Message -----
From: "Patric" <[email protected]>
To: "FreeRadius users mailing list" <[email protected]>
Sent: Thursday, November 12, 2009 9:50 AM
Subject: Proxy to multiple servers in FR 2.1.7


Hi again all :)

I am attempting to proxy all accounting packets to 2 servers.
In my proxy.conf I am using a default realm.

realm DEFAULT {
        acct_pool       = my_acct_failover
        nostrip
}

I create a home_server entry for each server, and add them to the home_server_pool for that realm:

home_server copy-acct-to-home-server {
}

home_server copy-acct-to-home-server2 {
}

home_server_pool my_acct_failover {
        home_server = copy-acct-to-home-server
        home_server = copy-acct-to-home-server2
}

If I have site-enable/copy-acct-to-home-server it then appears to work in a fail-over method, where it will send to the first server until it is not reachable, then it sends to the second server.

Is there a way I can configure this to send to both at once? Do I need a second site-enable/copy-acct-to-home-server1 file that reads from a different detail file?

I am using the default realm so I don't know how to set up a second home_server_pool either...

Any help is much appreciated, I'm going in circles :)
Many thanks
Patric
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
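
An added example, not part of the original messages and not FreeRADIUS code: a small Python check run over the second proxy.conf exactly as posted in the thread (blank lines dropped), reporting which home servers each realm's acct_pool can reach and which home_server entries no pool references. The parser is a simplification that assumes only flat `key = value` blocks like the ones shown here.

```python
import re

# proxy.conf as posted above; addresses and secrets are the poster's placeholders.
PROXY_CONF = """
home_server copy-acct-to-home-server {
       type   = acct
       ipaddr = server.A.ip
       port   = 1813
       secret = server_A_secret
}
home_server copy-acct-to-server-B {
       type   = acct
       ipaddr = server.B.ip
       port   = 1813
       secret = server_B_secret
}
home_server_pool my_acct_failover {
       home_server = copy-acct-to-home-server
}
realm DEFAULT {
       acct_pool = my_acct_failover
       nostrip
}
"""
BLOCK = re.compile(r"^(home_server_pool|home_server|realm)\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)
PAIR = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)", re.M)

def parse(conf):
    """Return {block kind: {block name: [(key, value), ...]}}."""
    out = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    for kind, name, body in BLOCK.findall(conf):
        out[kind][name] = PAIR.findall(body)
    return out

def acct_routes(conf):
    """Map each realm to the home servers listed in its acct_pool."""
    cfg = parse(conf)
    routes = {}
    for realm, pairs in cfg["realm"].items():
        members = cfg["home_server_pool"].get(dict(pairs).get("acct_pool"), [])
        routes[realm] = [v for k, v in members if k == "home_server"]
    return routes

def unreferenced_home_servers(conf):
    """home_server blocks that no home_server_pool lists."""
    cfg = parse(conf)
    used = {v for p in cfg["home_server_pool"].values() for k, v in p if k == "home_server"}
    return sorted(set(cfg["home_server"]) - used)
```

On the posted file, `acct_routes(PROXY_CONF)` shows realm DEFAULT reaching only `copy-acct-to-home-server`, and `unreferenced_home_servers(PROXY_CONF)` lists `copy-acct-to-server-B`, which matches the debug output where both detail listeners resolve to realm DEFAULT.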
