An interesting one for the list ...
We are installing a Palo Alto firewall and it has a way to pass Username/IP
mappings from FreeRADIUS to a Windows "User ID Agent", which is then queried by
the firewall.
The method employed is to use a Perl module (PAN::API), which has a simple API,
basically:
$var = PAN::API::UID->new( "ip of server" );
$var->add( "type <login/logout>", username, Framed-IP-Address );
$var->submit();
which is added in the "sub preacct ()" of the perl module...
then call this in preacct {}
There are a couple of issues with this module that I am going to try and
address:
1) Connections
"new" only instantiates an empty object
"add" adds the values to a hash
"submit" opens a TCP SSL connection, sends the hash as XML, then
closes the connection.
With all the work being done in "submit" you have to create and tear down an
SSL TCP connection for EVERY accounting record! Which is a lot at my site!
2) Errors
If the socket set-up fails, the PAN::API module calls croak(), which on
my system terminated FreeRADIUS, which seems like what would happen?
Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module =
/etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket. at
/etc/raddb/perl.pl line 474
Socket setup failed, I am guessing, because of all the open/close socket
activity? Looks like the Windows 2008R2 server either blocked this as a
suspected DOS or the agent failed to cope with this kind of TCP activity?
Obviously for problem 1, a better model would be to implement new methods on
the object to open and close the SSL connection, then use a pattern like:
{ # Static block start
    my $object = PAN::API::UID->new( "<IP>" );
    $object->connectssl();
    sub preacct {
        $object->add( <params> );
        $object->submit();
    }
}
Closing the SSL would not be needed in effect as we run "forever", and I
wouldn't know where to place it as there is no function called on an rlm_perl
module when FreeRADIUS is about to terminate, unless I am missing something.
For problem 2, are there rules about what you should not do in an rlm_perl
module? I would have thought exit(), die(), croak() etc are all bad and that
returning quietly, optionally setting an error code, would be better? Then back
in "sub preacct ()" you could check the error and log with &radiusd::radlog()
and do a "return RLM_MODULE_NOOP"?
Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?
Anyone want to throw in 2 cents/pennies worth to this?
Thanks in advance, as always, for your time ...
--------------------------------------------------------
Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
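As an added example (not Barry's code and not part of PAN::API), one way to handle problem 2 in a FreeRADIUS 2.x perl.pl: keep a single PAN::API::UID object for the life of the interpreter, wrap every call to it in eval so a croak() inside the module is logged through radiusd::radlog and turned into RLM_MODULE_NOOP instead of unwinding into the daemon, and recreate the object after a failure. The server address, the uid_agent helper and the %EVENT map are assumptions; submit() still opens and closes its own SSL connection, so problem 1 has to be fixed inside PAN::API itself.

```perl
use strict;
use warnings;
use PAN::API;

# Return codes and log levels as defined in FreeRADIUS 2.x's example perl.pl.
use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;
use constant L_DBG           => 1;
use constant L_ERR           => 4;

our %RAD_REQUEST;   # filled in by rlm_perl before each call

my $UID_SERVER = '192.0.2.10';   # placeholder: the User-ID Agent host
my $uid;                          # one object, kept for the life of the interpreter

# Only Start/Stop map onto the login/logout types PAN::API expects (assumed mapping).
my %EVENT = ( Start => 'login', Stop => 'logout' );

sub uid_agent {
    $uid ||= PAN::API::UID->new($UID_SERVER);
    return $uid;
}

sub preacct {
    my $type = $EVENT{ $RAD_REQUEST{'Acct-Status-Type'} // '' }
        or return RLM_MODULE_NOOP;   # Interim-Update, Accounting-On etc.: nothing to map
    my $user = $RAD_REQUEST{'User-Name'};
    my $ip   = $RAD_REQUEST{'Framed-IP-Address'};
    return RLM_MODULE_NOOP unless defined $user && defined $ip;

    # eval traps any croak()/die() inside PAN::API so it cannot unwind into
    # rlm_perl and take the daemon with it; $@ holds the message.
    my $ok = eval {
        my $agent = uid_agent();
        $agent->add($type, $user, $ip);
        $agent->submit();
        1;
    };
    unless ($ok) {
        (my $err = $@ || 'unknown error') =~ s/\s+$//;
        &radiusd::radlog(L_ERR, "PAN User-ID $type for $user/$ip failed: $err");
        undef $uid;                  # rebuild the object on the next record
        return RLM_MODULE_NOOP;      # return quietly; never die/exit/croak here
    }
    &radiusd::radlog(L_DBG, "PAN User-ID $type sent for $user/$ip");
    return RLM_MODULE_OK;
}

1;
```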