rlm_perl issue
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, basically:

    $var = PAN::API::UID->new( ip of server );
    $var->add( type login/logout, username, Framed-IP-Address );
    $var->submit();

which is added in the sub preacct () of the perl module... then call this in preacct {}

There are a couple of issues with this module that I am going to try and address:

1) Connections

new only instantiates an empty object, add adds the values to a hash, submit opens a TCP SSL connection, sends the hash as XML, then closes the connection.

With all the work being done in submit you have to create and tear down an SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors

If the socket set-up fails, the PAN::API module calls croak(), which on my system terminated FreeRADIUS, which seems like what would happen?

    Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = /etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket. at /etc/raddb/perl.pl line 474
    Socket setup failed

I am guessing because of all the open/close socket activity? Looks like the Windows 2008R2 server either blocked this as a suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on the object to open and close the SSL connection, then use a pattern like:

    { # Static block start
        my $object = PAN::API::UID->new( IP );
        $object->connectssl();

        sub preacct {
            $object->add( params );
            $object->submit();
        }
    }

closing the SSL would not be needed in effect as we run forever, and I wouldn't know where to place it as there is no function called on an rlm_perl module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl module? I would have thought exit(), die(), croak() etc are all bad and that returning quietly, optionally setting an error code, would be better? Then back in sub preacct () you could check the error and log with radiusd::radlog() and do a return RLM_MODULE_NOOP?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...

Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
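An added example, not code from the post or from PAN::API, of what the static-block pattern and the "return quietly and log" handling asked about above could look like together: the PAN calls are wrapped in eval so a croak() inside the module is caught and logged with radiusd::radlog() instead of propagating into radiusd. It assumes the new/add/submit calls as described in the post, the connectssl method the post proposes (hypothetical), a placeholder agent address, and the RLM_MODULE_* / L_ERR constant values from FreeRADIUS's bundled example.pl.

```perl
# Added example, not code from the original post or from PAN::API.
# Assumes PAN::API::UID->new/add/submit as described in the post plus the
# proposed connectssl method (hypothetical); constants follow example.pl.
use strict;
use warnings;
use PAN::API;

use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;
use constant L_ERR           => 4;

our %RAD_REQUEST;               # filled in by rlm_perl for each request
my $UID_AGENT = '192.0.2.10';   # constructed placeholder address

{
    # Static block: one object and one SSL session for the module's lifetime.
    my $uid;

    sub _agent {
        return $uid if $uid;
        # A croak()/die() inside PAN::API is trapped here, not passed to radiusd.
        eval {
            $uid = PAN::API::UID->new($UID_AGENT);
            $uid->connectssl();     # method proposed in the post, hypothetical
            1;
        } or do {
            radiusd::radlog(L_ERR, "PAN UID agent connect failed: $@");
            $uid = undef;
        };
        return $uid;
    }

    sub preacct {
        my $status = $RAD_REQUEST{'Acct-Status-Type'} || '';
        my $type = $status eq 'Start' ? 'login' : $status eq 'Stop' ? 'logout' : '';
        # Interim-Update, or no address to map: nothing to tell the agent.
        return RLM_MODULE_NOOP unless $type && $RAD_REQUEST{'Framed-IP-Address'};

        my $agent = _agent() or return RLM_MODULE_NOOP;
        eval {
            $agent->add($type, $RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'Framed-IP-Address'});
            $agent->submit();
            1;
        } or do {
            radiusd::radlog(L_ERR, "PAN UID submit failed: $@");
            $uid = undef;           # drop the session so the next record reconnects
            return RLM_MODULE_NOOP;
        };
        return RLM_MODULE_OK;
    }
}
```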
Re: rlm_perl issue
On 22/08/13 16:46, Dean, Barry wrote:
> Anyone want to throw in 2 cents/pennies worth to this?

Yep, don't do it like this.

Instead, write the user/ip entries to a file using the linelog module, and use a long-running perl process to tail the file (using File::Tail) and post them to the PAN.

This will likely be more performant and avoid the hassles of a random module interfering with FreeRADIUS.

You probably want to write a timestamp to the file, and have the long-running process ignore lines X old, in case it lags behind e.g. because it hangs, gets shutdown and restarted much later, etc.
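As an added example, not code from the reply or from FreeRADIUS, here is the long-running consumer described above: it tails the linelog output with File::Tail, discards records older than a staleness window so a lagging or restarted process never replays old mappings, and submits the rest with the PAN::API calls named in the thread. The log path, the one-record-per-line format "epoch status user framed-ip" (to be produced by a linelog configuration not shown here), the agent address and the 600 s window are all assumptions.

```perl
# Added example, not from the original reply. Consumes the timestamped
# linelog file the reply suggests; format, paths and window are assumed.
use strict;
use warnings;
use File::Tail;
use PAN::API;

my $LOGFILE   = '/var/log/freeradius/pan-uid.log';  # assumed linelog target
my $UID_AGENT = '192.0.2.10';                        # constructed placeholder
my $MAX_AGE   = 600;                                 # seconds; older lines are ignored

my %TYPE = (Start => 'login', Stop => 'logout');     # Acct-Status-Type -> PAN event

# Parse one "<epoch> <Start|Stop> <user> <ip>" line.
# Returns a hashref, or undef if the line is malformed, unmapped or too old.
sub parse_line {
    my ($line, $now) = @_;
    chomp $line;
    my ($ts, $status, $user, $ip) = split /\s+/, $line, 4;
    return undef unless defined $ip && $ts =~ /^\d+$/;
    return undef unless exists $TYPE{$status};
    return undef if $now - $ts > $MAX_AGE;            # lagging tail: stale mapping
    return undef unless $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    return { type => $TYPE{$status}, user => $user, ip => $ip };
}

# tail => 0: start at the end of the file, do not replay what is already there.
my $tail = File::Tail->new(name => $LOGFILE, maxinterval => 5, tail => 0);
while (defined(my $line = $tail->read)) {
    my $rec = parse_line($line, time) or next;
    # Per-record connection as the stock API requires, but outside radiusd:
    # a croak() here only costs this record, never the RADIUS server.
    eval {
        my $uid = PAN::API::UID->new($UID_AGENT);
        $uid->add($rec->{type}, $rec->{user}, $rec->{ip});
        $uid->submit();
        1;
    } or warn "PAN submit failed for $rec->{user}/$rec->{ip}: $@";
}
```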
rlm_perl issue...
Hi all,

I'm experiencing strange behaviour of rlm_perl module causing freeradius to be unable to start. Here is the output of `freeradius -X` (running on Debian Sarge i386, freeradius version 1.1.2):

    # freeradius -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/freeradius/proxy.conf
    Config: including file: /etc/freeradius/clients.conf
    Config: including file: /etc/freeradius/snmp.conf
    Config: including file: /etc/freeradius/eap.conf
    Config: including file: /etc/freeradius/sql.conf
     main: prefix = /usr
     main: localstatedir = /var
     main: logdir = /var/log/freeradius
     main: libdir = /usr/lib/freeradius
     main: radacctdir = /var/log/freeradius/radacct
     main: hostname_lookups = no
     main: snmp = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /var/log/freeradius/radius.log
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /var/run/freeradius/freeradius.pid
     main: user = freerad
     main: group = freerad
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/sbin/checkrad
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = no
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib/freeradius
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded perl
     perl: module = /root/bin/mymodule.pm
     perl: func_authorize = authorize
     perl: func_authenticate = authenticate
     perl: func_accounting = accounting
     perl: func_preacct = preacct
     perl: func_checksimul = checksimul
     perl: func_detach = detach
     perl: func_xlat = xlat
     perl: func_pre_proxy = pre_proxy
     perl: func_post_proxy = post_proxy
     perl: func_post_auth = post_auth
     perl: perl_flags = (null)
     perl: func_start_accounting = (null)
     perl: func_stop_accounting = (null)
    Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
     at /usr/lib/perl/5.8/Data/Dumper.pm line 27
    Compilation failed in require at /root/bin/mymodule.pm line 30.
    BEGIN failed--compilation aborted at /root/bin/mymodule.pm line 30.
    rlm_perl: perl_parse failed: /root/bin/mymodule.pm not found or has syntax errors.
    radiusd.conf[540]: perl: Module instantiation failed.
    radiusd.conf[1747] Unknown module perl.
    radiusd.conf[1746] Failed to parse authenticate section.

If I comment out the use Data::Dumper; line, freeradius starts ok, but then it does not send any attributes back to the Cisco AS5300, but only Access-Accept (or Access-Reject).

Are there any ideas where could be the problem with loading the Data::Dumper module (since I assume that not sending the attributes back is caused by commenting out the use Data::Dumper; line)?

Thanks in advance.

Sincerely,
Nikola Pavkovic
Re: rlm_perl issue...
On Wednesday 12 July 2006 13:03, Nikola Pavkovic wrote:
> Hi all,
>
> I'm experiencing strange behaviour of rlm_perl module causing freeradius to be unable to start. Here is the output of `freeradius -X` (running on Debian Sarge i386, freeradius version 1.1.2):
>
> If I comment out the use Data::Dumper; line, freeradius starts ok, but then it does not send any attributes back to the Cisco AS5300, but only Access-Accept (or Access-Reject).

Data::Dumper is used to dump data structures and has nothing to do with attributes sent back from radius. See http://wiki.freeradius.org/index.php/Rlm_perl for more information.

> Are there any ideas where could be the problem with loading the Data::Dumper module (since I assume that not sending the attributes back is caused by commenting out the use Data::Dumper; line)?
>
> Thanks in advance.
>
> Sincerely,
> Nikola Pavkovic

--
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
Re: rlm_perl issue...
On Wed, Jul 12, 2006 at 01:34:52PM +0300, Boian Jordanov wrote:
> On Wednesday 12 July 2006 13:03, Nikola Pavkovic wrote:
> > Hi all,
> > ...
>
> Data::Dumper is used to dump data structures and has nothing to do with attributes sent back from radius. See http://wiki.freeradius.org/index.php/Rlm_perl for more information.

Boian, thanks for your reply. I will look at the configuration a little more and try to find out what is causing the problem.

Sincerely,
Nikola Pavkovic