[RADIATOR] 100% load 1 cpu core
Hello List!

After installing Radiator on the test server, I have a problem: one CPU core is at 100% load while the others are unused.

Screenshot http://i.imgur.com/eQjK5k8.png

radius.cfg

# Listen for addresses using default ports
BindAddress ::,0.0.0.0
#BindV6Only
AuthPort 1645,1820
AcctPort 1646,1821

# Uncomment these for foreground debugging
#Foreground
#LogStdout

User radiator
Group radiator

DbDir /etc/radiator
DictionaryFile /etc/radiator/dictionary
LogDir /var/log/radiator
LogFile %L/radiator-log-%Y-%m
PidFile /var/run/radiator/radiusd.pid

# Don't turn this up too high, since all log messages are logged
# to the RADMESSAGES table in the database. 3 will give you everything
# except debugging messages
Trace 2

# You will probably want to change this to suit your site.
# You should list all the clients you have, and their secrets
# If you are using the Radmin Clients table, you will probably
# want to disable this.
Identifier Client-DEFAULT
Secret 12345
DupInterval 0
RejectHasReason

Host 192.168.144.3
Secret 12345
AuthPort 1820
AcctPort 1821
RejectHasReason

--
With regards, Alexander Yakunin
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers
Hello Hugh.

I found your script in the mailing list.
http://www.open.com.au/pipermail/radiator/2010-March/016160.html
It works for me. Thanks for the help!

2016-01-18 16:33 GMT+03:00 SinTeZ Wh1te <sintezwh...@gmail.com>:

> Hello Hugh.
>
> The second AuthBy clause does not send a reply to the NAS.
>
> radius.cfg
> ---
>
> Identifier Primary
> Host 10.0.6.151
> Secret 123456
> AuthPort 1812
> AcctPort 1813
> ReplyHook file:"/etc/radiator/AccessReject"
>
> Identifier Secondary
> Host 10.0.6.152
> Secret 123456
> AuthPort 1812
> AcctPort 1813
>
> AuthBy Primary
>
> ---
>
> /etc/radiator/AccessReject
>
> sub
> {
>     my $p = ${$_[0]}; # proxy reply packet
>     my $rp = ${$_[1]}; # reply packet to NAS
>     my $op = ${$_[2]}; # original request packet
>     my $sp = ${$_[3]}; # packet sent to proxy
>     my $code = $p->code;
>     return unless $code eq 'Access-Reject';
>     if($code eq 'Access-Reject'){
>         my $authby = Radius::AuthGeneric::find('Secondary');
>         if (defined $authby)
>         {
>             my ($rc, $reason) = $authby->handle_request($op, $rp);
>             if ($rc == 2)
>             {
>                 $op->{RadiusResult} = $main::IGNORE;
>             }
>         }
>         return;
>     }
> }
> -
>
> #tshark -i eth0 port 1812 -w /opt/radius.pcap
>
> Screenshot Wireshark
>
> http://i.imgur.com/StKAJ18.png
>
> 10.0.6.13 - NAS
> 10.0.6.150 - Radiator
> 10.0.6.151 - Primary RADIUS
> 10.0.6.152 - Secondary RADIUS
>
> After 10.0.6.152 sends Access-Accept, Radiator does nothing.
>
>
> 2016-01-18 13:29 GMT+03:00 Hugh Irvine <h...@open.com.au>:
>
>>
>> Hello -
>>
>> You don’t have to do anything - the second AuthBy RADIUS clause will send the reply to the NAS.
>>
>> If you want to do more than that you will also need a ReplyHook in the second AuthBy RADIUS clause.
>>
>> regards
>>
>> Hugh
>>
>>
>> > On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
>> >
>> > Hello Hugh!
>> >
>> > > Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
>> >
>> > If the hook code does not see the result, how can I check what I received in reply from the second RADIUS server?
>> >
>> > What my boss needs:
>> > 1) The NAS sends an Access-Request to Radiator
>> > 2) Radiator re-sends the Access-Request to the primary RADIUS server
>> > 3) If the primary server replies with Access-Reject with attribute Reply-Message = 1, Radiator re-sends the Access-Request to the secondary RADIUS server. If Reply-Message > 1, it sends Access-Reject to the NAS.
>> > 4) After the secondary server replies, Radiator sends the reply to the NAS
>> >
>> > Does the reply hook do this?
>> >
>> > 2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:
>> >
>> > Hello -
>> >
>> > The first thing to understand is that the AuthBy RADIUS clause(s) operate asynchronously.
>> >
>> > The hook code in your first AuthBy RADIUS clause will only execute when the response is received for that clause.
>> >
>> > When the hook code calls the second AuthBy RADIUS clause it will exit without waiting.
>> >
>> > As shown in the example, your hook code needs to alter the response.
>> >
>> > In this case you would change the response to IGNORE which will allow the second AuthBy RADIUS clause to execute and return its result.
>> >
>> >
>> > …..
>> >
>> > $op->{RadiusResult} = $main::IGNORE;
>> >
>> > …..
>> >
>> > Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
>> >
>> > hope that helps
>> >
>> > regards
>> >
>> > Hugh
>> >
>> >
>> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
>> > >
>> > > Thanks Hugh and Heikki!!!
>> > >
>> > > How can I get the RADIUS reply packet from the secondary server in the hook script???
>> > > Radiator sends Access-Reject before the secondary server replies.
>> > >
>> > >
>> > > radius.cfg
>> > > ...
>> > >
>> > > Identifier Primary
>> > > Host 10.0.6.151
>> > > Secret 123456
>> > > AuthPort 1812
>> > > AcctPort 1813
>> > > ReplyHook fi
Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers
Hello Hugh!

> Again note that your hook code will not see the result of the second AuthBy RADIUS clause.

If the hook code does not see the result, how can I check what I received in reply from the second RADIUS server?

What my boss needs:
1) The NAS sends an Access-Request to Radiator
2) Radiator re-sends the Access-Request to the primary RADIUS server
3) If the primary server replies with Access-Reject with attribute Reply-Message = 1, Radiator re-sends the Access-Request to the secondary RADIUS server. If Reply-Message > 1, it sends Access-Reject to the NAS.
4) After the secondary server replies, Radiator sends the reply to the NAS

Does the reply hook do this?

2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:

>
> Hello -
>
> The first thing to understand is that the AuthBy RADIUS clause(s) operate asynchronously.
>
> The hook code in your first AuthBy RADIUS clause will only execute when the response is received for that clause.
>
> When the hook code calls the second AuthBy RADIUS clause it will exit without waiting.
>
> As shown in the example, your hook code needs to alter the response.
>
> In this case you would change the response to IGNORE which will allow the second AuthBy RADIUS clause to execute and return its result.
>
>
> …..
>
> $op->{RadiusResult} = $main::IGNORE;
>
> …..
>
> Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
>
> hope that helps
>
> regards
>
> Hugh
>
>
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Thanks Hugh and Heikki!!!
> >
> > How can I get the RADIUS reply packet from the secondary server in the hook script???
> > Radiator sends Access-Reject before the secondary server replies.
> >
> >
> > radius.cfg
> > ...
> >
> > Identifier Primary
> > Host 10.0.6.151
> > Secret 123456
> > AuthPort 1812
> > AcctPort 1813
> > ReplyHook file:"/etc/radiator/AccessReject"
> >
> > Identifier Secondary
> > Host 10.0.6.152
> > Secret 123456
> > AuthPort 1812
> > AcctPort 1813
> >
> > AuthBy Primary
> >
> > ...
> >
> >
> > /etc/radiator/AccessReject
> > ...
> > sub
> > {
> >     my $p = ${$_[0]}; # proxy reply packet
> >     my $rp = ${$_[1]}; # reply packet to NAS
> >     my $op = ${$_[2]}; # original request packet
> >     my $sp = ${$_[3]}; # packet sent to proxy
> >
> >     my $code = $p->code;
> >     ::log($main::LOG_DEBUG, "Code = $code");
> >     return unless $code eq 'Access-Reject';
> >
> >     if($code eq 'Access-Reject'){
> >         my $authby = Radius::AuthGeneric::find('Secondary');
> >         if (defined $authby)
> >         {
> >             ::log($main::LOG_DEBUG, "= HANDLE_REQUEST===");
> >             my ($rc, $reason) = $authby->handle_request($op, $rp);
> >             ::log($main::LOG_DEBUG, "= RC === $rc");
> >             ::log($main::LOG_DEBUG, "= REASON === $reason");
> >             if ($rc == 2)
> >             {
> >                 ::log($main::LOG_DEBUG, "= ACCEPT ===");
> >             }
> >             else
> >             {
> >                 ::log($main::LOG_DEBUG, "= REJECT ===");
> >             }
> >         }
> >         return;
> >     }
> > }
> > ...
> >
> > radiator log
> > ---
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565
> > Code: Access-Request
> > Identifier: 0
> > Authentic:1452774130
> > Attributes:
> >         User-Name = "testcoa10"
> >         User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> >         NAS-IP-Address = 10.0.6.13
> >         NAS-Port = 1
> >         NAS-Port-Id = "123"
> >         Service-Type = Framed-User
> >         Framed-Protocol = PPP
> >         Acct-Session-Id = "1"
> >         Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG
Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers
Thanks Hugh and Heikki!!!

How can I get the RADIUS reply packet from the secondary server in the hook script???
Radiator sends Access-Reject before the secondary server replies.

radius.cfg
...

Identifier Primary
Host 10.0.6.151
Secret 123456
AuthPort 1812
AcctPort 1813
ReplyHook file:"/etc/radiator/AccessReject"

Identifier Secondary
Host 10.0.6.152
Secret 123456
AuthPort 1812
AcctPort 1813

AuthBy Primary

...

/etc/radiator/AccessReject
...
sub
{
    my $p = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy

    my $code = $p->code;
    ::log($main::LOG_DEBUG, "Code = $code");
    return unless $code eq 'Access-Reject';

    if($code eq 'Access-Reject'){
        my $authby = Radius::AuthGeneric::find('Secondary');
        if (defined $authby)
        {
            ::log($main::LOG_DEBUG, "= HANDLE_REQUEST===");
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            ::log($main::LOG_DEBUG, "= RC === $rc");
            ::log($main::LOG_DEBUG, "= REASON === $reason");
            if ($rc == 2)
            {
                ::log($main::LOG_DEBUG, "= ACCEPT ===");
            }
            else
            {
                ::log($main::LOG_DEBUG, "= REJECT ===");
            }
        }
        return;
    }
}
...
radiator log
---
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Received from 10.0.6.13 port 57565
Code: Access-Request
Identifier: 0
Authentic:1452774130
Attributes:
        User-Name = "testcoa10"
        User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
        NAS-IP-Address = 10.0.6.13
        NAS-Port = 1
        NAS-Port-Id = "123"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Session-Id = "1"
        Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''
Thu Jan 14 15:22:08 2016: DEBUG: Deleting session for testcoa10, 10.0.6.13, 1
Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket ' 0.0.0.0:0' for sending requests
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.151 port 1812
Code: Access-Request
Identifier: 1
Authentic:1452774130
Attributes:
        User-Name = "testcoa10"
        User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
        NAS-IP-Address = 10.0.6.13
        NAS-Port = 1
        NAS-Port-Id = "123"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Session-Id = "1"
        Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.151:1812
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.151 port 1812
Code: Access-Reject
Identifier: 1
Authentic: <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
Attributes:
        Reply-Message = "1"

Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
Thu Jan 14 15:22:09 2016: DEBUG: = HANDLE_REQUEST===
Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.152 port 1812
Code: Access-Request
Identifier: 1
Authentic:1452774130
Attributes:
        User-Name = "testcoa10"
        User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
        NAS-IP-Address = 10.0.6.13
        NAS-Port = 1
        NAS-Port-Id = "123"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Session-Id = "1"
        Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:09 2016: DEBUG: = RC === 2
Thu Jan 14 15:22:09 2016: DEBUG: = REASON ===
Thu Jan 14 15:22:09 2016: DEBUG: = ACCEPT ===
Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.13 port 57565
Code: Access-Reject
Identifier: 0
Authentic: <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
Attributes:
        Reply-Message = "Request Denied"

Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.152:1812
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.152 port 1812
Code: Access-Accept
Identifier: 1
Authentic: T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
Attributes:
        Acct-Interim-Interval = 300
        Framed-IP-Address = 192.168.0.203

Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Send
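Added example (not part of the original thread and not Radiator code): a Python check over a Radiator trace log that flags a final reply sent to the NAS while a proxied request was still unanswered, which is the ordering the log above shows for 10.0.6.152. The sample log is abridged from the one quoted above; the function names are assumptions of this example.

```python
import re

# Abridged from the trace log quoted above: attribute and timestamp lines omitted.
SAMPLE_LOG = """\
*** Received from 10.0.6.13 port 57565
Code: Access-Request
*** Sending to 10.0.6.151 port 1812
Code: Access-Request
*** Received from 10.0.6.151 port 1812
Code: Access-Reject
*** Sending to 10.0.6.152 port 1812
Code: Access-Request
*** Sending to 10.0.6.13 port 57565
Code: Access-Reject
*** Received from 10.0.6.152 port 1812
Code: Access-Accept
"""

PEER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port \d+")
CODE = re.compile(r"^Code:\s*(\S+)")
FINAL = {"Access-Accept", "Access-Reject"}


def packet_events(log):
    """Return (direction, peer_ip, code) for each packet dump, in log order."""
    events, peer = [], None
    for line in log.splitlines():
        line = line.strip()
        m = PEER.match(line)
        if m:
            peer = ("recv" if m.group(1) == "Received from" else "send", m.group(2))
        elif peer and (m := CODE.match(line)):
            events.append((*peer, m.group(1)))
            peer = None
    return events


def early_replies(events, nas_ip):
    """Final replies sent to the NAS while a proxied request was unanswered."""
    pending, findings = set(), []
    for direction, ip, code in events:
        if direction == "send" and ip != nas_ip and code == "Access-Request":
            pending.add(ip)                      # proxied upstream, awaiting reply
        elif direction == "recv" and code in FINAL:
            pending.discard(ip)                  # upstream server answered
        elif direction == "send" and ip == nas_ip and code in FINAL and pending:
            findings.append((code, sorted(pending)))
    return findings
```

Calling `early_replies(packet_events(SAMPLE_LOG), "10.0.6.13")` reports the Access-Reject that went to the NAS while the request to 10.0.6.152 was still outstanding.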
[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers
Hello!

I want to know if it's possible to proxy auth requests in a redundant fashion. On each request, I want to proxy it to a primary server; if it succeeds, then move on. If the auth fails (Access-Reject), I need to proxy the Access-Request to a secondary server.

Is it possible?

Thanks!