[RADIATOR] 100% load 1 cpu core

2016-02-02 Thread SinTeZ Wh1te
Hello List!

After installing Radiator on the test server, I have a problem: one CPU core
is at 100% load while the others are unused.

Screenshot
http://i.imgur.com/eQjK5k8.png

radius.cfg


# Listen for addresses using default ports
BindAddress ::,0.0.0.0
#BindV6Only

AuthPort 1645,1820
AcctPort 1646,1821

# Uncomment these for foreground debugging
#Foreground
#LogStdout

User    radiator
Group   radiator

DbDir   /etc/radiator
DictionaryFile  /etc/radiator/dictionary
LogDir  /var/log/radiator
LogFile %L/radiator-log-%Y-%m
PidFile /var/run/radiator/radiusd.pid

# Don't turn this up too high, since all log messages are logged
# to the RADMESSAGES table in the database. 3 will give you everything
# except debugging messages
Trace 2

# You will probably want to change this to suit your site.
# You should list all the clients you have, and their secrets
# If you are using the Radmin Clients table, you will probably
# want to disable this.

Identifier Client-DEFAULT
Secret 12345
DupInterval 0




RejectHasReason

Host 192.168.144.3
Secret 12345
AuthPort 1820
AcctPort 1821
RejectHasReason





-- 
With regards,
Alexander Yakunin
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-19 Thread SinTeZ Wh1te
Hello Hugh.

I found your script in the mailing list.
http://www.open.com.au/pipermail/radiator/2010-March/016160.html

It works for me.

Thanks for the help!


2016-01-18 16:33 GMT+03:00 SinTeZ Wh1te <sintezwh...@gmail.com>:

> Hello Hugh.
>
> The second AuthBy clause does not send a reply to the NAS.
>
> radius.cfg
> ---
> 
> Identifier Primary
> Host 10.0.6.151
> Secret 123456
> AuthPort 1812
> AcctPort 1813
> ReplyHook file:"/etc/radiator/AccessReject"
> 
>
> 
> Identifier Secondary
> Host 10.0.6.152
> Secret 123456
> AuthPort 1812
> AcctPort 1813
> 
>
> 
> AuthBy Primary
> 
> ---
>
> /etc/radiator/AccessReject
> 
> sub
> {
>     my $p = ${$_[0]};  # proxy reply packet
>     my $rp = ${$_[1]}; # reply packet to NAS
>     my $op = ${$_[2]}; # original request packet
>     my $sp = ${$_[3]}; # packet sent to proxy
>     my $code = $p->code;
>     return unless $code eq 'Access-Reject';
>     if ($code eq 'Access-Reject') {
>         my $authby = Radius::AuthGeneric::find('Secondary');
>         if (defined $authby)
>         {
>             my ($rc, $reason) = $authby->handle_request($op, $rp);
>             if ($rc == 2)
>             {
>                 $op->{RadiusResult} = $main::IGNORE;
>             }
>         }
>         return;
>     }
> }
> -
>
>
> #tshark -i eth0 port 1812 -w /opt/radius.pcap
>
> Screenshot Wireshark
>
> http://i.imgur.com/StKAJ18.png
>
> 10.0.6.13 - NAS
> 10.0.6.150 - Radiator
> 10.0.6.151 - Primary RADIUS
> 10.0.6.152 - Secondary RADIUS
>
> After 10.0.6.152 sends Access-Accept, Radiator does nothing.
>
>
> 2016-01-18 13:29 GMT+03:00 Hugh Irvine <h...@open.com.au>:
>
>>
>> Hello -
>>
>> You don’t have to do anything - the second AuthBy RADIUS clause will send
>> the reply to the NAS.
>>
>> If you want to do more than that you will also need a ReplyHook in the
>> second AuthBy RADIUS clause.
>>
>> regards
>>
>> Hugh
>>
>>
>> > On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
>> >
>> > Hello Hugh!
>> >
>> > > Again note that your hook code will not see the result of the second
>> > > AuthBy RADIUS clause.
>> >
>> > If the hook code does not see the result, how can I check what I
>> > received in the reply from the second RADIUS server?
>> >
>> > What my boss needs:
>> > 1) The NAS sends an Access-Request to Radiator.
>> > 2) Radiator re-sends the Access-Request to the primary RADIUS server.
>> > 3) If the primary server replies with Access-Reject with attribute
>> > Reply-Message = 1, Radiator re-sends the Access-Request to the secondary
>> > RADIUS server. If Reply-Message > 1, it sends Access-Reject to the NAS.
>> > 4) After the secondary server replies, Radiator sends the reply to the NAS.
>> >
>> > Can a reply hook do this?
>> >
>> > 2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:
>> >
>> > Hello -
>> >
>> > The first thing to understand is that the AuthBy RADIUS clause(s)
>> > operate asynchronously.
>> >
>> > The hook code in your first AuthBy RADIUS clause will only execute when
>> > the response is received for that clause.
>> >
>> > When the hook code calls the second AuthBy RADIUS clause it will exit
>> > without waiting.
>> >
>> > As shown in the example, your hook code needs to alter the response.
>> >
>> > In this case you would change the response to IGNORE which will allow
>> > the second AuthBy RADIUS clause to execute and return its result.
>> >
>> >
>> > …..
>> >
>> > $op->{RadiusResult} = $main::IGNORE;
>> >
>> > …..
>> >
>> > Again note that your hook code will not see the result of the second
>> > AuthBy RADIUS clause.
>> >
>> > hope that helps
>> >
>> > regards
>> >
>> > Hugh
>> >
>> >
>> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
>> > >
>> > > Thanks, Hugh and Heikki!!!
>> > >
>> > > How can I get the RADIUS reply packet from the secondary server in the
>> > > hook script???
>> > > Radiator sends Access-Reject before the secondary server replies.
>> > >
>> > >
>> > > radius.cfg
>> > > ...
>> > > 
>> > >   Identifier Primary
>> > >   Host 10.0.6.151
>> > >   Secret 123456
>> > >   AuthPort 1812
>> > >   AcctPort 1813
>> > >   ReplyHook fi

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-17 Thread SinTeZ Wh1te
Hello Hugh!

> Again note that your hook code will not see the result of the second
> AuthBy RADIUS clause.

If the hook code does not see the result, how can I check what I received in
the reply from the second RADIUS server?

What my boss needs:
1) The NAS sends an Access-Request to Radiator.
2) Radiator re-sends the Access-Request to the primary RADIUS server.
3) If the primary server replies with Access-Reject with attribute
Reply-Message = 1, Radiator re-sends the Access-Request to the secondary
RADIUS server. If Reply-Message > 1, it sends Access-Reject to the NAS.
4) After the secondary server replies, Radiator sends the reply to the NAS.

Can a reply hook do this?

2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:

>
> Hello -
>
> The first thing to understand is that the AuthBy RADIUS clause(s) operate
> asynchronously.
>
> The hook code in your first AuthBy RADIUS clause will only execute when
> the response is received for that clause.
>
> When the hook code calls the second AuthBy RADIUS clause it will exit
> without waiting.
>
> As shown in the example, your hook code needs to alter the response.
>
> In this case you would change the response to IGNORE which will allow the
> second AuthBy RADIUS clause to execute and return its result.
>
>
> …..
>
> $op->{RadiusResult} = $main::IGNORE;
>
> …..
>
> Again note that your hook code will not see the result of the second
> AuthBy RADIUS clause.
>
> hope that helps
>
> regards
>
> Hugh
>
>
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Thanks, Hugh and Heikki!!!
> >
> > How can I get the RADIUS reply packet from the secondary server in the
> > hook script???
> > Radiator sends Access-Reject before the secondary server replies.
> >
> >
> > radius.cfg
> > ...
> > 
> >   Identifier Primary
> >   Host 10.0.6.151
> >   Secret 123456
> >   AuthPort 1812
> >   AcctPort 1813
> >   ReplyHook file:"/etc/radiator/AccessReject"
> > 
> >
> > 
> >   Identifier Secondary
> >   Host 10.0.6.152
> >   Secret 123456
> >   AuthPort 1812
> >   AcctPort 1813
> > 
> >
> > 
> >   AuthBy Primary
> > 
> > ...
> >
> >
> > /etc/radiator/AccessReject
> > ...
> > sub
> > {
> >     my $p = ${$_[0]};  # proxy reply packet
> >     my $rp = ${$_[1]}; # reply packet to NAS
> >     my $op = ${$_[2]}; # original request packet
> >     my $sp = ${$_[3]}; # packet sent to proxy
> >
> >     my $code = $p->code;
> >     ::log($main::LOG_DEBUG, "Code = $code");
> >     return unless $code eq 'Access-Reject';
> >
> >     if ($code eq 'Access-Reject') {
> >         my $authby = Radius::AuthGeneric::find('Secondary');
> >         if (defined $authby)
> >         {
> >             ::log($main::LOG_DEBUG, "= HANDLE_REQUEST===");
> >             my ($rc, $reason) = $authby->handle_request($op, $rp);
> >             ::log($main::LOG_DEBUG, "= RC === $rc");
> >             ::log($main::LOG_DEBUG, "= REASON === $reason");
> >             if ($rc == 2)
> >             {
> >                 ::log($main::LOG_DEBUG, "= ACCEPT ===");
> >             }
> >             else
> >             {
> >                 ::log($main::LOG_DEBUG, "= REJECT ===");
> >             }
> >         }
> >         return;
> >     }
> > }
> > ...
> >
> > radiator log
> > ---
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565 
> > Code:   Access-Request
> > Identifier: 0
> > Authentic:  1452774130
> > Attributes:
> >   User-Name = "testcoa10"
> >   User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> >   NAS-IP-Address = 10.0.6.13
> >   NAS-Port = 1
> >   NAS-Port-Id = "123"
> >   Service-Type = Framed-User
> >   Framed-Protocol = PPP
> >   Acct-Session-Id = "1"
> >   Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-14 Thread SinTeZ Wh1te
Thanks, Hugh and Heikki!!!

How can I get the RADIUS reply packet from the secondary server in the hook
script???
Radiator sends Access-Reject before the secondary server replies.


radius.cfg
...

Identifier Primary
Host 10.0.6.151
Secret 123456
AuthPort 1812
AcctPort 1813
ReplyHook file:"/etc/radiator/AccessReject"



Identifier Secondary
Host 10.0.6.152
Secret 123456
AuthPort 1812
AcctPort 1813



AuthBy Primary

...


/etc/radiator/AccessReject
...
sub
{
    my $p = ${$_[0]};  # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy
    my $code = $p->code;
    ::log($main::LOG_DEBUG, "Code = $code");
    return unless $code eq 'Access-Reject';
    if ($code eq 'Access-Reject') {
        my $authby = Radius::AuthGeneric::find('Secondary');
        if (defined $authby)
        {
            ::log($main::LOG_DEBUG, "= HANDLE_REQUEST===");
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            ::log($main::LOG_DEBUG, "= RC === $rc");
            ::log($main::LOG_DEBUG, "= REASON === $reason");
            if ($rc == 2)
            {
                ::log($main::LOG_DEBUG, "= ACCEPT ===");
            }
            else
            {
                ::log($main::LOG_DEBUG, "= REJECT ===");
            }
        }
        return;
    }
}
...

radiator log
---
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Received from 10.0.6.13 port 57565 
Code:   Access-Request
Identifier: 0
Authentic:  1452774130
Attributes:
User-Name = "testcoa10"
User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
NAS-IP-Address = 10.0.6.13
NAS-Port = 1
NAS-Port-Id = "123"
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "1"
Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '',
Identifier ''
Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10,
10.0.6.13, 1
Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '
0.0.0.0:0' for sending requests
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.151 port 1812 
Code:   Access-Request
Identifier: 1
Authentic:  1452774130
Attributes:
User-Name = "testcoa10"
User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
NAS-IP-Address = 10.0.6.13
NAS-Port = 1
NAS-Port-Id = "123"
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "1"
Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1
from 10.0.6.151:1812
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.151 port 1812 
Code:   Access-Reject
Identifier: 1
Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
Attributes:
Reply-Message = "1"

Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
Thu Jan 14 15:22:09 2016: DEBUG: = HANDLE_REQUEST===
Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.152 port 1812 
Code:   Access-Request
Identifier: 1
Authentic:  1452774130
Attributes:
User-Name = "testcoa10"
User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
NAS-IP-Address = 10.0.6.13
NAS-Port = 1
NAS-Port-Id = "123"
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "1"
Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:09 2016: DEBUG: = RC === 2
Thu Jan 14 15:22:09 2016: DEBUG: = REASON ===
Thu Jan 14 15:22:09 2016: DEBUG: = ACCEPT ===
Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.13 port 57565 
Code:   Access-Reject
Identifier: 0
Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
Attributes:
Reply-Message = "Request Denied"

Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1
from 10.0.6.152:1812
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.152 port 1812 
Code:   Access-Accept
Identifier: 1
Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
Attributes:
Acct-Interim-Interval = 300
Framed-IP-Address = 192.168.0.203

Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Send
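
An added example (not part of the original post, and not Radiator code): a small Python parser over the packet-dump headers of the log above that flags the ordering described in this message, where the reply to the NAS goes out before the secondary server's reply arrives. The function names are hypothetical and the sample input is abridged from the posted log.

```python
import re

# Packet-dump headers abridged from the Radiator debug log posted above
# (timestamps and attributes omitted).
SAMPLE_LOG = """\
*** Received from 10.0.6.13 port 57565
Code:   Access-Request
*** Sending to 10.0.6.151 port 1812
Code:   Access-Request
*** Received from 10.0.6.151 port 1812
Code:   Access-Reject
*** Sending to 10.0.6.152 port 1812
Code:   Access-Request
*** Sending to 10.0.6.13 port 57565
Code:   Access-Reject
*** Received from 10.0.6.152 port 1812
Code:   Access-Accept
"""

HEADER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
CODE = re.compile(r"^Code:\s+(\S+)")

def packet_events(log_text):
    """Return [(direction, peer_ip, code)] for each packet dump, in log order."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = ("rx" if m.group(1).startswith("Received") else "tx", m.group(2))
            continue
        m = CODE.match(line)
        if m and pending:
            events.append((*pending, m.group(1)))
            pending = None
    return events

def late_upstream_replies(events, nas_ip):
    """Upstream replies that arrived after the NAS had already been answered."""
    answered, late = None, []
    for direction, peer, code in events:
        if direction == "tx" and peer == nas_ip and code != "Access-Request":
            answered = code
        elif direction == "rx" and peer != nas_ip and answered is not None:
            late.append({"sent_to_nas": answered, "from": peer, "late_code": code})
    return late

if __name__ == "__main__":
    for hit in late_upstream_replies(packet_events(SAMPLE_LOG), "10.0.6.13"):
        print(hit)
```
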

[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-11 Thread SinTeZ Wh1te
Hello!

I want to know if it's possible to proxy auth requests in a
redundant fashion.

For each request, I want to proxy it to a primary server; if it
succeeds, then move on.
If the auth fails (Access-Reject), I need to proxy the Access-Request to a
secondary server.

Is it possible?

Thanks!