RE: load balancing radius with F5 devices
Hi,

Just to give some info if I can help (this mailing list has helped me a lot!). I have F5 BigIP devices in two DCs. They each have a VirtualServer with a shared IP (not activated on the VLANs used to communicate between the 2 DCs, to avoid IP conflicts; a much simpler config for the NAS: only one IP address for the server). Everything works fine with the following config.

The Virtual Server (IP is A.B.C.D, it has its public one for the external DC ...):

    ltm virtual /Common/VS-RADIUS-AUTH {
        destination /Common/A.B.C.D:1812
        ip-protocol udp
        mask 255.255.255.255
        pool /Common/POOL-RADIUS-AUTH
        profiles {
            /Common/radiusLB { }
            /Common/udp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans {
            [...]
        }
        vlans-enabled
    }

The pool used:

    ltm pool /Common/POOL-RADIUS-AUTH {
        members {
            /Common/10.10.6.7:1812 {
                address 10.10.6.7
            }
            /Common/10.20.6.3:1812 {
                address 10.20.6.3
            }
        }
        monitor /Common/Radius-Auth
    }

The monitor:

    ltm monitor radius /Common/Radius-Auth {
        debug no
        defaults-from /Common/radius
        destination *:*
        interval 30
        nas-ip-address 10.16.81.11
        password Monitor
        secret **
        time-until-up 0
        timeout 31
        username radius@domain
    }

Profile radiusLB is the following:

    ltm profile radius radiusLB {
        clients none
        persist-avp none
    }

And one other, not used but available in the default config:

    ltm profile radius radiusLB-subscriber-aware {
        defaults-from radiusLB
        subscriber-aware enabled
    }

If I look at pool statistics, each server has an equivalent volume of requests (48.1k against 48.2k).
You could play with Priority Group depending on the location or the failover architecture of RADIUS if you want.

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org] On behalf of Michael Schwartzkopff
Sent: Wednesday 9 October 2013 11:17
To: FreeRadius users mailing list
Subject: Re: load balancing radius with F5 devices

On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:

> Hi,
>
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking. As far as I'm aware (the systems section supports the F5 boxes):
>
> 1). We're using round robin to spread the load over 2 back end RADIUS servers.
>
> 2). There is some general sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an EAP dialogue will always talk to the same back end server for the duration of the sticky time. Not sure what happens when you get to the end of the time interval though.
>
> According to the F5 statistics, overall RADIUS traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing MAC and 802.1X based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in terms of how the F5 load balances incoming RADIUS requests.

You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there are no criteria in the application that a load balancer could use to balance inside the application.

Greetings,

--
Kind regards,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
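An added example, my own and not code from the thread, from F5 or from FreeRADIUS, to make Alex's observation concrete: with persistence keyed on the source address, the three wireless controllers can only ever occupy three "slots", so 6000 users ride on at most three keys and tend to land on one back end, while keying on a per-client attribute such as Calling-Station-Id spreads them and still keeps every request of one client (so one EAP conversation) on the same server. The request set, the two back-end names and the hash-modulo selection are constructed assumptions; the posted radiusLB profile shows `persist-avp none`, and this script only models the idea of attribute persistence, not how BIG-IP implements it.

```python
"""Model of source-IP persistence versus attribute persistence for RADIUS
load balancing. Added example; request data and back-end names are constructed."""
import hashlib
from collections import Counter

BACKENDS = ["radius-a", "radius-b"]  # two back-end servers, as in the thread (assumed names)


def pick_backend(key, backends=BACKENDS):
    """Deterministic choice: hash the persistence key, take it modulo the pool size.
    The same key always maps to the same back end, which is what keeps an EAP
    conversation on one server; the sticky timeout is modelled as 'forever'."""
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def distribute(requests, key_fn):
    """How many requests each back end receives when key_fn(request) is the persistence key."""
    counts = Counter(pick_backend(key_fn(r)) for r in requests)
    return {b: counts.get(b, 0) for b in BACKENDS}


def constructed_requests(n_switches=900, n_wireless_nas=3, users_per_nas=2000):
    """Constructed Access-Requests (simplified attribute dicts): one per switch, and
    users_per_nas per wireless controller, mirroring the numbers Alex quoted."""
    reqs = []
    for i in range(n_switches):
        reqs.append({
            "NAS-IP-Address": f"10.1.{i // 256}.{i % 256}",
            "User-Name": f"host{i}",
            "Calling-Station-Id": f"00-11-22-33-{i // 256:02x}-{i % 256:02x}",
        })
    for n in range(n_wireless_nas):
        for u in range(users_per_nas):
            reqs.append({
                "NAS-IP-Address": f"10.9.0.{n + 1}",
                "User-Name": f"user{n}_{u}",
                "Calling-Station-Id": f"aa-bb-cc-{n:02x}-{u // 256:02x}-{u % 256:02x}",
            })
    return reqs


def wireless_only(requests):
    """The requests that came through the three wireless controllers."""
    return [r for r in requests if r["NAS-IP-Address"].startswith("10.9.")]


def compare_persistence(requests):
    """Wireless load per back end under source-IP persistence versus persistence
    on a per-client RADIUS attribute (Calling-Station-Id here)."""
    w = wireless_only(requests)
    return {
        "by_nas_ip": distribute(w, lambda r: r["NAS-IP-Address"]),
        "by_calling_station": distribute(w, lambda r: r["Calling-Station-Id"]),
    }


if __name__ == "__main__":
    for name, dist in compare_persistence(constructed_requests()).items():
        print(name, dist)
```

Under `by_nas_ip` every count is a multiple of 2000, because each controller's whole population follows its single key; under `by_calling_station` the 6000 requests split close to evenly, and `pick_backend` still returns the same server for every packet of one client. Whatever the persistence key, the pool monitor posted above is what removes a dead back end from rotation; persistence alone does not.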
Trying to do proxy using realm and 2 VS
Hi all,

I'm currently working on a fresh FreeRADIUS 2.x install, in order to separate RADIUS auth for administrators (firewall, router and switch administration) and customer access (VPN SSL / IPsec). My first try was to rewrite all the config into virtual servers (previously, everything was written into radiusd.conf :( ).

So what I did:

    [root@server /etc/raddb]$ ll sites-enabled/
    total 0
    lrwxrwxrwx. 1 root root 33 Mar 19 12:01 administrator -> /etc/raddb/sites-available/administrator
    lrwxrwxrwx. 1 root root 43 Mar 26 18:16 customer -> /etc/raddb/sites-available/coreye_customers

These are my two VS:

    server administrator {
        # Authenticate / Authorize listener
        listen {
            ipaddr = *
            port = 1600
            type = auth
        }
        # Accounting listener
        listen {
            ipaddr = *
            port = 1601
            type = acct
        }
        [...]
    }

    server customer {
        # Authenticate / Authorize listener
        listen {
            ipaddr = *
            port = 1602
            type = auth
        }
        # Accounting listener
        listen {
            ipaddr = *
            port = 1603
            type = acct
        }
        [...]
    }

And in order to proxy, I want to forward depending on the realm (proxy.conf):

    realm .*customer$ {
        virtual_server = customer
    }
    realm .*admin$ {
        virtual_server = administrator
    }
    realm NULL {
        virtual_server = administrator
    }

But when logging into RADIUS, it works for VS administrator (login admin or user@admin), but if I try using login@customer, it's never proxied to virtual server customer. I tried different methods shown on the mailing list, but no way, it's never working...

Proxy to realm in the authorize section:

    if (Realm == customer) {
        update control {
            Proxy-To-Realm := customer
        }
    }

Not working... The request is always handled by the administrator VS. I also played with the dynamic clients example and FreeRADIUS-Client-Virtual-Server = customer, but not working again. I suspect the problem is located in my NAS MySQL table, where the server column is forced to virtual server administrator. Is there anything I missed?

What's the best solution for this kind of configuration when the NAS are stored in a MySQL DB, and some of the NAS clients could be used by different virtual servers? What is the best way to have a single RADIUS server IP, and two different virtual servers with two different sets of rules?

Thanks in advance for your help!

Fabien VINCENT
http://www.coreye.fr
No such virtual server NULL
Hi all,

I'm using FreeRADIUS to authenticate admin users on firewall / load balancer web UIs. My configuration works well, but I just tried to add a new load balancer with RADIUS auth, and I've got a strange message:

    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 10.15.50.251 port 27705, id=236, length=94
        User-Name = myuser
        User-Password = pass
        NAS-IP-Address = 10.10.10.10
        NAS-Identifier = httpd
        NAS-Port = 26680
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 192.168.0.1
    server NULL {
    No such virtual server NULL
    Invalid user: [myuser] (from client NAS-SHORTNAME port 26680 cli 192.168.0.1)
    } # server NULL
    Using Post-Auth-Type Reject
    No such virtual server NULL
    Delaying reject of request 2 for 1 seconds
    Going to the next request

What is this message? No such virtual server NULL

Why does this work for the existing configuration, while adding a new NAS to the SQL database gives this result?

Thanks in advance for your help!

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr
RE: No such virtual server NULL
-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org] On behalf of Alan DeKok
Sent: Tuesday 8 November 2011 14:37
To: FreeRadius users mailing list
Subject: Re: No such virtual server NULL

Vincent, Fabien wrote:
> What is this message? No such virtual server NULL
>
> Why does this work for the existing configuration, while adding a new NAS to the SQL database gives this result?

  Because you added the NAS in SQL, with the virtual server column containing the string NULL.

> Thanks, I've also modified my server default configuration to server mycompany and included all my rules in this server configuration (and also changed the nas server value to mycompany).

  Don't do that.

  Alan DeKok.

--
This message has been checked by MailScanner.
RE: NAS in sql and returning specific VSAs
Hi all,

I just tried using

    if(%Client-Type == 'cisco'){
        Service-Type = NAS-Prompt-User
        cisco-avpair = shell:priv-lvl=15
    }

in the post-auth or authorize section, but it doesn't work. I have the following message:

    update sections cannot have subsections

Is there any way to update the attributes sent by the RADIUS server when authenticating on a specific NAS / client?

Regards,

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

From: Vincent, Fabien
Sent: Monday 7 November 2011 10:36
To: Vincent, Fabien; freeradius-users@lists.freeradius.org
Subject: RE: NAS in sql and returning specific VSAs

Sorry, CTRL+Enter is not a good keyboard shortcut on a Monday morning ;)

So, I return to the NAS some VSAs depending on the LDAP group, like this:

    if (Ldap-Group == MyGroup) {
        update reply {
            # Rules for Cisco routers
            Service-Type = NAS-Prompt-User
            cisco-avpair = shell:priv-lvl=15
            # Rule for 3Com access
            Service-Type += Login-User
            Login-Service += Telnet
            Login-Service += 3com-50
            H3C-Exec_Privilege = 3
            3Com-User-Access-Level = 3Com-Manager
            # AV-Pair for F5 BigIP LTM access (see /usr/share/freeradius/dictionary.f5)
            F5-LTM-User-Role = Manager
            F5-LTM-User-Info-1 = myGroup
            F5-LTM-User-Partition = Common
            F5-LTM-User-Shell = bpsh
            # Etc.
        }
    }

Is there any way to check a NAS attribute to split replies, with a sort of VSA group for each NAS type, in post-auth?

I have the following nas table:

    mysql> describe nas;
    +-------------+--------------+------+-----+---------------+----------------+
    | Field       | Type         | Null | Key | Default       | Extra          |
    +-------------+--------------+------+-----+---------------+----------------+
    | id          | int(10)      | NO   | PRI | NULL          | auto_increment |
    | nasname     | varchar(128) | NO   | MUL | NULL          |                |
    | shortname   | varchar(32)  | YES  |     | NULL          |                |
    | type        | varchar(30)  | YES  |     | other         |                |
    | ports       | int(5)       | YES  |     | NULL          |                |
    | secret      | varchar(60)  | NO   |     | secret        |                |
    | server      | varchar(64)  | YES  |     | NULL          |                |
    | community   | varchar(50)  | YES  |     | NULL          |                |
    | description | varchar(200) | YES  |     | RADIUS Client |                |
    +-------------+--------------+------+-----+---------------+----------------+

Thanks in advance for your help!

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

From: Vincent, Fabien
Sent: Monday 7 November 2011 10:31
To: 'freeradius-users@lists.freeradius.org'
Subject: NAS in sql and returning specific VSAs

Hi all,

I have one question about FreeRADIUS and NAS in an SQL database. I return to the NAS some VSAs depending on the LDAP user group, like this:

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr
RE: NAS in sql and returning specific VSAs
For the solution, I did that in authorize:

    authorize {
    +    update request {
    +        FreeRADIUS-Client-NAS-Type = "%{sql:SELECT type FROM nas WHERE nasname='%{Packet-Src-IP-Address}'}"
    +    }
         group {
             LDAP_COMPANY
         }

And in the post-auth section, I did:

    +    if ("%{FreeRADIUS-Client-NAS-Type}" == "cisco") {
    +        update reply {
    +            Service-Type = NAS-Prompt-User
    +            cisco-avpair = shell:priv-lvl=15
    +        }
    +    }
    +    elsif ("%{FreeRADIUS-Client-NAS-Type}" == "bigip-ltm") {
    +        update reply {
    +            F5-LTM-User-Role = Administrator
    +            F5-LTM-User-Info-1 = myuserinfo
    +            F5-LTM-User-Partition = Common
    +            F5-LTM-User-Shell = bpsh
    +        }
    +    }

And this works... Thanks for your help!!!

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org] On behalf of Alan Buxey
Sent: Tuesday 8 November 2011 18:39
To: FreeRadius users mailing list
Subject: Re: NAS in sql and returning specific VSAs

Hi,

> Hi all,
>
> I just tried using
>
>     if(%Client-Type == 'cisco'){
>         Service-Type = NAS-Prompt-User
>         cisco-avpair = shell:priv-lvl=15
>     }

    if(%Client-Type == 'cisco'){
        update reply {
            Service-Type = NAS-Prompt-User
            cisco-avpair = shell:priv-lvl=15
        }
    }

?

alan
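An added example, my own and not from the thread or from FreeRADIUS, that models the two `nas`-table issues raised in these posts: the "No such virtual server NULL" error, which Alan traced to the string `NULL` sitting in the `server` column instead of a real SQL NULL, and Fabien's per-NAS-type reply selection driven by `SELECT type FROM nas WHERE nasname = <packet source IP>`. The table layout follows the DESCRIBE output posted above; the rows, the secrets and the use of sqlite3 in memory (instead of MySQL) are constructed assumptions.

```python
"""Audit and lookup helpers for a FreeRADIUS-style `nas` table.
Added example with constructed rows; sqlite3 stands in for MySQL."""
import sqlite3

# Columns as in the DESCRIBE output from the thread (types adapted to sqlite).
SCHEMA = """
CREATE TABLE nas (
  id          INTEGER PRIMARY KEY AUTOINCREMENT,
  nasname     VARCHAR(128) NOT NULL,
  shortname   VARCHAR(32),
  type        VARCHAR(30)  DEFAULT 'other',
  ports       INTEGER,
  secret      VARCHAR(60)  NOT NULL DEFAULT 'secret',
  server      VARCHAR(64),
  community   VARCHAR(50),
  description VARCHAR(200) DEFAULT 'RADIUS Client'
);
"""

# Constructed rows: a correct one (SQL NULL -> default virtual server), one carrying
# the literal string 'NULL' (the bug from the thread), one bound to a named server.
SAMPLE_ROWS = [
    ("10.10.10.10", "core-rtr1", "cisco", None, "secret-placeholder", None),
    ("10.15.50.251", "lb-webui", "bigip-ltm", None, "secret-placeholder", "NULL"),
    ("10.20.30.40", "vpn-gw", "other", None, "secret-placeholder", "customer"),
]

# Reply attributes per NAS type, copied from the unlang Fabien posted.
REPLY_BY_TYPE = {
    "cisco": {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=15"},
    "bigip-ltm": {"F5-LTM-User-Role": "Administrator", "F5-LTM-User-Info-1": "myuserinfo",
                  "F5-LTM-User-Partition": "Common", "F5-LTM-User-Shell": "bpsh"},
}


def build_db():
    """In-memory table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO nas (nasname, shortname, type, ports, secret, server) VALUES (?,?,?,?,?,?)",
        SAMPLE_ROWS)
    conn.commit()
    return conn


def audit_server_column(conn):
    """nasname of every row whose `server` is the text 'NULL' (any case) or blank:
    radiusd would look for a virtual server literally called that and fail."""
    cur = conn.execute(
        "SELECT nasname FROM nas WHERE server IS NOT NULL "
        "AND (UPPER(TRIM(server)) = 'NULL' OR TRIM(server) = '')")
    return [row[0] for row in cur.fetchall()]


def fix_server_column(conn):
    """Repair: turn the bogus text into a real SQL NULL; returns rows changed."""
    cur = conn.execute(
        "UPDATE nas SET server = NULL WHERE UPPER(TRIM(server)) = 'NULL' OR TRIM(server) = ''")
    conn.commit()
    return cur.rowcount


def virtual_server_for(conn, src_ip):
    """Where radiusd would route this client: None for an unknown client (packet is
    dropped), 'default' for SQL NULL, otherwise the named virtual server."""
    row = conn.execute("SELECT server FROM nas WHERE nasname = ?", (src_ip,)).fetchone()
    if row is None:
        return None
    return row[0] if row[0] is not None else "default"


def nas_type_for(conn, src_ip):
    """Same lookup as %{sql:SELECT type FROM nas WHERE nasname='%{Packet-Src-IP-Address}'},
    but with a bound parameter instead of string interpolation."""
    row = conn.execute("SELECT type FROM nas WHERE nasname = ?", (src_ip,)).fetchone()
    return row[0] if row else None


def reply_attributes_for(conn, src_ip):
    """Attributes to add to the Access-Accept for the NAS that sent the request;
    an unknown or unmapped type yields an empty reply, never another vendor's VSAs."""
    return dict(REPLY_BY_TYPE.get(nas_type_for(conn, src_ip) or "", {}))


if __name__ == "__main__":
    db = build_db()
    print("rows with a bogus server value:", audit_server_column(db))
    print("fixed:", fix_server_column(db), "rows")
    print("reply for 10.10.10.10:", reply_attributes_for(db, "10.10.10.10"))
```

Running the audit before restarting radiusd catches the literal-`NULL` row the thread stumbled on; the lookup side shows why keying the reply on the NAS `type` column keeps Cisco privilege levels from being handed to a BIG-IP and vice versa. The `%{Packet-Src-IP-Address}` xlat in the posted config is filled from the UDP header, not from user-typed text, but anything you write yourself against this table should bind parameters as the helpers here do.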
NAS in sql and returning specific VSAs
Hi all,

I have one question about FreeRADIUS and NAS in an SQL database. I return to the NAS some VSAs depending on the LDAP user group, like this:

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

coreye
Parc de la Haute Borne
22, rue Hergé
59650 Villeneuve d'Ascq
http://www.pictime.com/
RE: NAS in sql and returning specific VSAs
Sorry, CTRL+Enter is not a good keyboard shortcut on a Monday morning ;)

So, I return to the NAS some VSAs depending on the LDAP group, like this:

    if (Ldap-Group == MyGroup) {
        update reply {
            # Rules for Cisco routers
            Service-Type = NAS-Prompt-User
            cisco-avpair = shell:priv-lvl=15
            # Rule for 3Com access
            Service-Type += Login-User
            Login-Service += Telnet
            Login-Service += 3com-50
            H3C-Exec_Privilege = 3
            3Com-User-Access-Level = 3Com-Manager
            # AV-Pair for F5 BigIP LTM access (see /usr/share/freeradius/dictionary.f5)
            F5-LTM-User-Role = Manager
            F5-LTM-User-Info-1 = myGroup
            F5-LTM-User-Partition = Common
            F5-LTM-User-Shell = bpsh
            # Etc.
        }
    }

Is there any way to check a NAS attribute to split replies, with a sort of VSA group for each NAS type, in post-auth?

I have the following nas table:

    mysql> describe nas;
    +-------------+--------------+------+-----+---------------+----------------+
    | Field       | Type         | Null | Key | Default       | Extra          |
    +-------------+--------------+------+-----+---------------+----------------+
    | id          | int(10)      | NO   | PRI | NULL          | auto_increment |
    | nasname     | varchar(128) | NO   | MUL | NULL          |                |
    | shortname   | varchar(32)  | YES  |     | NULL          |                |
    | type        | varchar(30)  | YES  |     | other         |                |
    | ports       | int(5)       | YES  |     | NULL          |                |
    | secret      | varchar(60)  | NO   |     | secret        |                |
    | server      | varchar(64)  | YES  |     | NULL          |                |
    | community   | varchar(50)  | YES  |     | NULL          |                |
    | description | varchar(200) | YES  |     | RADIUS Client |                |
    +-------------+--------------+------+-----+---------------+----------------+

Thanks in advance for your help!

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

coreye
Parc de la Haute Borne
22, rue Hergé
59650 Villeneuve d'Ascq
http://www.pictime.com/

From: Vincent, Fabien
Sent: Monday 7 November 2011 10:31
To: 'freeradius-users@lists.freeradius.org'
Subject: NAS in sql and returning specific VSAs

Hi all,

I have one question about FreeRADIUS and NAS in an SQL database. I return to the NAS some VSAs depending on the LDAP user group, like this:

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure
fabien.vinc...@coreye.fr

coreye
Parc de la Haute Borne
22, rue Hergé
59650 Villeneuve d'Ascq
http://www.pictime.com/
RE: rlm_perl not working
Thanks for your replies.

I want to resolve the "Invalid Accounting Packet" problem, so I started to write a perl function preacct like this:

    use Data::Dumper;

    sub preacct {
        # For debugging purposes only
        print "*** start preacct ***\n";
        print Dumper(\%RAD_REQUEST);
        print "*** now update request ***\n";
        # 7 = Accounting-On, so the packet gets an Acct-Status-Type
        $RAD_REQUEST{'Acct-Status-Type'} = 7;
        print "*** returning from preacct ***\n";
        return RLM_MODULE_UPDATED;
    }

and modified my preacct section to use perl. I enter this procedure correctly, but I don't know how to update NAS-IP-Address using Packet-Src-IP-Address inside the perl sub. Is there some documentation somewhere listing all the variables on one web page? If someone has an example of how to update $RAD_REQUEST{'NAS-IP-Address'} using rlm_perl, it is welcome ;)

Regards

Fabien VINCENT

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org] On behalf of Alan Buxey
Sent: Tuesday 18 October 2011 21:31
To: FreeRadius users mailing list
Subject: Re: rlm_perl not working

Hi,

> > Of course! But to simplify documentation, I've put everything in one file, radiusd.conf, except the sql requests / config
>
> That's a terrible idea.

I was going to say the same thing. The old old server used to use a single file for config... that was actually a nasty thing. It now calls separate modules which all have nice notes/comments in them already. Reducing that to a single flat file is horrible. Even worse, it makes looking at the difference between your server config and the next release's available config (eg new options etc) almost impossible.

>         NAS-IP-Address = 127.1.1.1
>         F5-Acct = Oct 18 17:18:59 local/lb2b notice mcpd[4820]: 01070417:5: AUDIT - user radtest - transaction #40213784-2 - object 0 - modify { pool_member { pool_member_pool_name \..
>     WARNING: Empty section. Using default return values.
>     +- entering group accounting {...}
>     Invalid Accounting Packet

rlm_perl prints that out if there is no Acct-Status-Type attribute in the packet - ie it's not really a nice valid accounting packet. This looks like auditing packets being sent... they might need to fix their code?

> And one more question, can I replace it dynamically with, for example, rlm_perl using the IP address of the sender host (here 10.10.10.12)?

replace what? the NAS-IP-Address? yes - you can swap it with eg the Packet-Src-IP-Address

alan
rlm_perl not working
Hi all,

As you replied yesterday to my question, I have another one which is very embarrassing: I have the following packages installed on a CentOS box:

    freeradius2.x86_64
    freeradius2-mysql.x86_64
    freeradius2-ldap.x86_64
    freeradius2-perl.x86_64
    freeradius2-utils.x86_64

I want to make some transformations in my accounting section, but this doesn't work when I put perl in the accounting section. RADIUS stops working:

    /usr/sbin/radiusd -X
    conns: 0x25e9760
    Module: Checking authorize {...} for more modules to load
    Module: Checking accounting {...} for more modules to load
    /etc/raddb/radiusd.conf[267]: Failed to find module perl.
    /etc/raddb/radiusd.conf[263]: Errors parsing accounting section.

I've found a lot of problems looking with my Google friend, but I didn't understand why a simple

    accounting {
        # sql  # comment
        perl
    }

using the simple configuration for modules found here: http://wiki.freeradius.org/Rlm_perl does not work. Any ideas?

Thanks in advance for your help

Regards,

Fabien VINCENT
RE: rlm_perl not working
Sorry, fixed, a mistake in my radiusd.conf (lost in brackets ;)

From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org] On behalf of Vincent, Fabien
Sent: Tuesday 18 October 2011 15:53
To: FreeRadius users mailing list
Subject: rlm_perl not working

Hi all,

As you replied yesterday to my question, I have another one which is very embarrassing: I have the following packages installed on a CentOS box:

    freeradius2.x86_64
    freeradius2-mysql.x86_64
    freeradius2-ldap.x86_64
    freeradius2-perl.x86_64
    freeradius2-utils.x86_64

I want to make some transformations in my accounting section, but this doesn't work when I put perl in the accounting section. RADIUS stops working:

    /usr/sbin/radiusd -X
    conns: 0x25e9760
    Module: Checking authorize {...} for more modules to load
    Module: Checking accounting {...} for more modules to load
    /etc/raddb/radiusd.conf[267]: Failed to find module perl.
    /etc/raddb/radiusd.conf[263]: Errors parsing accounting section.

I've found a lot of problems looking with my Google friend, but I didn't understand why a simple

    accounting {
        # sql  # comment
        perl
    }

using the simple configuration for modules found here: http://wiki.freeradius.org/Rlm_perl does not work. Any ideas?

Thanks in advance for your help

Regards,

Fabien VINCENT
RE: rlm_perl not working
Of course! But to simplify documentation, I've put everything in one file, radiusd.conf, except the sql requests / config.

Another question with Perl / Accounting: I want to do accounting on my F5 LTM / GTM. But the F5 does something special, because all audit logs are forwarded to the RADIUS server using syslog-ng. The consequence is that the Accounting-Request arrives in the following format:

    Ready to process requests.
    rad_recv: Accounting-Request packet from host 10.10.10.12 port 47931, id=4, length=235
        NAS-IP-Address = 127.1.1.1
        F5-Acct = Oct 18 17:18:59 local/lb2b notice mcpd[4820]: 01070417:5: AUDIT - user radtest - transaction #40213784-2 - object 0 - modify { pool_member { pool_member_pool_name \..
    WARNING: Empty section. Using default return values.
    +- entering group accounting {...}
    Invalid Accounting Packet
    ++[perl] returns invalid
    Finished request 0.

Do you know if it's normal that the accounting section rejects the accounting packet and says "Invalid Accounting Packet"... Is it due to the NAS-IP-Address attribute? And one more question, can I replace it dynamically with, for example, rlm_perl using the IP address of the sender host (here 10.10.10.12)?

Thanks in advance for your help!

Fabien VINCENT
Network Security Engineer / ASSR Products

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org] On behalf of Alan Buxey
Sent: Tuesday 18 October 2011 16:54
To: FreeRadius users mailing list
Subject: Re: rlm_perl not working

Hi,

> Sorry, fixed, a mistake in my radiusd.conf … (lost in brackets ;)

my concern would be that you don't need to touch radiusd.conf at all to use the rlm_perl module - hope you weren't following some old document - you just need to edit the modules/perl file and then put 'perl' into the required part of your virtual server (or use a named instance if you want to call it a different name)

alan
Problem with F5 BigIP accounting : hexadecimal attribute
Dear all,

I'm using RADIUS for authenticating admin users on different network equipment. group authorize {...} works fine with rlm_ldap and group management. But I have a problem with accounting on F5 BigIP LTM / GTM. In fact, my RADIUS accounting server is receiving Accounting-Requests like this:

    Accounting-Request packet from host 10.10.10.10 port 36875, id=29, length=281
        NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
        F5-Attr-14 = [Hexadecimal output starting with 0x ...]
    WARNING: Empty section. Using default return values.
    +- entering group accounting {...}
    [sql] expand: packet has no accounting status type. [user '%{User-Name}', nas '%{NAS-IP-Address}'] -> packet has no accounting status type. [user '', nas '[nas IP unknown]']
    [sql] packet has no accounting status type. [user '', nas '[nas IP unknown]']
    ++[sql] returns invalid
    Finished request 37.
    Cleaning up request 37 ID

Did someone here already use accounting with F5 BigIP LTM or GTM? I'm looking to make this work by changing the audit_forward TCL script provided with the F5 (syslog-ng), but I wasn't able to produce something different. I also tried to edit the dictionary for F5 in /usr/share/freeradius/dictionary.f5:

    ATTRIBUTE   F5-LTM-User-Info-1   12   string
    ATTRIBUTE   F5-LTM-User-Info-2   13   string
    ++ ATTRIBUTE   F5-Attr-14   14   octets

Thanks in advance for your help!

Fabien VINCENT
fabien.vinc...@coreye.fr
RE: Problem with F5 BigIP accounting : hexadecimal attribute
> >     NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
>
> * Did you add your F5 IP address to the NAS table?

Yes, I have added the F5 IP address; authorize works fine using the SQL NAS table, but the IP returned in the F5 accounting packet isn't a valid Self IP of the corresponding F5. I think it's returned by the F5 in hex (like the F5-Attr-14), that's why I'm asking for help about this strange behavior.

> Regards
> Suman
>
> On Mon, Oct 17, 2011 at 4:56 PM, Vincent, Fabien <fabien.vinc...@coreye.fr> wrote:
> > Dear all,
> >
> > I'm using RADIUS for authenticating admin users on different network equipment. group authorize {...} works fine with rlm_ldap and group management. But I have a problem with accounting on F5 BigIP LTM / GTM. In fact, my RADIUS accounting server is receiving Accounting-Requests like this:
> >
> >     Accounting-Request packet from host 10.10.10.10 port 36875, id=29, length=281
> >         NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
> >         F5-Attr-14 = [Hexadecimal output starting with 0x ...]
> >     WARNING: Empty section. Using default return values.
> >     +- entering group accounting {...}
> >     [sql] expand: packet has no accounting status type. [user '%{User-Name}', nas '%{NAS-IP-Address}'] -> packet has no accounting status type. [user '', nas '[nas IP unknown]']
> >     [sql] packet has no accounting status type. [user '', nas '[nas IP unknown]']
> >     ++[sql] returns invalid
> >     Finished request 37.
> >     Cleaning up request 37 ID
> >
> > Did someone here already use accounting with F5 BigIP LTM or GTM? I'm looking to make this work by changing the audit_forward TCL script provided with the F5 (syslog-ng), but I wasn't able to produce something different. I also tried to edit the dictionary for F5 in /usr/share/freeradius/dictionary.f5:
> >
> >     ATTRIBUTE   F5-LTM-User-Info-1   12   string
> >     ATTRIBUTE   F5-LTM-User-Info-2   13   string
> >     ++ ATTRIBUTE   F5-Attr-14   14   octets
> >
> > Thanks in advance for your help!
> >
> > Fabien VINCENT
> > fabien.vinc...@coreye.fr
RE: Problem with F5 BigIP accounting : hexadecimal attribute
Thanks for your replies/help.

I set in dictionary.f5 the following value:

    ATTRIBUTE   F5-Acct   14   string

First, for the F5 NAS-IP-Address, it's equal to 127.1.1.1, which I suspect is a strange behavior of the F5 syslog-ng / audit forwarder. But this is not a problem, I will find out how to set it through the tmsh or bigpipe shells.

Now I have the correct output in the F5-Acct attribute I've set in the dictionary. Thanks all for your help! If you have any experience with F5 BigIP LTM/GTM accounting, please share your feedback with me (in private of course).

For the specific VSA provided here, is it possible to add it by default in the FreeRADIUS repo?

Fabien VINCENT
Network Security Engineer / ASSR Products Level 3 - Products Infrastructure

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org] On behalf of Phil Mayers
Sent: Monday 17 October 2011 16:51
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with F5 BigIP accounting : hexadecimal attribute

On 17/10/11 12:26, Vincent, Fabien wrote:
>         F5-Attr-14 = [Hexadecimal output starting with 0x ...]

This happens when an unknown attribute is found. The attribute is assumed to be type octets and is rendered as hex.

>     ++ ATTRIBUTE   F5-Attr-14   14   octets

This won't help at all. This is ALREADY what FreeRADIUS assumes for unknown attributes. Try:

    ATTRIBUTE   F5-Attr-14   14   string

...and see if it's readable.
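An added example, my own and not code from the thread or from FreeRADIUS, that reproduces the three things this thread and the rlm_perl thread above ran into on a minimal RADIUS Accounting-Request: an unknown vendor attribute rendered as 0x-hex until the dictionary gets a `string` entry for it (Phil's point), "Invalid Accounting Packet" because Acct-Status-Type is absent (Alan Buxey's point), and the swap of a loopback NAS-IP-Address for the packet's source address (Alan's suggestion, which Fabien asked how to do in rlm_perl). The packet is constructed here; the payload is the audit line quoted in the thread, the authenticator is left zeroed because nothing is signed or verified, and the tiny dictionary only carries the entries the posts mention.

```python
"""Encode/decode a RADIUS Accounting-Request with a vendor-specific attribute and
check it the way radiusd's accounting section would. Added example, constructed data."""
import socket
import struct

ACCOUNTING_REQUEST = 4          # RFC 2866 packet code
ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS_TYPE = 4, 26, 40
ACCT_STATUS_ACCOUNTING_ON = 7   # the value Fabien's preacct sub sets
VENDOR_F5 = 3375                # F5 Networks enterprise number (VENDOR F5 3375 in dictionary.f5)

# (vendor, attribute) -> (name, type); vendor 0 is the base RADIUS namespace.
DICT_BASE = {
    (0, ATTR_NAS_IP_ADDRESS): ("NAS-IP-Address", "ipaddr"),
    (0, ATTR_ACCT_STATUS_TYPE): ("Acct-Status-Type", "integer"),
    (VENDOR_F5, 12): ("F5-LTM-User-Info-1", "string"),
    (VENDOR_F5, 13): ("F5-LTM-User-Info-2", "string"),
}
# The same dictionary after the line Fabien added: ATTRIBUTE F5-Acct 14 string
DICT_WITH_F5_ACCT = {**DICT_BASE, (VENDOR_F5, 14): ("F5-Acct", "string")}

# Audit text quoted in the thread, used here as the constructed VSA payload.
F5_AUDIT_LINE = (b"Oct 18 17:18:59 local/lb2b notice mcpd[4820]: 01070417:5: AUDIT - "
                 b"user radtest - transaction #40213784-2 - object 0 - modify { pool_member {")


def build_attr(atype, value):
    """Type-Length-Value; Length counts the 2-byte header (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_vsa(vendor, vtype, value):
    """Vendor-Specific: 4-byte Vendor-Id followed by a nested vendor TLV."""
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor) + build_attr(vtype, value))


def build_packet(code, ident, attrs, authenticator=bytes(16)):
    """Code, Identifier, Length, 16-byte Authenticator (zeroed: nothing is signed here)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def iter_attrs(data):
    """Walk a TLV list, refusing truncated or zero-length attributes."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def render(kind, raw):
    """Mimic the debug log: known types decode, anything else prints as 0x-hex."""
    if kind == "ipaddr" and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if kind == "integer" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if kind == "string":
        return raw.decode("utf-8", errors="replace")
    return "0x" + raw.hex()


def decode(packet, dictionary):
    """Return (code, identifier, {name: rendered value}) for one RADIUS packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or length")
    code, ident, attrs = packet[0], packet[1], {}
    for atype, value in iter_attrs(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC:
            name, kind = dictionary.get((0, atype), (f"Attr-{atype}", "octets"))
            attrs[name] = render(kind, value)
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific shorter than Vendor-Id")
        vendor = struct.unpack("!I", value[:4])[0]
        vname = "F5" if vendor == VENDOR_F5 else f"Vendor-{vendor}"
        for vtype, vvalue in iter_attrs(value[4:]):
            # Unknown VSAs get the F5-Attr-NN style name and octets rendering
            name, kind = dictionary.get((vendor, vtype), (f"{vname}-Attr-{vtype}", "octets"))
            attrs[name] = render(kind, vvalue)
    return code, ident, attrs


def accounting_problems(attrs):
    """Why radiusd would log "Invalid Accounting Packet" for this request."""
    return [] if "Acct-Status-Type" in attrs else ["no Acct-Status-Type: Invalid Accounting Packet"]


def normalize_nas_ip(attrs, packet_src_ip):
    """Alan's suggestion: replace a loopback NAS-IP-Address (the F5 sent 127.1.1.1)
    with the source IP of the UDP packet; returns a new dict, attrs is untouched."""
    fixed = dict(attrs)
    if str(fixed.get("NAS-IP-Address", "")).startswith("127."):
        fixed["NAS-IP-Address"] = packet_src_ip
    return fixed


def constructed_f5_packet(with_status_type=False):
    """Constructed packet with the shape seen in the thread: NAS-IP-Address 127.1.1.1
    plus the audit line in F5 VSA 14, optionally with Acct-Status-Type present."""
    attrs = build_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton("127.1.1.1"))
    attrs += build_vsa(VENDOR_F5, 14, F5_AUDIT_LINE)
    if with_status_type:
        attrs += build_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_ACCOUNTING_ON))
    return build_packet(ACCOUNTING_REQUEST, 4, attrs)
```

Decoding the constructed packet with `DICT_BASE` yields `F5-Attr-14` as a hex string beginning `0x4f6374` (the bytes of "Oct"); with `DICT_WITH_F5_ACCT` the same bytes come back as the readable `F5-Acct` text, which is all the dictionary change does. `accounting_problems` stays non-empty until the sender includes Acct-Status-Type, so rewriting NAS-IP-Address on the server side fixes the client identity in the log but not the validity of the packet; the length checks in `iter_attrs` and `decode` are the part a listener exposed to untrusted senders must not skip.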