RE: load balancing radius with F5 devices

2013-10-09 Thread Vincent, Fabien
Hi,

Just to give some information in case it helps (this mailing list has helped me a lot!)

I have F5 BigIP devices in two DCs. They each have a VirtualServer with a
shared IP (not activated on the VLANs used to communicate between the 2 DCs, to avoid
IP conflicts; a much simpler config for the NAS: only one IP address for the server).

Everything works fine with the following config:

The Virtual Server (IP A.B.C.D is its public IP for the external DC ...):

ltm virtual /Common/VS-RADIUS-AUTH {
    destination /Common/A.B.C.D:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/POOL-RADIUS-AUTH
    profiles {
        /Common/radiusLB { }
        /Common/udp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        [...]
    }
    vlans-enabled
}

The pool used:

ltm pool /Common/POOL-RADIUS-AUTH {
    members {
        /Common/10.10.6.7:1812 {
            address 10.10.6.7
        }
        /Common/10.20.6.3:1812 {
            address 10.20.6.3
        }
    }
    monitor /Common/Radius-Auth
}

The monitor:

ltm monitor radius /Common/Radius-Auth {
    debug no
    defaults-from /Common/radius
    destination *:*
    interval 30
    nas-ip-address 10.16.81.11
    password Monitor
    secret **
    time-until-up 0
    timeout 31
    username radius@domain
}

The radiusLB profile is the following:

ltm profile radius radiusLB {
    clients none
    persist-avp none
}

And another one, not used but available in the default config:

ltm profile radius radiusLB-subscriber-aware {
    defaults-from radiusLB
    subscriber-aware enabled
}


If I look at the pool statistics, each server has an equivalent volume of requests
(48.1k against 48.2k).

You could play with Priority Groups depending on location or on the failover architecture
of your RADIUS servers if you want.

Fabien VINCENT
Network & Security Engineer / ASSR Products
Level 3 - Infrastructure & Products
fabien.vinc...@coreye.fr



From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org]
On behalf of Michael Schwartzkopff
Sent: Wednesday, 9 October 2013 11:17
To: FreeRadius users mailing list
Subject: Re: load balancing radius with F5 devices

On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
> Hi,
>
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're
> doing it here, but I can't help thinking that the actual load balancing
> algorithm needs some tweaking.
>
> As far as I'm aware (the systems section supports the F5 boxes):
>
> 1) We're using round robin to spread the load over 2 back end radius
> servers.
> 2) There is some general sticky persistence so that once a RAS
> device starts talking to a particular back end server it continues to talk
> to that server for a predetermined length of time (might be an hour, not
> sure). This ensures that an EAP dialogue will always talk to the same back
> end server for the duration of the stick time. Not sure what happens when
> you get to the end of the time interval though.
>
> According to the F5 statistics, overall radius traffic seems to be shared
> evenly over the 2 back end servers. However, our most heavily loaded RAS
> client is our wireless network. While we have 900 switches doing MAC and
> 802.1X based auth, we can have 6000+ users on our wireless network all
> authenticating to RADIUS via 3 RAS clients. Looking at the back end server
> log files, it does look as if, in general, all wireless RADIUS auths head
> for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in terms
> of how the F5 load balances incoming RADIUS requests.
 
 
You would need to use application layer load balancing on the BigIPs. But I
don't think that you can configure this on the BigIPs. The RADIUS protocol is
stateless, so there is no criterion in the application that a load balancer
could use to balance inside the application.
 
Greetings,

-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
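The BIG-IP configuration in this thread balances RADIUS with `persist-avp none`, i.e. plain round robin over the pool, and the reply argues that nothing in the application gives a balancer a key to stick on. As an added example that is not part of the thread and not F5 or FreeRADIUS code, the Python below parses RFC 2865 Access-Requests and picks a pool member from one attribute (Calling-Station-Id, type 31), so that every round trip of one EAP conversation lands on the same server, while plain round robin spreads the same conversation over both members. The packets, the station ID and the pool addresses are constructed test data, and the SHA-256 bucket hashing is this example's own scheme, not what the radiusLB profile does internally.

```python
import hashlib
import struct

# RFC 2865 code and attribute types used below
ACCESS_REQUEST = 1
USER_NAME = 1
STATE = 24
CALLING_STATION_ID = 31


def build_access_request(attrs, ident=1):
    """Constructed test packet: header, zeroed Request Authenticator, TLV body.
    A balancer never needs the shared secret, so the authenticator is irrelevant here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16)
    return header + body


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header, rejecting bad lengths
    (the sanity checks a UDP balancer must do before trusting any field)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def persistence_key(packet, avp_type):
    """First value of the chosen persistence AVP, or None when the request lacks it."""
    for atype, value in parse_attributes(packet):
        if atype == avp_type:
            return value
    return None


class RadiusBalancer:
    """Round robin when persist_avp is None; otherwise sticky on that AVP's value."""

    def __init__(self, pool, persist_avp=None):
        self.pool = list(pool)
        self.persist_avp = persist_avp
        self._next = 0

    def _round_robin(self):
        member = self.pool[self._next % len(self.pool)]
        self._next += 1
        return member

    def choose(self, packet):
        if self.persist_avp is None:
            return self._round_robin()
        key = persistence_key(packet, self.persist_avp)
        if key is None:
            return self._round_robin()  # AVP absent: fall back instead of dropping
        digest = hashlib.sha256(key).digest()
        return self.pool[int.from_bytes(digest[:8], "big") % len(self.pool)]


def eap_conversation(station_id, rounds=3):
    """Constructed: the Access-Requests one supplicant causes during one EAP exchange.
    Only the State attribute changes between rounds; the station stays the same."""
    return [
        build_access_request(
            [(USER_NAME, b"alice@domain"), (CALLING_STATION_ID, station_id),
             (STATE, bytes([i]) * 4)],
            ident=i,
        )
        for i in range(1, rounds + 1)
    ]


def backends_for(packets, pool, persist_avp):
    """Which pool member each packet of a conversation would be sent to."""
    lb = RadiusBalancer(pool, persist_avp)
    return [lb.choose(p) for p in packets]


if __name__ == "__main__":
    pool = ["10.10.6.7", "10.20.6.3"]  # the two pool members from the thread
    conversation = eap_conversation(b"00-11-22-33-44-55")
    print("round robin:", backends_for(conversation, pool, None))
    print("sticky on Calling-Station-Id:", backends_for(conversation, pool, CALLING_STATION_ID))
```

With round robin the three requests of one conversation alternate between the two members; keyed on Calling-Station-Id they all reach the same one. Keying on State (type 24) would work the same way for the later rounds but not for the first packet, which carries no State yet, so the client identity is the more useful key.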


Trying to do proxy using realm and 2 VS

2013-03-28 Thread Vincent, Fabien
Hi all,

I'm currently working on a fresh FreeRadius 2.x install, in order to separate
RADIUS auth for administrators (firewall, router & switch administration)
from customer access (SSL VPN / IPsec).

My first try was to rewrite all the config into virtual servers (previously,
everything was written into radiusd.conf :().

So here is what I did:

[root@server /etc/raddb]$ ll sites-enabled/
total 0
lrwxrwxrwx. 1 root root 33 Mar 19 12:01 administrator -> /etc/raddb/sites-available/administrator
lrwxrwxrwx. 1 root root 43 Mar 26 18:16 customer -> /etc/raddb/sites-available/coreye_customers

These are my two VSs:

server administrator {
    # Authenticate / Authorize listener
    listen {
        ipaddr = *
        port = 1600
        type = auth
    }
    # Accounting listener
    listen {
        ipaddr = *
        port = 1601
        type = acct
    }
    [...]
}

server customer {
    # Authenticate / Authorize listener
    listen {
        ipaddr = *
        port = 1602
        type = auth
    }
    # Accounting listener
    listen {
        ipaddr = *
        port = 1603
        type = acct
    }
    [...]
}

And in order to proxy, I want to forward depending on the realm (proxy.conf):

realm .*customer$ {
    virtual_server = customer
}

realm .*admin$ {
    virtual_server = administrator
}

realm NULL {
    virtual_server = administrator
}


But when logging into RADIUS, it works for the VS administrator (login admin or
user@admin), but if I try using login@customer, it is never proxied to the virtual
server customer.

I tried different methods shown in the mailing list, but no way, it's
never working ...

Proxy to realm in the authorize section:

if (Realm == customer) {
    update control {
        Proxy-To-Realm := customer
    }
}

Not working ... The request is always handled by the administrator VS.
I also played with the dynamic clients example and
FreeRADIUS-Client-Virtual-Server = customer, but that is not working either.

I suspect the problem is located in my NAS MySQL table, where the server column is
forced to the virtual server administrator.

Is there anything I missed? What's the best solution for this kind of
configuration when NASes are stored in a MySQL DB, and some of the NAS clients
could be used by different virtual servers? What is the best way to have a
single RADIUS server IP, and two different virtual servers with two different
sets of rules?

Thanks in advance for your help !

Fabien VINCENT
http://www.coreye.fr/



No such virtual server NULL

2011-11-08 Thread Vincent, Fabien
Hi all,

I'm using FreeRadius to authenticate admin users on the firewall / load balancer
web UI.

Actually my configuration works well, but I just tried to add a new load
balancer with RADIUS auth, and I get a strange message:

 

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.15.50.251 port 27705, id=236, length=94
	User-Name = "myuser"
	User-Password = "pass"
	NAS-IP-Address = 10.10.10.10
	NAS-Identifier = "httpd"
	NAS-Port = 26680
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = "192.168.0.1"
server NULL {
No such virtual server NULL
Invalid user: [myuser] (from client NAS-SHORTNAME port 26680 cli 192.168.0.1)
} # server NULL
Using Post-Auth-Type Reject
No such virtual server NULL
Delaying reject of request 2 for 1 seconds
Going to the next request


What is this message? No such virtual server NULL

Why does this work for the existing configuration while adding a new NAS to the SQL
database gives this result?

Thanks in advance for your help!

 

Fabien VINCENT


RE: No such virtual server NULL

2011-11-08 Thread Vincent, Fabien
-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org]
On behalf of Alan DeKok
Sent: Tuesday, 8 November 2011 14:37
To: FreeRadius users mailing list
Subject: Re: No such virtual server NULL

Vincent, Fabien wrote:
> What is this message? No such virtual server NULL
>
> Why does this work for the existing configuration while adding a new NAS to the SQL
> database gives this result?

  Because you added the NAS in SQL, with the virtual server column
containing the string "NULL".

Thanks, I've also modified my default server configuration to server
mycompany and included all my rules in this server configuration (and
also changed the NAS server value to mycompany).


  Don't do that.

  Alan DeKok.



RE: NAS in sql and returning specific VSAs

2011-11-08 Thread Vincent, Fabien
Hi all,

I just tried using

if(%Client-Type == 'cisco'){
    Service-Type = NAS-Prompt-User
    cisco-avpair = shell:priv-lvl=15
}

in the post-auth or authorize section but it doesn't work. I get the following
message:

update sections cannot have subsections

Is there any way to update the attributes sent by the RADIUS server when
authenticating on a specific NAS / client?

 

Regards,

 

Fabien VINCENT


RE: NAS in sql and returning specific VSAs

2011-11-08 Thread Vincent, Fabien
For the solution, I did this:

authorize {
    update request {
        FreeRADIUS-Client-NAS-Type = "%{sql:SELECT type FROM nas WHERE nasname='%{Packet-Src-IP-Address}'}"
    }
    group {
        LDAP_COMPANY
    }
    [...]
}

And in the post-auth section, I did:

if ("%{FreeRADIUS-Client-NAS-Type}" == "cisco") {
    update reply {
        Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=15"
    }
}
elsif ("%{FreeRADIUS-Client-NAS-Type}" == "bigip-ltm") {
    update reply {
        F5-LTM-User-Role = Administrator
        F5-LTM-User-Info-1 = "myuserinfo"
        F5-LTM-User-Partition = "Common"
        F5-LTM-User-Shell = "bpsh"
    }
}

And this works ... Thanks for your help !!!

Fabien VINCENT



-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org]
On behalf of Alan Buxey
Sent: Tuesday, 8 November 2011 18:39
To: FreeRadius users mailing list
Subject: Re: NAS in sql and returning specific VSAs

Hi,
> Hi all,
>
> I just tried using
>
> if(%Client-Type == 'cisco'){
>     Service-Type = NAS-Prompt-User
>     cisco-avpair = shell:priv-lvl=15
> }

if(%Client-Type == 'cisco'){
    update reply {
        Service-Type = NAS-Prompt-User
        cisco-avpair = shell:priv-lvl=15
    }
}

?

alan


NAS in sql and returning specific VSAs

2011-11-07 Thread Vincent, Fabien
Hi all,

I have one question about FreeRADIUS and NAS in an SQL database.

I return to the NAS some VSAs depending on the LDAP User-Group, like this:

Fabien VINCENT


RE: NAS in sql and returning specific VSAs

2011-11-07 Thread Vincent, Fabien
Sorry, CTRL+Enter is not a good keyboard shortcut on a Monday morning ;)

So, I return to the NAS some VSAs depending on the LDAP group, like this:

if (Ldap-Group == MyGroup) {
    update reply {
        # Rules for Cisco routers
        Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=15"

        # Rules for 3Com access
        Service-Type += Login-User
        Login-Service += Telnet
        Login-Service += 3com-50
        H3C-Exec_Privilege = 3
        3Com-User-Access-Level = 3Com-Manager

        # AV-pairs for F5 BigIP LTM access (see /usr/share/freeradius/dictionary.f5)
        F5-LTM-User-Role = Manager
        F5-LTM-User-Info-1 = "myGroup"
        F5-LTM-User-Partition = "Common"
        F5-LTM-User-Shell = "bpsh"

        # Etc ...
    }
}

Is there any way to check a NAS attribute to split the replies, with some sort of
VSA group for each NAS type, in post-auth?

 

I have the following nas table:

mysql> describe nas;
+-------------+--------------+------+-----+---------------+----------------+
| Field       | Type         | Null | Key | Default       | Extra          |
+-------------+--------------+------+-----+---------------+----------------+
| id          | int(10)      | NO   | PRI | NULL          | auto_increment |
| nasname     | varchar(128) | NO   | MUL | NULL          |                |
| shortname   | varchar(32)  | YES  |     | NULL          |                |
| type        | varchar(30)  | YES  |     | other         |                |
| ports       | int(5)       | YES  |     | NULL          |                |
| secret      | varchar(60)  | NO   |     | secret        |                |
| server      | varchar(64)  | YES  |     | NULL          |                |
| community   | varchar(50)  | YES  |     | NULL          |                |
| description | varchar(200) | YES  |     | RADIUS Client |                |
+-------------+--------------+------+-----+---------------+----------------+

 

Thanks in advance for your help !

 

Fabien VINCENT


RE: rlm_perl not working

2011-10-20 Thread Vincent, Fabien
Thanks for your replies.

I want to resolve the Invalid Accounting Packet problem, so I started to write
a perl preacct function like this:

use strict;
use Data::Dumper;

# Return code as defined in the rlm_perl example module (example.pl)
use constant RLM_MODULE_UPDATED => 8;

# Filled by rlm_perl with the request attributes, keyed by dictionary name
our %RAD_REQUEST;

sub preacct {
    # For debugging purposes only
    print "*** start preacct ***\n";
    print Dumper(\%RAD_REQUEST);
    print "*** now update request ***\n";
    $RAD_REQUEST{'Acct-Status-Type'} = 7;
    print "*** returning from preacct ***\n";
    return RLM_MODULE_UPDATED;
}

and modified my preacct section to use perl.

I correctly enter this procedure, but I don't know how to update
NAS-IP-Address using Packet-Src-IP-Address in the perl sub.

Is there somewhere some documentation listing all the variables on one web page?

If someone has an example of how to update $RAD_REQUEST{'NAS-IP-Address'}
using rlm_perl, it is welcome ;)

Regards


Fabien VINCENT


-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org]
On behalf of Alan Buxey
Sent: Tuesday, 18 October 2011 21:31
To: FreeRadius users mailing list
Subject: Re: rlm_perl not working

Hi,

> Of course! But to simplify documentation, I've put all in one file,
> radiusd.conf, except the SQL requests / config
>
> > That's a terrible idea.

I was going to say the same thing. The old, old server used to use a single
file for config... that was actually a nasty thing. It now calls separate
modules which all have nice notes/comments in them already. Redacting that
to a single flat file is horrible. Even worse, it makes looking at the
difference between your server config and the next release's available
config (e.g. new options etc.) almost impossible.

> NAS-IP-Address = 127.1.1.1
> F5-Acct = Oct 18 17:18:59 local/lb2b notice mcpd[4820]:
> 01070417:5: AUDIT - user radtest - transaction #40213784-2 - object 0 -
> modify { pool_member { pool_member_pool_name \..
> WARNING: Empty section.  Using default return values.
> +- entering group accounting {...}
> Invalid Accounting Packet

rlm_perl prints that out if there is no Acct-Status-Type attribute in the
packet, i.e. it's not really a valid accounting packet. This looks like
auditing packets being sent... they might need to fix their code?

> And one more question, can I replace it dynamically with, for example,
> rlm_perl using the IP address from the sender host (here 10.10.10.12)?

Replace what? The NAS-IP-Address? Yes, you can swap it with e.g. the
Packet-Src-IP-Address.

alan


rlm_perl not working

2011-10-18 Thread Vincent, Fabien
Hi all,

As you replied yesterday to my question, I have another one which is very
embarrassing:

I have the following packages installed on a CentOS box:

freeradius2.x86_64
freeradius2-mysql.x86_64
freeradius2-ldap.x86_64
freeradius2-perl.x86_64
freeradius2-utils.x86_64

I want to make some transformations in my accounting section but this
doesn't work when I put "perl" in the accounting section. Radius stops
working:

 

/usr/sbin/radiusd -X
conns: 0x25e9760
Module: Checking authorize {...} for more modules to load
Module: Checking accounting {...} for more modules to load
/etc/raddb/radiusd.conf[267]: Failed to find module "perl".
/etc/raddb/radiusd.conf[263]: Errors parsing accounting section.

 

 

I've found a lot of problems looking on my Google friend, but I didn't
understand why, with a simple:

accounting {
    # sql # comment
    perl
}

using the simple configuration for modules found here:
http://wiki.freeradius.org/Rlm_perl

it does not work.

Any ideas?

Thanks in advance for your help

Regards,

Fabien VINCENT


RE: rlm_perl not working

2011-10-18 Thread Vincent, Fabien
Sorry, fixed, a mistake in my radiusd.conf … (lost in brackets ;)

 

 

 



RE: rlm_perl not working

2011-10-18 Thread Vincent, Fabien
Of course! But to simplify documentation, I've put all in one file,
radiusd.conf, except the SQL requests / config.

Another question with Perl / Accounting:

I want to do accounting on my F5 LTM / GTM. But the F5 does something
special, because all audit logs are forwarded to the RADIUS server using syslog-ng.
The consequence is that the Accounting-Request comes in with the following
format:

Ready to process requests.
rad_recv: Accounting-Request packet from host 10.10.10.12 port 47931, id=4, length=235
	NAS-IP-Address = 127.1.1.1
	F5-Acct = "Oct 18 17:18:59 local/lb2b notice mcpd[4820]: 01070417:5: AUDIT - user radtest - transaction #40213784-2 - object 0 - modify { pool_member { pool_member_pool_name \.."
  WARNING: Empty section.  Using default return values.
+- entering group accounting {...}
Invalid Accounting Packet
++[perl] returns invalid
Finished request 0.

Do you know if it's normal that the accounting section rejects the accounting
packet and says Invalid Accounting Packet ... Is it due to the NAS-IP-Address
attribute?

And one more question, can I replace it dynamically with, for example, rlm_perl
using the IP address of the sender host (here 10.10.10.12)?

Thanks in advance for your help!


Fabien VINCENT

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org]
On behalf of Alan Buxey
Sent: Tuesday, 18 October 2011 16:54
To: FreeRadius users mailing list
Subject: Re: rlm_perl not working

Hi,
> Sorry, fixed, a mistake in my radiusd.conf ... (lost in brackets ;)

My concern would be that you don't need to touch radiusd.conf at all to use
the rlm_perl module - hope you weren't following some old document - you just
need to edit the modules/perl file and then put 'perl' into the required part
of your virtual server (or use a named instance if you want to call it a
different name).

alan


Problem with F5 BigIP accounting : hexadecimal attribute

2011-10-17 Thread Vincent, Fabien
Dear all,

I'm using RADIUS for authenticating admin users on different network
equipment. group authorize {...} works fine with rlm_ldap and group
management.

But I have a problem with accounting on F5 BigIP LTM / GTM.

In fact, my RADIUS accounting server is receiving Accounting-Requests like
this:

Accounting-Request packet from host 10.10.10.10 port 36875, id=29, length=281
	NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
	F5-Attr-14 = [hexadecimal output starting with 0x ...]
  WARNING: Empty section.  Using default return values.
+- entering group accounting {...}
[sql] 	expand: packet has no accounting status type. [user '%{User-Name}', nas '%{NAS-IP-Address}'] -> packet has no accounting status type. [user '', nas '[nas IP unknown]']
[sql] packet has no accounting status type. [user '', nas '[nas IP unknown]']
++[sql] returns invalid
Finished request 37.
Cleaning up request 37 ID

Has someone here already used accounting with F5 BigIP LTM or GTM? I'm
trying to make this work by changing the audit_forward TCL script provided
with F5 (syslog-ng) but I wasn't able to produce something different.

I also tried to edit the dictionary for F5 in
/usr/share/freeradius/dictionary.f5:

ATTRIBUTE   F5-LTM-User-Info-1  12   string
ATTRIBUTE   F5-LTM-User-Info-2  13   string
++ ATTRIBUTE   F5-Attr-14  14   octets

Thanks in advance for your help!

Fabien VINCENT
fabien.vinc...@coreye.fr





RE: Problem with F5 BigIP accounting : hexadecimal attribute

2011-10-17 Thread Vincent, Fabien
 

> NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
>
> * Did you add your F5 IP address to the NAS table?

Yes, I have added the F5 IP address; authorize works fine using the SQL NAS
table, but the IP returned in the F5 accounting packet isn't a valid self
IP of the corresponding F5.

I think it's returned by the F5 in hex (like F5-Attr-14), that's why I
request help about this strange behavior.

> Regards
> Suman



RE: Problem with F5 BigIP accounting : hexadecimal attribute

2011-10-17 Thread Vincent, Fabien
Thanks for your replies/help.

I set in dictionary.f5 the following value:

ATTRIBUTE   F5-Acct 14   string

First, for the F5 NAS-IP-Address, it's equal to 127.1.1.1, which I suspect is a
strange behavior of the F5 syslog-ng / audit forwarder. But this is not a
problem, I will find out how to set it through the tmsh or bigpipe shells.

Now I have the correct output in the F5-Acct attribute I've set in the
dictionary.

Thanks all for your help!

If you have any experience with F5 BigIP LTM/GTM accounting, please share
your feedback with me (in private of course).

For the specific VSA provided here, is it possible to add it by default to the
FreeRadius repo?

Fabien VINCENT

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.org]
On behalf of Phil Mayers
Sent: Monday, 17 October 2011 16:51
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with F5 BigIP accounting : hexadecimal attribute

On 17/10/11 12:26, Vincent, Fabien wrote:

> F5-Attr-14 = [hexadecimal output starting with 0x ...]

This happens when an unknown attribute is found. The attribute is
assumed to be type octets and is rendered as hex.

> ++ ATTRIBUTE F5-Attr-14 14 octets

This won't help at all. This is ALREADY what FreeRADIUS assumes for
unknown attributes.

Try:

ATTRIBUTE F5-Attr-14 14 string

...and see if it's readable.
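The three accounting threads above (the hexadecimal F5-Attr-14, the string declaration Phil suggests, and the Invalid Accounting Packet / "packet has no accounting status type" rejection) come down to two pieces of RFC 2865/2866 behaviour. As an added example that is not code from the thread, from FreeRADIUS or from F5, the Python below decodes a Vendor-Specific attribute against a small dictionary modeled on dictionary.f5, shows how the rendering changes once sub-attribute 14 is declared as a string, and checks the request for Acct-Status-Type the way an accounting section does. The attribute values are constructed to mirror the debug output quoted in the thread, not captured traffic; 3375 is F5 Networks' enterprise number, and the dictionary entries for 12 and 13 are the ones quoted in the thread.

```python
import ipaddress
import struct

# RFC 2865/2866 attribute types used below
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
ACCT_STATUS_TYPE = 40
F5_VENDOR_ID = 3375  # F5 Networks' enterprise number (the VENDOR line in dictionary.f5)

# Shape of the server's dictionary: vendor id -> (vendor name, {sub-type: (name, data type)}).
# 12 and 13 are the entries quoted from dictionary.f5 in the thread; 14 is not declared.
VENDORS_DEFAULT = {
    F5_VENDOR_ID: ("F5", {
        12: ("F5-LTM-User-Info-1", "string"),
        13: ("F5-LTM-User-Info-2", "string"),
    }),
}
# The fix from the thread: declare sub-attribute 14 as a string.
VENDORS_WITH_ACCT = {
    F5_VENDOR_ID: ("F5", {**VENDORS_DEFAULT[F5_VENDOR_ID][1], 14: ("F5-Acct", "string")}),
}


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific payload (RFC 2865 s5.26): 4-byte vendor id, then vendor type/length/value."""
    if len(value) > 253:
        raise ValueError("vendor attribute too long for one VSA")
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def render(value, data_type):
    """Print a value the way radiusd -X does for that dictionary type."""
    if data_type == "string":
        return value.decode("utf-8", errors="replace")
    if data_type == "ipaddr":
        return str(ipaddress.IPv4Address(value))
    return "0x" + value.hex()  # 'octets', the fallback for anything undeclared


def decode_vsa(payload, vendors):
    """Render each vendor sub-attribute; undeclared ones become <Vendor>-Attr-<n> as octets."""
    vendor_id = struct.unpack("!I", payload[:4])[0]
    vendor_name, table = vendors.get(vendor_id, ("Vendor-%d" % vendor_id, {}))
    pos, lines = 4, []
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            raise ValueError("bad vendor sub-attribute length")
        name, dtype = table.get(vtype, ("%s-Attr-%d" % (vendor_name, vtype), "octets"))
        lines.append("%s = %s" % (name, render(payload[pos + 2:pos + vlen], dtype)))
        pos += vlen
    return lines


def decode_attributes(attrs, vendors):
    """Render a list of (type, value) top-level attributes."""
    lines = []
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC:
            lines.extend(decode_vsa(value, vendors))
        elif atype == NAS_IP_ADDRESS:
            lines.append("NAS-IP-Address = " + render(value, "ipaddr"))
        elif atype == ACCT_STATUS_TYPE:
            lines.append("Acct-Status-Type = %d" % struct.unpack("!I", value)[0])
        else:
            lines.append("Attr-%d = %s" % (atype, render(value, "octets")))
    return lines


def accounting_problem(attrs):
    """The check behind 'packet has no accounting status type': RFC 2866 requires
    Acct-Status-Type in every Accounting-Request, and the F5 audit forwarder omits it."""
    if not any(atype == ACCT_STATUS_TYPE for atype, _ in attrs):
        return "packet has no accounting status type"
    return None


# Constructed to mirror the debug output in the thread: NAS-IP-Address 127.1.1.1 and
# one F5 VSA carrying a forwarded audit syslog line, with no Acct-Status-Type at all.
F5_AUDIT_LINE = b"Oct 18 17:18:59 local/lb2b notice mcpd[4820]: 01070417:5: AUDIT - user radtest"
F5_AUDIT_REQUEST = [
    (NAS_IP_ADDRESS, bytes([127, 1, 1, 1])),
    (VENDOR_SPECIFIC, encode_vsa(F5_VENDOR_ID, 14, F5_AUDIT_LINE)),
]

if __name__ == "__main__":
    for label, vendors in (("default dictionary", VENDORS_DEFAULT), ("with F5-Acct", VENDORS_WITH_ACCT)):
        print("--", label)
        for line in decode_attributes(F5_AUDIT_REQUEST, vendors):
            print("\t" + line)
    print("accounting:", accounting_problem(F5_AUDIT_REQUEST) or "ok")
```

Declaring attribute 14 as octets changes nothing because that is already the fallback; only a string (or other typed) declaration changes the rendering. The dictionary fix does not make the packet valid accounting, though: without Acct-Status-Type the request is still rejected, which is why the thread ends up needing a preacct rewrite or a change on the F5 side.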