Re: Accounting copying to specific systems

2009-09-27 Thread Alan DeKok
Joe Maimon wrote:
> And that is what I have done.
>
> git://github.com/jmaimon/freeradius-server.git

  OK.  After a quick look, there are a number of patches which can be
pulled in.  I'll try to do that this week.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting copying to specific systems

2009-09-25 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> Here is what I am doing with rlm_policy
>
>   You had control above.  Why request here?
>
>> These are all the patches I am currently carrying.
>
>   OK... my $0.02 is put them in github.  Fork the stable branch, apply
> your patches, and send me a link to the github repository.  That makes
> it easier for me to see & apply the patches.
>
>   Alan DeKok.

And that is what I have done.

git://github.com/jmaimon/freeradius-server.git


Re: Accounting copying to specific systems

2009-09-24 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> Would that be this freeradius internal attribute?
>>
>> Home-Server-Pool
>
>   It's used to proxy requests to a home server pool, without involving
> realms.
>
>   Alan DeKok.

It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.

Server is built from git-stable-20090923

Also, I haven't been able to figure out how to get unlang to do the job
here. Server won't even start with my attempt.


Expected comparison at: =*
/etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing 
preacct section


Currently I am using the rlm_policy language.

I would appreciate any suggestions, tips and advice.

Thank you for all your help.

Joe


Here is my semi-finished product:

radiusd.conf:
=============

detail detail-copy-noc03-8e6 {
    detailfile = ${radacctdir}/detail-reader/noc03-8e6.log
    detailperm = 0600
    header = %t
}

policy policy-copy-acct-to-noc03-8e6 {
    filename = ${confdir}/policy-copy-acct-to-noc03-8e6.txt
}

proxy.conf:
===========

home_server noc03-8e6 {
    type = acct
    ipaddr = xx.yy.53.10
    secret = test
    src_ipaddr = ${local_address}
    port = 1646
}

home_server_pool pool-noc03-8e6 {
    home_server = noc03-8e6
}

realm noc03-8e6.realms {
    acct_pool = pool-noc03-8e6
}

sites-available/default:
========================

#Add this line to the accounting section
    detail-copy-noc03-8e6

sites-available/copy-acct-to-noc03-8e6:
=======================================

server copy-acct-to-no03-8e6 {
    listen {
        type = detail
        filename = ${radacctdir}/detail-reader/noc03-8e6.log
        load_factor = 10
    }

    preacct {
        # doesn't work, server won't start.
        #   if (request:Class =*  ) {
        #       if (request:Client-Short-Name == noc03rt07) {
        #           update control {
        #               Home-Server-Pool := pool-noc03-8e6
        #           }
        #       }
        #   }

        policy-copy-acct-to-noc03-8e6
        preprocess
    }

    accounting {
        ok
    }

    pre-proxy {
    }

    post-proxy {
    }
}

policy-copy-acct-to-noc03-8e6.txt:
==================================

policy set-acct-home-server {
    if (request:Class =*  ) {
        if (request:Client-Short-Name == noc03rt07) {
            control .= {
                #Home-Server-Pool doesn't seem to do anything even post 2.1.7
                Home-Server-Pool := pool-noc03-8e6
                Proxy-To-Realm   := noc03-8e6.realms
            }
        }
    }
}

policy preacct {
    set-acct-home-server()
}







Re: Accounting copying to specific systems

2009-09-24 Thread Alan DeKok
Joe Maimon wrote:
> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.

  Hmm... what does that mean?  If you put the update section inside of
an if statement that never matches... it won't work.

  The Home-Server-Pool code *should* work in 2.1.7.  I can double-check
it tomorrow.

> Also, I haven't been able to figure out how to get unlang to do the job
> here. Server won't even start with my attempt.
>
> Expected comparison at: =*
> /etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing
> preacct section

  See man unlang.  The '=*' operator isn't supported.

> Currently I am using the rlm_policy language.

  Which isn't unlang.  Those policies need to (a) be in separate
files, and (b) follow the format outlined in raddb/policy.txt

  Alan DeKok.


Re: Accounting copying to specific systems

2009-09-24 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
>
>   Hmm... what does that mean?  If you put the update section inside of
> an if statement that never matches... it won't work.

The if matches just fine and updates with rlm_policy, but I couldn't get
something reasonable in unlang to parse successfully. I would appreciate
some tips.

>   The Home-Server-Pool code *should* work in 2.1.7.  I can double-check
> it tomorrow.

Thanks.

>> Also, I haven't been able to figure out how to get unlang to do the job
>> here. Server won't even start with my attempt.
>>
>> Expected comparison at: =*
>> /etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing
>> preacct section
>
>   See man unlang.  The '=*' operator isn't supported.

So I should try regex =~ .* ?

That didn't work either.

>> Currently I am using the rlm_policy language.
>
>   Which isn't unlang.  Those policies need to (a) be in separate
> files, and (b) follow the format outlined in raddb/policy.txt

They are, they work. My point was that I was hoping to find a way to use
unlang.

However, to use it like I use policy, seems like it might need some patches.

As I am currently carrying patches for rlm_policy, the question is
whether it is worthwhile to switch focus to unlang.

>   Alan DeKok.


Re: Accounting copying to specific systems

2009-09-24 Thread Alan DeKok
Joe Maimon wrote:
> The if matches just fine and updates with rlm_policy, but I couldn't get
> something reasonable in unlang to parse successfully. I would appreciate
> some tips.

  To do...?

> So I should try regex =~ .* ?

  To do... ?

> That didn't work either.

  And... what does the debug output say?

> They are, they work. My point was that I was hoping to find a way to use
> unlang.
>
> However, to use it like I use policy, seems like it might need some
> patches.

  To do... ?

> As I am currently carrying patches for rlm_policy, the question is
> whether it is worthwhile to switch focus to unlang.

  IIRC, most of the patches you had for the policy module went into
source control.  What's left?

  Alan DeKok.


Re: Accounting copying to specific systems

2009-09-24 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
>
>   Hmm... what does that mean?  If you put the update section inside of
> an if statement that never matches... it won't work.
>
>   The Home-Server-Pool code *should* work in 2.1.7.  I can double-check
> it tomorrow.

src/main/acct.c needed a patch to handle PW_HOME_SERVER_POOL similar to
PW_PROXY_TO_REALM

Seems like it is working, but I am still testing. My patch duplicates
the LOCAL functionality, but is that purposeless?

#! /bin/sh /usr/share/dpatch/dpatch-run
## 440-proxy-home-server-pool.dpatch by  j...@debian09
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad freeradius-server~/src/main/acct.c freeradius-server/src/main/acct.c
--- freeradius-server~/src/main/acct.c  2009-09-24 16:38:44.0 -0400
+++ freeradius-server/src/main/acct.c   2009-09-24 16:38:47.0 -0400
@@ -122,6 +122,29 @@
 *  Maybe one of the preacct modules has decided
 *  that a proxy should be used.
 */
+   
+   if ((vp = pairfind(request-config_items, 
PW_HOME_SERVER_POOL))) {
+   home_pool_t *home_pool;
+
+   /*
+*  Check whether Home-Server-Pool is
+*  a LOCAL pool.
+*/
+   home_pool = home_pool_byname(vp-vp_strvalue, 
HOME_TYPE_ACCT);
+   if (home_pool  !home_pool-servers) {
+   DEBUG(rad_accounting: Cancelling proxy to 
home_pool %s, as it is a LOCAL home pool., 
+   home_pool-name);
+   pairdelete(request-config_items, 
PW_HOME_SERVER_POOL);
+   } else {
+   /*
+*  Don't reply to the NAS now because
+*  we have to send the proxied packet
+*  before that.
+*/
+   return result;
+   }
+   }
+
if ((vp = pairfind(request-config_items, PW_PROXY_TO_REALM))) {
REALM *realm;
 
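Review bot: In the new Home-Server-Pool block, the else branch is reached both when the pool has servers and when home_pool_byname() returns NULL for a name that is not configured, so a mistyped pool name falls through to "return result;" with no log line. Handle the NULL case on its own (log the unknown pool name, then delete the attribute or fail the request) before deciding to proxy. The dpatch header also still reads "DP: No description."; one sentence on what the patch changes in rad_accounting would help whoever merges it.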
diff -urNad freeradius-server~/src/main/realms.c 
freeradius-server/src/main/realms.c
--- freeradius-server~/src/main/realms.c2009-09-24 16:38:44.0 
-0400
+++ freeradius-server/src/main/realms.c 2009-09-24 16:39:31.0 -0400
@@ -932,7 +932,8 @@
}
}
 
-   if (num_home_servers == 0) {
+   /* LOCAL pools have no servers */
+   if (num_home_servers == 0  strcmp(name2, LOCAL)) {
cf_log_err(cf_sectiontoitem(cs),
   No home servers defined in pool %s,
   name2);
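Review bot: The relaxed check on num_home_servers uses strcmp(name2, LOCAL) as a bare truth value, while the other two LOCAL tests in this file are written with "== 0"; spell this one "!= 0" so all three read the same way. The comparison is case-sensitive, so a pool named "local" still gets the "No home servers defined" error, which the new comment should say. Since an empty LOCAL pool now passes this point, confirm that the rest of the function (not shown in this hunk) copes with zero servers.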
@@ -1468,6 +1469,11 @@
mypool.name = name;
mypool.server_type = server_type;
 
+   if (strcmp(name, LOCAL) == 0) {
+   cf_log_err(cf_sectiontoitem(cs), \%s\ pool cannot be used 
with realms, name);
+   return 0;
+   }
+
pool = rbtree_finddata(home_pools_byname, mypool);
if (!pool) {
CONF_SECTION *pool_cs;
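Review bot: The literal LOCAL is now compared by name in three places in realms.c (this check, the num_home_servers test and pool_peek_type) with no shared definition; a single constant or small helper would keep them from drifting apart. The early "return 0" after cf_log_err is fine, but the message would be more useful to an administrator if it also named the realm that referenced the pool, where that is known at this point.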
@@ -1728,10 +1734,15 @@
 static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs)
 {
int home;
-   const char *name, *type;
+   const char *name, *name2, *type;
CONF_PAIR *cp;
CONF_SECTION *server_cs;
 
+   name2 = cf_section_name2(cs);
+   if (name2  strcmp(name2, LOCAL) == 0) {
+   /* LOCAL Home server pool has no home_server */
+   return HOME_TYPE_AUTH;
+   }
cp = cf_pair_find(cs, home_server);
if (!cp) {
cf_log_err(cf_sectiontoitem(cs), Pool does not contain a 
\home_server\ entry);
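Review bot: pool_peek_type() now returns HOME_TYPE_AUTH for every LOCAL pool, but the acct.c hunk looks the pool up with home_pool_byname(..., HOME_TYPE_ACCT). If the lookup keys on server type as well as name, as the "mypool.server_type = server_type" context line in the previous hunk suggests, a LOCAL pool is never found from the accounting path and the "Cancelling proxy" branch cannot trigger. Either derive the type from the caller or add a comment explaining why auth is the right answer for a pool with no servers.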

Re: Accounting copying to specific systems

2009-09-24 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> The if matches just fine and updates with rlm_policy, but I couldn't get
>> something reasonable in unlang to parse successfully. I would appreciate
>> some tips.

Here is what I am doing with rlm_policy

if (request:Class =*  ) {
    if (request:Client-Short-Name == noc03rt07) {
        control .= {
            Home-Server-Pool := pool-noc03-8e6
        }
    }
}

Here is how I tried doing it with unlang

if (request:Class =*  ) {
    if (request:Client-Short-Name == noc03rt07) {
        update request {
            Home-Server-Pool := pool-noc03-8e6
        }
    }
}

I also tried this

if (request:Class =~ .* ) {
    if (request:Client-Short-Name == noc03rt07) {
        update request {
            Home-Server-Pool := pool-noc03-8e6
        }
    }
}

>> As I am currently carrying patches for rlm_policy, the question is
>> whether it is worthwhile to switch focus to unlang.
>
>   IIRC, most of the patches you had for the policy module went into
> source control.  What's left?

You got the big one.

These are all the patches I am currently carrying.

020-client-short-name.dpatch
030-substar_regex.patch
080-keep-local-av-proxy.dpatch
130-rlm-policy-fix.dpatch
140-rlm-policy-subops.dpatch
200-cmp-operators-fix.dpatch
230-fix-policy-null-myvp.dpatch
245-policy-xlat.dpatch
310-rlm_exec-nullchecks.dpatch
380-rlm_policy-evaluate-seg
400-rlm_policy-parse-assert
430-rlm_policy-missing-policy-ok
440-proxy-home-server-pool

Some are hacks, most are old and you have probably seen them before.

About the only thing I can say with confidence, is worksforme.

I suppose I should use bugzilla to post them even if the attached
tarball comes through.

>   Alan DeKok.




jm-freeradius-2.1.8-git-20090923.tar.gz
Description: GNU Zip compressed data

Re: Accounting copying to specific systems

2009-09-24 Thread Alan DeKok
Joe Maimon wrote:
> Here is what I am doing with rlm_policy
>
> if (request:Class =*  ) {

  And what does that mean?  I haven't looked at the policy code in years...

>     if (request:Client-Short-Name == noc03rt07) {
>         control .= {
>             Home-Server-Pool := pool-noc03-8e6
>         }
>     }
> }
>
> Here is how I tried doing it with unlang
>
> if (request:Class =*  ) {

  See man unlang the CONDITIONS section for how conditions work.  If
you're just looking to see if Class exists, do:

    if (Class) {

  It's that easy.

>     if (request:Client-Short-Name == noc03rt07) {
>         update request {

  You had control above.  Why request here?

> These are all the patches I am currently carrying.

  OK... my $0.02 is put them in github.  Fork the stable branch, apply
your patches, and send me a link to the github repository.  That makes
it easier for me to see & apply the patches.

  Alan DeKok.
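
The two corrections in the message above (a bare attribute name as the existence test, and the control list rather than request), put together in the detail-reader virtual server. This is an added example, not configuration posted by either participant. The file, pool and realm names are the ones from Joe's configuration elsewhere in the thread; the quoted string values and the use of Proxy-To-Realm (which the thread reports working without the acct.c patch) are assumptions of the example.

```unlang
# sites-available/copy-acct-to-noc03-8e6 (added example)
server copy-acct-to-noc03-8e6 {
    listen {
        type = detail
        filename = ${radacctdir}/detail-reader/noc03-8e6.log
        load_factor = 10
    }

    preacct {
        preprocess

        # Existence test: a bare attribute name is true when the
        # attribute is present in the request. This replaces the
        # rlm_policy "=*" operator, which unlang rejects at parse time.
        if (Class) {
            # Client-Short-Name is the attribute provided by Joe's own
            # patch set (020-client-short-name.dpatch); it is not
            # assumed to exist in an unpatched server.
            if (Client-Short-Name == "noc03rt07") {
                # Proxy decisions are read from the control list,
                # so the update targets control, not request.
                update control {
                    Proxy-To-Realm := "noc03-8e6.realms"
                }
            }
        }
    }

    accounting {
        ok
    }
}
```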


Re: Accounting copying to specific systems

2009-09-24 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> Here is what I am doing with rlm_policy
>>
>> if (request:Class =*  ) {
>
>   And what does that mean?  I haven't looked at the policy code in years...

And it still works nicely.

If Class exists in the request.

>   See man unlang the CONDITIONS section for how conditions work.  If
> you're just looking to see if Class exists, do:
>
>     if (Class) {
>
>   It's that easy.

And it works. Thanks.

>>     if (request:Client-Short-Name == noc03rt07) {
>>         update request {
>
>   You had control above.  Why request here?

Troubleshooting permutations.

>> These are all the patches I am currently carrying.
>
>   OK... my $0.02 is put them in github.  Fork the stable branch, apply
> your patches, and send me a link to the github repository.  That makes
> it easier for me to see & apply the patches.
>
>   Alan DeKok.

Soon as I figure it out.




Re: Accounting copying to specific systems

2009-09-21 Thread Joe Maimon



Alan DeKok wrote:
>   Right now, yes.  In 2.1.7, you probably won't have to.
>
>   You can give the realms any name you want.
>
>   Alan DeKok.

Would that be this freeradius internal attribute?

Home-Server-Pool






Re: Accounting copying to specific systems

2009-09-21 Thread Alan DeKok
Joe Maimon wrote:
> Would that be this freeradius internal attribute?
>
> Home-Server-Pool

  It's used to proxy requests to a home server pool, without involving
realms.

  Alan DeKok.


Re: Accounting copying to specific systems

2009-08-21 Thread Alan DeKok
Joe Maimon wrote:
> So I write all accounting coming into the server duplicated into
> multiple detail files, one per potential destination.

  Yes.

> Then I have a reader which while reading filters only what I want to
> send to the destination.

  Yes.

> I have multiple readers.
>
> I think I get it, I would use acct_users and Reject what I don't want?

  unlang.  It's far easier.

> Wouldn't I need a customized files to use a different acct_users per
> destination?

  Yes.

> Is there any way to do this without buffering all accounting to disk and
> then filtering all accounting multiple times?

  No.

  Alan DeKok.


Re: Accounting copying to specific systems

2009-08-20 Thread Alan DeKok
Joe Maimon wrote:
> Certain systems need copies of accounting data, but I only want to send
> a subset of accounting to the appropriate system. I don't want to change
> the way the server updates the sql accounting and local detail files.

  If you need *multiple* copies, then the detail write/reader is the
way to go.

  I would suggest writing one detail log per destination.  Then, when
the detail file is read, do the filtering *there*.  That ensures that
the filtering for one destination doesn't affect the filtering for
another destination.

  Alan DeKok.


Re: Accounting copying to specific systems

2009-08-20 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> Certain systems need copies of accounting data, but I only want to send
>> a subset of accounting to the appropriate system. I don't want to change
>> the way the server updates the sql accounting and local detail files.
>
>   If you need *multiple* copies, then the detail write/reader is the
> way to go.
>
>   I would suggest writing one detail log per destination.  Then, when
> the detail file is read, do the filtering *there*.  That ensures that
> the filtering for one destination doesn't affect the filtering for
> another destination.

So I write all accounting coming into the server duplicated into
multiple detail files, one per potential destination.

Then I have a reader which while reading filters only what I want to
send to the destination.

I have multiple readers.

I think I get it, I would use acct_users and Reject what I don't want?

Wouldn't I need a customized files to use a different acct_users per
destination?

Is there any way to do this without buffering all accounting to disk and
then filtering all accounting multiple times?

>   Alan DeKok.


Re: Accounting copying to specific systems

2009-08-20 Thread Joe Maimon



Alan DeKok wrote:
> Joe Maimon wrote:
>> Certain systems need copies of accounting data, but I only want to send
>> a subset of accounting to the appropriate system. I don't want to change
>> the way the server updates the sql accounting and local detail files.
>
>   If you need *multiple* copies, then the detail write/reader is the
> way to go.
>
>   I would suggest writing one detail log per destination.  Then, when
> the detail file is read, do the filtering *there*.  That ensures that
> the filtering for one destination doesn't affect the filtering for
> another destination.
>
>   Alan DeKok.

Apparently I don't get it yet. Forgive me for being slow.

So I define multiple home servers as the potential destinations for the
copied accounting in proxy.conf

How do I specify where to send the accounting in the detail-reader?

Either of these?

ATTRIBUTE   Proxy-To-Realm      1048    string
ATTRIBUTE   Replicate-To-Realm  1049    string

I wasn't planning to create a realm, do I need to?

Thank you very much.

Joe


Re: Accounting copying to specific systems

2009-08-20 Thread Alan DeKok
Joe Maimon wrote:
> So I define multiple home servers as the potential destinations for the
> copied accounting in proxy.conf

  Yes.  AND you write to multiple detail files.

> How do I specify where to send the accounting in the detail-reader?
>
> Either of these?
>
> ATTRIBUTE   Proxy-To-Realm      1048    string

  Proxy-To-Realm.

> ATTRIBUTE   Replicate-To-Realm  1049    string

  This doesn't do anything.

> I wasn't planning to create a realm, do I need to?

  Right now, yes.  In 2.1.7, you probably won't have to.

  You can give the realms any name you want.

  Alan DeKok.



Accounting copying to specific systems

2009-08-19 Thread Joe Maimon

Certain systems need copies of accounting data, but I only want to send
a subset of accounting to the appropriate system. I don't want to change
the way the server updates the sql accounting and local detail files.

I want something like this

acct.hints

DEFAULT Client-IP-Address == 1.2.3.4, Hint := FILTER-1
DEFAULT Client-IP-Address == 1.2.3.5, Hint := FILTER-1
DEFAULT Client-IP-Address == 5.6.7.8, Hint := FILTER-2
DEFAULT Client-IP-Address == 5.6.7.9, Hint := FILTER-2

acct.users

DEFAULT Hint == FILTER-1, Copy-To := filter-1-system
DEFAULT Hint == FILTER-2, Copy-To := filter-2-system

Where both filter-1-system and filter-2-system are defined in proxy.conf 
and obviously Copy-To is wishful thinking.


Am I headed in the right direction or is there a better way to do this?

Thanks,

Joe




