Matt Ruzicka wrote:
We're in process of rebuilding a couple web filter boxes on Centos 4.5 running
Squid 2.5.STABLE14 (latest from yum) using squid_radius_auth 1.09 for
authentication with the following config:
auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f
/usr/local/squid/etc/squid_radius_auth.conf
auth_param basic children 30
auth_param basic realm Filtered Web Service
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off
We're seeing an odd issue where radius authentication will start failing
sometime after the machine has been in production for a variable amount of
time. The issue appears to arise only after at least 6 hours, but sometimes as
long as 10 or 11 hours. If the machine is not in production and is only
receiving test authentications the issues does not appear to arise.
The failures show up as a long lag after correct credentials are issued and an
eventual re-request for credentials. When this happens the squid access logs
show denies for web traffic from these IPs passing account names that had
previously authenticated. This lag is the same behavior we see if the radius
server is unreachable, but I can log into the machine and manually run
squid_radius_auth from the command line and authenticate without issue while
the problem is occurring. During these failures we do no see the
authentication requests hitting our Radius servers.
However, if I issue a reconfig the problem goes away for another 6+ hours or so.
I feels like the child processes are wedging somehow, but I'm not sure how or
why.
Additionally the old filter servers are running older versions of CentOS, Squid
and v106 of squid_radius_auth and they are not seeing the issue.
* Has anyone else seen similar behavior?
Yes. See
http://www.squid-cache.org/mail-archive/squid-users/200605/0494.html
Granted, this issue was appearing with Squid-2.5-Stable13 and
squid_radius_auth 1.08.
As stated, updating to Squid 2.6 is recommended. You can compile the
Fedora SRPM, or the CentOS5 SRPM (which is based on Squid-2.6Stable6) or
grab the source, use squid -V on your current install and use that as a
guide for compiling. The CentOSPlus repository doesn't seem to have an
updated RPM for Squid.
* Is there any additional logging or debugging I can run to hopefully see what
is happening?
From http://www.squid-cache.org/mail-archive/squid-users/200501/0554.html:
debug_options ALL,1 29,9 84,9
then see cache.log for details on the auth progress.
Be warned that your logs will contain usernames+passwords in plain text
when doing this.
For now we have put in place an hourly cron to issue the reconfig, but this is
a pretty cludgy work around.
Thank you in advance.
Matt Ruzicka
Sr. Systems Engineer
[EMAIL PROTECTED]
www.cisp.com
www.yocolo.com
419.724.5300 : tel
419.867.6913 : fax
Chris
