Thanks everyone for the advice. I'm working on installing and testing 2.6 STABLE16. I'll see where we're at then, but I suspect things will be looking better.
Thanks. Matt Ruzicka Sr. Systems Engineer [EMAIL PROTECTED] www.cisp.com www.yocolo.com 419.724.5345 : tel 419.867.6913 : fax -----Original Message----- From: Chris Robertson [mailto:[EMAIL PROTECTED] Sent: Thursday, November 01, 2007 3:46 PM To: [email protected] Subject: Re: [squid-users] squid_radius_auth Matt Ruzicka wrote: > We're in process of rebuilding a couple web filter boxes on Centos 4.5 > running Squid 2.5.STABLE14 (latest from yum) using squid_radius_auth 1.09 for > authentication with the following config: > > auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f > /usr/local/squid/etc/squid_radius_auth.conf > auth_param basic children 30 > auth_param basic realm Filtered Web Service > auth_param basic credentialsttl 4 hours > auth_param basic casesensitive off > > We're seeing an odd issue where radius authentication will start failing > sometime after the machine has been in production for a variable amount of > time. The issue appears to arise only after at least 6 hours, but sometimes > as long as 10 or 11 hours. If the machine is not in production and is only > receiving test authentications the issues does not appear to arise. > > The failures show up as a long lag after correct credentials are issued and > an eventual re-request for credentials. When this happens the squid access > logs show denies for web traffic from these IPs passing account names that > had previously authenticated. This lag is the same behavior we see if the > radius server is unreachable, but I can log into the machine and manually run > squid_radius_auth from the command line and authenticate without issue while > the problem is occurring. During these failures we do no see the > authentication requests hitting our Radius servers. > > However, if I issue a reconfig the problem goes away for another 6+ hours or > so. > > I feels like the child processes are wedging somehow, but I'm not sure how or > why. > > Additionally the old filter servers are running older versions of CentOS, > Squid and v106 of squid_radius_auth and they are not seeing the issue. > > * Has anyone else seen similar behavior? > Yes. See http://www.squid-cache.org/mail-archive/squid-users/200605/0494.html Granted, this issue was appearing with Squid-2.5-Stable13 and squid_radius_auth 1.08. As stated, updating to Squid 2.6 is recommended. You can compile the Fedora SRPM, or the CentOS5 SRPM (which is based on Squid-2.6Stable6) or grab the source, use squid -V on your current install and use that as a guide for compiling. The CentOSPlus repository doesn't seem to have an updated RPM for Squid. > * Is there any additional logging or debugging I can run to hopefully see > what is happening? > >From http://www.squid-cache.org/mail-archive/squid-users/200501/0554.html: debug_options ALL,1 29,9 84,9 then see cache.log for details on the auth progress. Be warned that your logs will contain usernames+passwords in plain text when doing this. > For now we have put in place an hourly cron to issue the reconfig, but this > is a pretty cludgy work around. > > Thank you in advance. > > Matt Ruzicka > Sr. Systems Engineer > [EMAIL PROTECTED] > www.cisp.com > www.yocolo.com > > 419.724.5300 : tel > 419.867.6913 : fax > Chris
