Re: Status-Server and 3Com Total Control problems

"Miquel van Smoorenburg" <[EMAIL PROTECTED]> wrote:
> Some clients use periodic status-server pinging to see if the
> server is up.

http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives

They're bad.

> That is useful with a server that has both local users and functions
> as a proxy. If the server doesn't keep much local proxy state
> (like CistronRad) it might never reply to the client for requests
> that are proxied if the remote server is down.
>
> In that case, the client might start to think the server is down.

FreeRADIUS keeps a bit more state, because it's easier to have
shared memory with threaded processes, than with forked ones. So if
FreeRADIUS doesn't hear from the remote server within a configurable
timeout, it complains, and sends a Reject to the NAS.

> You could show some statistics, I guess. Perhaps only if you send the
> right username/password. Sort of a poor man's snmp.

Isn't that what SNMP is for? :)

> Anyway, it's only a few lines, very trivial. And Cistron does it ;)
> For the exact reason outlined above, btw

Stolen shamelessly, with edits.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Status-Server and 3Com Total Control problems

In article <[EMAIL PROTECTED]>, Alan DeKok <[EMAIL PROTECTED]> wrote:
> FreeRADIUS doesn't do Status-Server messages. I've never seen a
> good reason for them.

Some clients use periodic status-server pinging to see if the
server is up.

That is useful with a server that has both local users and functions
as a proxy. If the server doesn't keep much local proxy state
(like CistronRad) it might never reply to the client for requests
that are proxied if the remote server is down.

In that case, the client might start to think the server is down.

> I'm not *opposed* to adding Status-Server support to FreeRADIUS, but
> I am opposed to adding functionality unless there's a real need for it.

You could show some statistics, I guess. Perhaps only if you send the
right username/password. Sort of a poor man's snmp.

Anyway, it's only a few lines, very trivial. And Cistron does it ;)
For the exact reason outlined above, btw

# echo 'User-Name="foo"' | radclient radius 12 secret
Sending request to server radius, port 1645.
radrecv: Packet from host 62.216.13.67 code=2, id=13, length=55
        Reply-Message = "Cistron Radius up 128 days, 07:14"

Mike.

Re: Status-Server and 3Com Total Control problems

Thanks for the reply Alan.

> I'm not *opposed* to adding Status-Server support to FreeRADIUS, but
> I am opposed to adding functionality unless there's a real need for it.
>

Is there a straightforward way that I can add Status-Server support
into FreeRadius 0.7.1 to see if it will correct the problems we're
having? Sorry, but I'm not much of a programmer, more of a perl
scripter :-)

Thanks,

--Josh Snyder
NetNITCO Systems Administration

Re: Status-Server and 3Com Total Control problems

NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> We converted our radius servers from merit/ldap to freeradius/mysql.

That's a good first step. I have nothing good to say about Merit.

> We had setup a test environment and everything worked fine in all of
> the tests and under much load. However, after several hours of
> perfect operation, all of our freeradius servers now receive the
> following from our Access Router Cards:
>
> rad_recv: Status-Server packet from host 216.176.146.2:1645, id=252,
> length=20 Ignoring request from client 216.176.146.2:1645 with
> unknown code 12

FreeRADIUS doesn't do Status-Server messages. I've never seen a
good reason for them.

If the 3Com boxes stop authenticating users because FreeRADIUS
doesn't support Status-Server, then the 3com boxes are *horribly*
broken. I've never heard of this before, so it might be a local
config issue.

I'm not *opposed* to adding Status-Server support to FreeRADIUS, but
I am opposed to adding functionality unless there's a real need for it.

> The problem is that now the newly upgraded authentication servers
> are unable to authenticate any user from any of our Total Control
> chassis and for some reason, the original Merit/LDAP servers now
> receive the following in their logs:

If Merit is broken, I can't help you there.

Alan DeKok.

Status-Server and 3Com Total Control problems

We converted our radius servers from merit/ldap to freeradius/mysql.
We had setup a test environment and everything worked fine in all of
the tests and under much load. However, after several hours of
perfect operation, all of our freeradius servers now receive the
following from our Access Router Cards:

rad_recv: Status-Server packet from host 216.176.146.2:1645, id=252, length=20
Ignoring request from client 216.176.146.2:1645 with unknown code 12

Which then the accounting data shows UserName "unauthenticated"
attempting to authenticate which I believe is some sort of generic
3Com response or something.

The problem is that now the newly upgraded authentication servers are
unable to authenticate any user from any of our Total Control chassis
and for some reason, the original Merit/LDAP servers now receive the
following in their logs:

Thu Oct 17 10:00:30 2002: get_radrequest: NO a/v pairs from 216.176.146.2 [1645] - status-server (type 12), len = 20
Thu Oct 17 10:00:30 2002: Hex dump at 0x0x8080f88/0 for 20 bytes
Thu Oct 17 10:00:30 2002: 0x0x8080f88: 0x| 0CFF0014 82E9D126 7859B64D E524E348| |...&xY.M.$.H|
Thu Oct 17 10:00:30 2002: 0x0x8080f98: 0x0010| C3E52E07 | ||
Thu Oct 17 10:00:30 2002: child_end: DNS update finished

This appears to be the same problem, but just a different error
message structure. Now, nobody can authenticate from the Merit/LDAP
servers either.

I looked at the list archive but I didn't really find anything that I
thought offered a direct resolution to my problem. Any assistance
would be greatly appreciated!

Thanks,

--Josh Snyder
NetNITCO Systems Administration
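
Added example, not part of the original post and not code from FreeRADIUS, Merit or Cistron: a small decoder for the 20 bytes in the Merit hex dump above, showing why the server logged "NO a/v pairs" for this Status-Server packet. The names parse_radius and is_bare_status_server are hypothetical, and SAMPLE_REQUEST is a constructed packet used only to exercise the attribute walk.

```python
import struct

# Code 12 is the Status-Server type both servers logged; 1 and 2 are from RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept", 12: "Status-Server"}

# The 20 bytes from the Merit hex dump in the post above.
DUMP_HEX = "0CFF0014 82E9D126 7859B64D E524E348 C3E52E07"

# Constructed sample (not from the thread): Access-Request, id 13, User-Name "foo".
SAMPLE_REQUEST = bytes([1, 13, 0, 25]) + bytes(16) + bytes([1, 5]) + b"foo"


def parse_radius(data: bytes) -> dict:
    """Decode the 20-byte RADIUS header and walk the attribute list."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= min(len(data), 4096):
        raise ValueError(f"length field {length} invalid for {len(data)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": data[4:20].hex(),
            "attributes": attrs}


def is_bare_status_server(pkt: dict) -> bool:
    """True for a code-12 packet that carries no attributes at all."""
    return pkt["code"] == 12 and not pkt["attributes"]


if __name__ == "__main__":
    for raw in (bytes.fromhex(DUMP_HEX), SAMPLE_REQUEST):
        pkt = parse_radius(raw)
        print(pkt["name"], "id", pkt["id"], "len", pkt["length"],
              "attrs", pkt["attributes"], "bare ping:", is_bare_status_server(pkt))
```

The dumped packet decodes to code 12, id 255, length 20: the header and 16-byte authenticator field fill the whole packet, so the attribute list is empty.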