Proxy to multiple servers in FR 2.1.7

2009-11-12 Thread Patric

Hi again all :)

I am attempting to proxy all accounting packets to 2 servers.
In my proxy.conf I am using a default realm.

realm DEFAULT {
   acct_pool   = my_acct_failover
   nostrip
}

I create a home_server entry for each server, and add them to the 
home_server_pool for that realm:


home_server copy-acct-to-home-server {
}

home_server copy-acct-to-home-server2 {
}

home_server_pool my_acct_failover {
   home_server = copy-acct-to-home-server
   home_server = copy-acct-to-home-server2
}

If I have site-enable/copy-acct-to-home-server it then appears to work 
in a fail-over method, where it will send to the first server until it 
is not reachable, then it sends to the second server.


Is there a way I can configure this to send to both at once? Do I need a 
second site-enable/copy-acct-to-home-server1 file that reads from a 
different detail file?


I am using the default realm so I don't know how to set up a second 
home_server_pool either...


Any help is much appreciated, I'm going in circles :)
Many thanks
Patric
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy to multiple servers in FR 2.1.7

2009-11-12 Thread Craig Campbell
Re:  "Do I need a second site-enable/copy-acct-to-home-server1 file that 
reads from a different detail file?"


As far as I can tell (and have done) - Yes, you do.

Cheers,
-craig



Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Patric
 ip_address_of_server_A port 1813 
   User-Name = "u...@realm"
rad_recv: Accounting-Response packet from host ip_address_of_server_A port 1813, id=121, length=32

   Proxy-State = 0x313438
   Proxy-State = 0x3137383533


Ok so sending to server A worked correctly. Now:


Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file /var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming /var/log/radius/radacct/detail-combined2 -> /var/log/radius/radacct/detail-combined2.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined2.work
   User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-B {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for User-Name = "u...@realm"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting request to realm "DEFAULT"
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-B
Fri Nov 13 09:19:59 2009 : Info:   WARNING: Empty section.  Using default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813



You can see from the line above that it is sending this request to 
server A as well. This is where I'm getting stuck :(


Any pointers, suggestions, examples appreciated as always.

Thanks again,
Patric













Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Alan DeKok
Patric wrote:
> Thanks for your response. I have tried to implement this but I'm going
> wrong somewhere. Below I will show my configuration, then the debug that
> shows what the server is doing.
...
> sites-enabled/copy-acct-to-home-server:
> ---
> 
> server copy-acct-to-home-server {

  OK, that's fine.

> So now there is already a home_server_pool assigned to the default
> realm, but I continue and create a home_server entry for server B
...
> sites-enabled/copy-acct-to-server-B:
> ---
> 
> server copy-acct-to-home-server {

  Uh... you have TWO virtual servers with the same name.  This isn't
allowed.  And this config isn't the same as what's shown in the debug log.

  Can you explain why you're posting WRONG configurations?  It's not
like we can't notice.

> Now I fire up radiusd in debug mode and send a test packet to the server
> to see what it does. As the debug shows, it gets the packet, writes it
> to the detail-combined2. Then the listener copy-acct-to-server-B picks
> up the detail-combined2 and processes it, but instead of sending to
> server B it's sending to server A

  Because the config you posted isn't the config you're running.

> detail_recv: Read packet from /var/log/radius/radacct/detail-combined.work
>    User-Name = "u...@realm"
> Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-A {
> Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
> Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for
> User-Name = "u...@realm"

  Where did this come from?  There's no "preacct" section in the config
you posted, and there's no "suffix" module, either.

...
> You can see from the line above that it is sending this request to
> server A as well. This is where I'm getting stuck :(

  Because that's what you told it to do.  Your config is telling it to
proxy BOTH requests to the "DEFAULT" realm.  And it does so.  The debug
log clearly shows this.

  If you want the requests to be proxied to a DIFFERENT location, you
will need to set the "Proxy-To-Realm" attribute manually.   i.e.

server a {
  preacct {
    update control {
      Proxy-To-Realm := "realm for home server A"
    }
  }
}

  And do the same thing for B.  And configure two realms, too.

  Alan Dekok.


Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Patric

Hi Alan,

Thanks for responding,


>> So now there is already a home_server_pool assigned to the default
>> realm, but I continue and create a home_server entry for server B
> ...
>> sites-enabled/copy-acct-to-server-B:
>> ---
>>
>> server copy-acct-to-home-server {
>
>   Uh... you have TWO virtual servers with the same name.  This isn't
> allowed.  And this config isn't the same as what's shown in the debug log.
>
>   Can you explain why you're posting WRONG configurations?  It's not
> like we can't notice.

  
Sorry, I didn't clarify properly - I _repeated_ my original 
configuration, this time including the changes I had made.


So right now my entire proxy.conf looks as follows:

proxy server {
   default_fallback = no
}

home_server copy-acct-to-server-A {
   type = acct
   ipaddr = server_A
   port = 1813
   secret = secret
}

home_server copy-acct-to-server-B {
   type = acct
   ipaddr = server_B
   port = 1813
   secret = secret
}

home_server_pool my_acct_failover {
   home_server = copy-acct-to-server-A
}

realm DEFAULT {
   acct_pool   = my_acct_failover
   nostrip
}




>> detail_recv: Read packet from /var/log/radius/radacct/detail-combined.work
>>    User-Name = "u...@realm"
>> Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-A {
>> Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
>> Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm "realm" for
>> User-Name = "u...@realm"
>
>   Where did this come from?  There's no "preacct" section in the config
> you posted, and there's no "suffix" module, either.
  
I had attempted to only include relevant sections of my configuration in 
an attempt to keep it short and readable, but perhaps this has confused 
the issue more than helped, my apologies.




>> You can see from the line above that it is sending this request to
>> server A as well. This is where I'm getting stuck :(
>
>   Because that's what you told it to do.  Your config is telling it to
> proxy BOTH requests to the "DEFAULT" realm.  And it does so.  The debug
> log clearly shows this.
>
>   If you want the requests to be proxied to a DIFFERENT location, you
> will need to set the "Proxy-To-Realm" attribute manually.   i.e.
>
> server a {
>   preacct {
>     update control {
>       Proxy-To-Realm := "realm for home server A"
>     }
>   }
> }
>
>   And do the same thing for B.  And configure two realms, too.
  
YES! This is where I'm getting lost :) Maybe I am misunderstanding the 
word "realm".
All my requests are for a single realm, eg user@"patric.com". This was 
the reason I used the "DEFAULT" realm... It occurs to me now that 
perhaps in the config file the word "realm" does not refer to my domain, 
but instead are names I give to servers A and B? Or am I completely off 
track?


Ok, so is it possible for me to create a realm for server A and another 
realm for server B, but both are processing "u...@patric.com" ? If so 
please could you point me to some docs that might help me understand 
how, clearly I'm missing or not understanding something *bangs head on wall*


Thanks for your patience and time!
Patric


Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Patric

Hi again,

Alan DeKok wrote:

>> sites-enabled/copy-acct-to-server-B:
>> ---
>>
>> server copy-acct-to-home-server {
>
>   Uh... you have TWO virtual servers with the same name.  This isn't
> allowed.  And this config isn't the same as what's shown in the debug log.
>
>   Can you explain why you're posting WRONG configurations?  It's not
> like we can't notice.

I saw which part you were referring to after I replied. This was an 
error in copying and pasting, my apologies. Amazing how one mis-paste 
can change the entire thing :)


Current configuration, just for clarity on my previous reply:

proxy.conf:
---

proxy server {
  default_fallback = no
}

home_server copy-acct-to-server-A {
  type = acct
  ipaddr = server_A
  port = 1813
  secret = secret
}

home_server copy-acct-to-server-B {
  type = acct
  ipaddr = server_B
  port = 1813
  secret = secret
}

home_server_pool my_acct_failover {
  home_server = copy-acct-to-server-A
}

realm DEFAULT {
  acct_pool   = my_acct_failover
  nostrip
}


sites-enabled/copy-acct-to-server-A:
---

server copy-acct-to-server-A {
   listen {
      type = detail
      filename = ${radacctdir}/detail-combined
      load_factor = 10
      retry_interval = 10
   }
   preacct {
      suffix
   }
   accounting {
      ok
   }
}


sites-enabled/copy-acct-to-server-B:


server copy-acct-to-server-B {
   listen {
      type = detail
      filename = ${radacctdir}/detail-combined2
      load_factor = 10
      retry_interval = 10
   }
   preacct {
      suffix
   }
   accounting {
      ok
   }
}


So yes, I realise that because I am using realm DEFAULT everything is 
matching to server A.

The accounting packet that is coming in will be for "u...@patric.com".
Then my question is how do I define realms for server A and server B so 
they both process that packet?


Hope that clarifies a bit.

Thanks
Patric


Re: Proxy to multiple servers in FR 2.1.7 [Solved]

2009-11-13 Thread Patric

Hi once again Alan,

I must apologize for my previous grasping at straws, it was not from 
lack of trying, just lack of knowledge...


I have managed to figure it out thanks to your last comment

Alan DeKok wrote:


> If you want the requests to be proxied to a DIFFERENT location, you
> will need to set the "Proxy-To-Realm" attribute manually.   i.e.
>
> server a {
>   preacct {
>     update control {
>       Proxy-To-Realm := "realm for home server A"
>     }
>   }
> }
>
>   And do the same thing for B.  And configure two realms, too.


Since you are TELLING it what realm to use you can call your realm what 
you like and you don't need to rely on your domain suffix...
Thanks to all the required fiddling I have a much better understanding 
of the configuration files.


If anyone is stuck with this just drop me a mail, I'll be happy to help :)

Thanks again for your time and assistance Alan & Craig, appreciated as 
always,

Patric
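
A complete version of the setup Alan describes (two realms, each virtual server forcing its own Proxy-To-Realm), as an added example that is not part of the thread and is not Patric's final configuration. The pool and realm names are assumptions; the home_server entries and detail filenames are the ones posted above, and the main server is assumed to already write each accounting packet to both detail files.

```conf
# proxy.conf additions. Added example; pool and realm names are assumptions.
home_server_pool acct_pool_A {
    home_server = copy-acct-to-server-A
}
home_server_pool acct_pool_B {
    home_server = copy-acct-to-server-B
}
realm acct_realm_A {
    acct_pool = acct_pool_A
    nostrip
}
realm acct_realm_B {
    acct_pool = acct_pool_B
    nostrip
}
# sites-enabled/copy-acct-to-server-A: no "suffix" call, the realm is named directly
server copy-acct-to-server-A {
    listen {
        type = detail
        filename = ${radacctdir}/detail-combined
        load_factor = 10
        retry_interval = 10
    }
    preacct {
        update control {
            Proxy-To-Realm := "acct_realm_A"
        }
    }
    accounting {
        ok
    }
}
# sites-enabled/copy-acct-to-server-B: second detail file, second realm
server copy-acct-to-server-B {
    listen {
        type = detail
        filename = ${radacctdir}/detail-combined2
        load_factor = 10
        retry_interval = 10
    }
    preacct {
        update control {
            Proxy-To-Realm := "acct_realm_B"
        }
    }
    accounting {
        ok
    }
}
```

Because neither virtual server calls "suffix", the User-Name suffix and the DEFAULT realm no longer decide where these copies go; running radiusd in debug mode should then show each detail reader sending to its own home server.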