Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Hi again all :)

I have a primary and secondary server, each of which receives accounting
requests from multiple NAS servers.

Both my servers proxy these requests to each other to stay in sync.

I would like to set up a virtual server on my secondary to handle the
incoming proxy requests from the primary.

My secondary is running FreeRADIUS 2.1.3

I have read the sites-available/README documentation and have a few 
questions.


First I include my current configuration for your consideration.

radiusd.conf


listen {
   ipaddr = *
   port   = 0    # Use /etc/services for ports
   type   = auth
}

listen {
   ipaddr = *
   port   = 0    # Use /etc/services for ports
   type   = acct
}

proxy_requests  = yes
$INCLUDE proxy.conf
...


clients.conf

Nothing


proxy.conf

home_server copy-acct-to-home-server {
   type = acct
   ipaddr = primary_server_ip
   port = 1813
   secret = shared_key
   response_window = 20
   zombie_period = 40
   revive_interval = 120
}

home_server_pool my_acct_failover {
   home_server = copy-acct-to-home-server
}

realm DEFAULT {
   acct_pool = my_acct_failover
   nostrip
}


Currently my clients reside in the nas table in my database.


With the above config I have listen sections for auth and acct.
Do I understand the documentation correctly if I add this to the above 
existing config:



client primary_server {
   ipaddr                        = primary_server_ip
   secret                        = shared_secret
   require_message_authenticator = no
   nastype                       = other
   virtual_server                = requests_from_primary
}


server requests_from_primary {
   listen {
      ipaddr = *
      port   = 0
      type   = acct
   }

   proxy_requests = no   # Can this be done here? If not how would I
                         # disable proxying for this virtual server?
                         # Do I just exclude my detail-radrelay in the
                         # accounting section?

   # Since this is just processing accounting requests do I still need
   # to define the authorize, authenticate & other sections?

   preacct {
      preprocess
      acct_unique
   }

   accounting {
      detail
      sql
      # detail-radrelay - Exclude this so that these requests are not
      # proxied?
   }
}


I *think* I'm on the right track but would appreciate any pointers :)

Many thanks
Patric
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Ivan Kalik
> With the above config I have listen sections for auth and acct.
> Do I understand the documentation correctly if I add this to the above
> existing config:
>
>
> client primary_server {
> ipaddr= primary_server_ip
> secret= shared_secret
> require_message_authenticator = no
> nastype   = other
> virtual_server= requests_from_primary
> }
>

OK.

>
> server requests_from_primary {
> listen {
> ipaddr = *
> port   = 0
> type   = acct
> }
>
> proxy_requests = no   # Can this be done here?

No.

>   # Do I just exclude my detail-radrelay in the
> accounting section?

Yes.

> # Since this is just processing accounting requests do I still need
> to define the authorize, authenticate & other sections?

No. It will just be getting accounting requests.

Ivan Kalik
Kalik Informatika ISP



Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Alan DeKok
Patric wrote:
> server requests_from_primary {
>    listen {
>       ipaddr = *
>       port   = 0
>       type   = acct
>    }

  Delete that listen section.  It conflicts with the global one.

  The global one will accept packets on the accounting port, IP *, and
will look up the client.  If the client is the primary, it will run the
"requests_from_primary" virtual server.

  You do NOT need to put another "listen" section in the virtual server.


>    proxy_requests = no   # Can this be done here? If not how would I
> disable proxying for this virtual server?

  You don't "disable" proxying.  You just configure it so that it
doesn't proxy.

>    # Do I just exclude my detail-radrelay in the
> accounting section?

  Yes.

>    # Since this is just processing accounting requests do I still need
> to define the authorize, authenticate & other sections?

  No.

  Alan DeKok.




Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Ivan Kalik wrote:
>> With the above config I have listen sections for auth and acct.
>> Do I understand the documentation correctly if I add this to the above
>> existing config:
>>
>> client primary_server {
>>    ipaddr                        = primary_server_ip
>>    secret                        = shared_secret
>>    require_message_authenticator = no
>>    nastype                       = other
>>    virtual_server                = requests_from_primary
>> }
>
> OK.

Thanks for your response Ivan & Alan, I'm finally starting to understand
how they fit together :)


I started implementing this but ran into a snag, and I'm not sure which is the
correct way to get around it.


As I mentioned all my clients reside in the nas table of my database, 
and my sql.conf has readclients = yes to load them from there.


When I attempt to define the above client so that I can set the 
virtual_server parameter, I get the following error (obviously...)


rlm_sql (sql): Adding client primary_server_ip (Primary, server=) to clients list
Failed to add duplicate client Primary
rlm_sql (sql): Failed to add client primary_server_ip (Primary) to clients list.  Maybe there's a duplicate?
Failed to load clients from SQL.

To resolve this should I now remove the primary server from my nas table 
as I am defining it in the clients.conf ? Or is there a way to leave it 
in the nas table and assign a virtual_server directive to it?


Thanks for the time and patience
Patric


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Alan DeKok wrote:
> Patric wrote:
>> server requests_from_primary {
>>    listen {
>>       ipaddr = *
>>       port   = 0
>>       type   = acct
>>    }
>
>   Delete that listen section.  It conflicts with the global one.
>
>   The global one will accept packets on the accounting port, IP *, and
> will look up the client.  If the client is the primary, it will run the
> "requests_from_primary" virtual server.

I see I see, so I would only add a listen section if I were listening on
a different interface or port?

>>    proxy_requests = no   # Can this be done here? If not how would I
>> disable proxying for this virtual server?
>
>   You don't "disable" proxying.  You just configure it so that it
> doesn't proxy.

I think I get the proxying now :) proxy_requests = yes just makes the
server process the detail-combined log right?
So by not writing to the detail-combined you are effectively disabling
proxying to a specified client.


Thanks guys!


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Ivan Kalik
> To resolve this should I now remove the primary server from my nas table
> as I am defining it in the clients.conf ?

Yes, pick one.

> Or is there a way to leave it
> in the nas table and assign a virtual_server directive to it?

Yes. In 2.1.7 schema supports virtual servers but that line is commented
out in nas.sql by default. You can add (and use) the server column.

Ivan Kalik
Kalik Informatika ISP



Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Ivan Kalik wrote:
>> To resolve this should I now remove the primary server from my nas table
>> as I am defining it in the clients.conf ?
>
> Yes, pick one.
>
>> Or is there a way to leave it
>> in the nas table and assign a virtual_server directive to it?
>
> Yes. In 2.1.7 schema supports virtual servers but that line is commented
> out in nas.sql by default. You can add (and use) the server column.


Thanks so much for your help Ivan & Alan, I believe I have it running 
correctly now :D
According to the debug info when I get an accounting request from my 
primary it adds it to the detail file, runs the sql update and returns a 
response - 100% what I was trying to achieve!


Have a great weekend!
Patric


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-26 Thread Alan DeKok
Patric wrote:
> I see I see, so I would only add a listen section if I were listening on
> a different interface or port?

  Yes.

> I think I get the proxying now :) proxy_requests = yes just makes the
> server process the detail-combined log right?

  No.  The listen section that references it tells the server to process
it.  The detail module that references it tells the server to write the
data which will be processed later by the listen section.

> So by not writing to the detail-combined you are effectively disabling
> proxying to a specified client.

  No.  By not setting Proxy-To-Realm in the virtual server, you are
telling it to not proxy the requests.

  Alan DeKok.


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-27 Thread Patric

Alan DeKok wrote:
> Patric wrote:
>> I see I see, so I would only add a listen section if I were listening on
>> a different interface or port?
>
>   Yes.
>
>> I think I get the proxying now :) proxy_requests = yes just makes the
>> server process the detail-combined log right?
>
>   No.  The listen section that references it tells the server to process
> it.  The detail module that references it tells the server to write the
> data which will be processed later by the listen section.
>
>> So by not writing to the detail-combined you are effectively disabling
>> proxying to a specified client.
>
>   No.  By not setting Proxy-To-Realm in the virtual server, you are
> telling it to not proxy the requests.

Ah ok, thanks for the clarification :)
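
The configuration the replies in this thread converge on, consolidated as an added example; it was not posted by any participant. primary_server_ip and shared_secret are the thread's own placeholders, the file name for the virtual server is an assumption, and the client is shown in clients.conf, which is one of the two options Ivan describes.

```conf
# clients.conf on the secondary.
# Define the primary here OR in the SQL nas table, not both: with
# readclients = yes a second definition fails as a duplicate client.
client primary_server {
    ipaddr                        = primary_server_ip   # placeholder from the thread
    secret                        = shared_secret       # placeholder from the thread
    require_message_authenticator = no
    nastype                       = other
    virtual_server                = requests_from_primary
}

# sites-enabled/requests_from_primary  (file name is an assumption)
# No listen section: the global "type = acct" listener in radiusd.conf
# receives the packet, looks up the client, and runs this virtual server.
# Only preacct and accounting are defined because the primary sends
# nothing but accounting requests.
server requests_from_primary {
    preacct {
        preprocess
        acct_unique
        # Nothing listed here sets Proxy-To-Realm, so the request is
        # handled locally and not proxied.
    }

    accounting {
        detail
        sql
        # detail-radrelay is left out, so records received from the
        # primary are not written to the file that gets relayed back.
    }
}
```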