Re: no logging => reject?
Arran Cudbard-Bell wrote:
> What's slightly worrying about using rlm_sql is if for any reason a table
> is locked, the SQL request will block until the table is unlocked. In
> blocking it appears to block the entire FR server !
> Everything just stops until the table is unlocked, and the request is
> satisfied !

  That appears to be the SQL library, and interaction with threads. It may suspend the entire process when a thread blocks... which isn't nice.

  The only way to fix this is to run the RADIUS server and SQL queries in separate processes... which is complicated.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: no logging => reject?
Norbert Wegener wrote:
> I am using a recent pre-2, authentication via a mysql database.
> In post-auth I have a sql module, that reports accept/reject to
> another mysql database.
> When this database is not available, the user is rejected, although I
> get Auth-Type = Accept before.
> Is this a desired behaviour, bug or feature?

  It's desired. The server failed to do something during authentication, so the authentication fails.

  If you want to over-ride the failure, see "man unlang", which explains how to change the return codes. e.g.

	...
	sql_postauth {
		fail = ok
	}
	...

  Alan DeKok.
Re: no logging => reject?
Arran Cudbard-Bell wrote:
> Norbert Wegener wrote:
>> I am using a recent pre-2, authentication via a mysql database.
>> In post-auth I have a sql module, that reports accept/reject to
>> another mysql database.
>> When this database is not available, the user is rejected, although I
>> get Auth-Type = Accept before.
>> Is this a desired behaviour, bug or feature?

Generally, failure of a module will result in failure of the request. See doc/configurable_failover for info how to control this.

I would strongly recommend in your post-auth section doing what we did:

post-auth {
	redundant {
		sql
		detail
	}
}

...that way, if sql actually fails, you just dump to a file. You can monitor the file any number of ways to see how frequently (or not) this happens.

However as Arran points out, if the module *blocks* rather than fails, you may suffer a potentially arbitrarily long wait. If your SQL server is routinely blocking then it is too slow and you need to fix that, however if you want complete insurance against e.g. unforeseeable faults, I would use rlm_sql_log.

I was originally somewhat sceptical of it, however we recently moved a ~1M auths/day server from doing direct SQL writes to using sql_log in order to be tolerant of SQL server drops, and I'm much (much!) happier as a result.
What we actually do is this:

 * a single central SQL server; two databases:
   * radcheck - contains the SQL radcheck/reply & group tables
   * radacct - contains the radacct & radpostauth tables[1]
 * 2 radius servers, each with a local read-only SQL replica of the radcheck database; the radius processes are configured to read (do lookups against) their local SQL, and write to the sql_log file
 * copies of radsqlrelay pushing the accounting data to the central server

The time lag during normal loads is:

 * central radcheck -> server radchecks: 0-10 seconds (postgres & slony)
 * server sql-relay -> central radacct: 0-10 seconds (radsqlrelay)

During extended outages (such as the arranged maintenance in our datacentre this weekend) the radius servers continue to chug away and log to relay files, then replication & radsqlrelay spring back to life and catch up later.

[1] One minor note - as per my recent post, the sql_log module cannot do the "try update / except insert" technique that the sql module uses, so I modified things slightly; I write the sql_log updates to a *2nd* table, and use a TRIGGER on INSERT to update/insert the main radacct table. It works very well.

As Alan pointed out in reply to my post, you could also run plain old radrelay and an accounting-only radius server on the central database server, however for various boring reasons I won't go into, that wasn't an option for us.

HTH
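The footnote above describes the staging-table-plus-trigger trick in words only. Below is an added example of it, not the poster's code and not part of FreeRADIUS: a relayed SQL file can only issue blind INSERTs (it never sees "rows affected"), so the INSERT goes to a staging table and a trigger performs the "try UPDATE, else INSERT" that rlm_sql normally does inside the server. It uses SQLite from the Python standard library so it runs offline; the poster's setup was PostgreSQL, where the same trigger would be a PL/pgSQL function. The table and column names (radacct_stage, acctsessionid, eventtime, and so on), the Stop-before-Start ordering case, and the sample records are assumptions and constructed data, loosely modelled on the radacct schema rather than copied from it.

```python
"""Staging table + trigger emulating rlm_sql's "try UPDATE, else INSERT"
accounting write for rows replayed from an sql_log file by radsqlrelay.

Added example, not code from the list post or from FreeRADIUS. SQLite is used
so it runs offline; the original deployment was PostgreSQL. Table/column names
are assumptions loosely modelled on the FreeRADIUS radacct schema.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctsessionid      TEXT PRIMARY KEY,
    username           TEXT,
    nasipaddress       TEXT,
    acctstarttime      TEXT,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
);

-- Staging table (assumed name). A relayed SQL file can only issue blind INSERTs:
-- it never sees "rows affected", so it cannot choose between UPDATE and INSERT.
CREATE TABLE radacct_stage (
    id                 INTEGER PRIMARY KEY AUTOINCREMENT,
    acctstatustype     TEXT NOT NULL,   -- 'Start' or 'Stop'
    acctsessionid      TEXT NOT NULL,
    username           TEXT,
    nasipaddress       TEXT,
    eventtime          TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
);

-- The trigger does the update-then-insert that rlm_sql normally does in the
-- server, so Start and Stop land in one radacct row per session even when relay
-- lag delivers them late or out of order (assumed edge case).
CREATE TRIGGER radacct_stage_apply AFTER INSERT ON radacct_stage
BEGIN
    -- Stop: close the session if its row already exists.
    UPDATE radacct
       SET acctstoptime       = NEW.eventtime,
           acctsessiontime    = NEW.acctsessiontime,
           acctterminatecause = NEW.acctterminatecause
     WHERE NEW.acctstatustype = 'Stop'
       AND acctsessionid = NEW.acctsessionid;

    -- Start: fill in the start time on a row that a Stop may have created first.
    UPDATE radacct
       SET acctstarttime = NEW.eventtime,
           username      = COALESCE(username, NEW.username),
           nasipaddress  = COALESCE(nasipaddress, NEW.nasipaddress)
     WHERE NEW.acctstatustype = 'Start'
       AND acctsessionid = NEW.acctsessionid;

    -- No existing row: create it. The primary-key conflict when the row does
    -- exist is ignored, which is the "except INSERT" half of the technique.
    INSERT OR IGNORE INTO radacct
        (acctsessionid, username, nasipaddress, acctstarttime, acctstoptime,
         acctsessiontime, acctterminatecause)
    VALUES
        (NEW.acctsessionid, NEW.username, NEW.nasipaddress,
         CASE WHEN NEW.acctstatustype = 'Start' THEN NEW.eventtime END,
         CASE WHEN NEW.acctstatustype = 'Stop'  THEN NEW.eventtime END,
         NEW.acctsessiontime, NEW.acctterminatecause);
END;
"""


def open_db():
    """Fresh in-memory database with the schema and trigger above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def relay(conn, status, session_id, username, nas, event_time,
          session_time=None, cause=None):
    """Stand-in for one statement radsqlrelay replays: a plain INSERT into
    the staging table, which is all an sql_log file can do."""
    conn.execute(
        "INSERT INTO radacct_stage (acctstatustype, acctsessionid, username,"
        " nasipaddress, eventtime, acctsessiontime, acctterminatecause)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (status, session_id, username, nas, event_time, session_time, cause))
    conn.commit()


def session_row(conn, session_id):
    """(username, start, stop, sessiontime, cause) for one session, or None."""
    return conn.execute(
        "SELECT username, acctstarttime, acctstoptime, acctsessiontime,"
        " acctterminatecause FROM radacct WHERE acctsessionid = ?",
        (session_id,)).fetchone()


def demo():
    """Replay constructed sample records in normal and reversed order."""
    conn = open_db()
    nas = "139.25.153.222"   # NAS address as seen in the debug output in this thread
    # Session s1: Start then Stop, the normal order (constructed).
    relay(conn, "Start", "s1", "7989", nas, "2007-12-18 15:29:07")
    relay(conn, "Stop", "s1", "7989", nas, "2007-12-18 15:39:07", 600, "User-Request")
    # Session s2: Stop replayed before Start, e.g. two servers' relay files
    # catching up after an outage (constructed).
    relay(conn, "Stop", "s2", "7989", nas, "2007-12-18 16:10:00", 120, "Lost-Carrier")
    relay(conn, "Start", "s2", "7989", nas, "2007-12-18 16:08:00")
    return {
        "rows": conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0],
        "s1": session_row(conn, "s1"),
        "s2": session_row(conn, "s2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two practical points: the staging table grows by one row per replayed record, so purge applied rows on a schedule rather than letting it become a second copy of radacct; and because the relay runs with the database privileges of whatever account radsqlrelay uses, grant that account INSERT on the staging table only, so a compromised RADIUS host can append accounting records but cannot rewrite or delete the history in radacct.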
Re: no logging => reject?
Norbert Wegener wrote:
> I am using a recent pre-2, authentication via a mysql database.
> In post-auth I have a sql module, that reports accept/reject to
> another mysql database.
> When this database is not available, the user is rejected, although I
> get Auth-Type = Accept before.
> Is this a desired behaviour, bug or feature?
>
> ...
> rad_check_password: Auth-Type = Accept, accepting the user
> Login OK: [7989] (from client 149.246.185.169 port 1812)
> +- entering group post-auth
> ++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ )
> expand: %{User-Name} -> 7989
> ? Evaluating ("%{User-Name}" =~ /.net/i) -> FALSE
> expand: %{User-Name} -> 7989
> Evaluating ("%{User-Name}" =~ /@/) -> FALSE
> ++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ ) -> FALSE
> expand: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
> rlm_detail: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
> expand: %t -> Tue Dec 18 15:29:07 2007
> ++[reply_log] returns ok
> rlm_sql (sql): Processing sql_postauth
> expand: %{User-Name} -> 7989
> rlm_sql (sql): sql_set_user escaped user --> '7989'
> expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
> rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
> rlm_sql (sql): Ignoring unconnected handle 4..
> rlm_sql (sql): Ignoring unconnected handle 3..
> rlm_sql (sql): Ignoring unconnected handle 2..
> rlm_sql (sql): Ignoring unconnected handle 1..
> rlm_sql (sql): Ignoring unconnected handle 0..
> rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
> ++[sql] returns fail
> Found Post-Auth-Type Reject
> +- entering group REJECT
> rlm_sql (sql): Processing sql_postauth
> expand: %{User-Name} -> 7989
> rlm_sql (sql): sql_set_user escaped user --> '7989'
> expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
> rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
> rlm_sql (sql): Ignoring unconnected handle 4..
> rlm_sql (sql): Ignoring unconnected handle 3..
> rlm_sql (sql): Ignoring unconnected handle 2..
> rlm_sql (sql): Ignoring unconnected handle 1..
> rlm_sql (sql): Ignoring unconnected handle 0..
> rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
> ++[sql] returns fail
> Sending Access-Reject of id 51 to 149.246.185.169 port 32833
> Finished request 0.
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 4.0 seconds.
> Cleaning up request 0 ID 51 with timestamp +1
> Ready to process requests.
>
> Norbert Wegener

Feature.

What's slightly worrying about using rlm_sql is if for any reason a table is locked, the SQL request will block until the table is unlocked. In blocking it appears to block the entire FR server !

Everything just stops until the table is unlocked, and the request is satisfied !

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
no logging => reject?
I am using a recent pre-2, authentication via a mysql database.
In post-auth I have a sql module, that reports accept/reject to another mysql database.
When this database is not available, the user is rejected, although I get Auth-Type = Accept before.
Is this a desired behaviour, bug or feature?

...
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [7989] (from client 149.246.185.169 port 1812)
+- entering group post-auth
++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ )
expand: %{User-Name} -> 7989
? Evaluating ("%{User-Name}" =~ /.net/i) -> FALSE
expand: %{User-Name} -> 7989
Evaluating ("%{User-Name}" =~ /@/) -> FALSE
++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ ) -> FALSE
expand: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
rlm_detail: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
expand: %t -> Tue Dec 18 15:29:07 2007
++[reply_log] returns ok
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 7989
rlm_sql (sql): sql_set_user escaped user --> '7989'
expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Found Post-Auth-Type Reject
+- entering group REJECT
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 7989
rlm_sql (sql): sql_set_user escaped user --> '7989'
expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Sending Access-Reject of id 51 to 149.246.185.169 port 32833
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 51 with timestamp +1
Ready to process requests.

Norbert Wegener
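The debug output above shows the pattern to watch for: "Login OK" for the user, then "++[sql] returns fail" in post-auth, then "Sending Access-Reject". Users locked out this way look like failed logins unless something correlates the three. Below is an added example, not part of Norbert's post and not a FreeRADIUS tool: a small parser over radiusd -X output that flags requests where authentication succeeded but the final reply was Access-Reject after a module returned fail. The sample lines are constructed, cut down to the line shapes visible in the debug output above; the regular expressions match only those shapes, and the "spurious reject" criterion is this example's own definition.

```python
"""Flag Access-Rejects caused by a failing post-auth module rather than by bad
credentials, from radiusd -X debug output.

Added example, not from the post or from FreeRADIUS. SAMPLE_DEBUG is
constructed, trimmed to the line shapes seen in the thread's debug output;
the patterns below match those shapes only.
"""
import re

# Constructed sample: request 0 is the case from the thread (DB down, user
# rejected after Login OK); request 1 is a normal accept; request 2 is a real
# bad-password reject that must not be flagged.
SAMPLE_DEBUG = """\
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [7989] (from client 149.246.185.169 port 1812)
+- entering group post-auth
++[reply_log] returns ok
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Found Post-Auth-Type Reject
+- entering group REJECT
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Sending Access-Reject of id 51 to 149.246.185.169 port 32833
Finished request 0.
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [alice] (from client 149.246.185.169 port 1812)
+- entering group post-auth
++[reply_log] returns ok
++[sql] returns ok
Sending Access-Accept of id 52 to 149.246.185.169 port 32833
Finished request 1.
Login incorrect: [bob] (from client 149.246.185.169 port 1812)
Found Post-Auth-Type Reject
+- entering group REJECT
++[sql] returns ok
Sending Access-Reject of id 53 to 149.246.185.169 port 32833
Finished request 2.
"""

LOGIN_OK  = re.compile(r"^Login OK: \[(?P<user>[^\]]*)\]")
MODULE_RC = re.compile(r"^\+\+\[(?P<module>[^\]]+)\] returns (?P<rc>\w+)")
DB_ERROR  = re.compile(r"^rlm_sql \((?P<inst>[^)]+)\): There are no DB handles to use!")
SENDING   = re.compile(r"^Sending (?P<type>Access-\w+) of id (?P<id>\d+)")
FINISHED  = re.compile(r"^Finished request (?P<num>\d+)\.")


def _new_request():
    return {"user": None, "login_ok": False, "failed": [],
            "db_errors": 0, "reply": None, "reply_id": None}


def find_spurious_rejects(debug_text):
    """Return one finding per request where the user passed authentication
    (Login OK) but the final reply was Access-Reject after some module
    returned 'fail'. Requests are delimited by the 'Finished request N.' line."""
    findings = []
    req = _new_request()
    for raw in debug_text.splitlines():
        line = raw.strip()            # -X output indents some lines with tabs
        if m := LOGIN_OK.match(line):
            req["login_ok"], req["user"] = True, m.group("user")
        elif (m := MODULE_RC.match(line)) and m.group("rc") == "fail":
            req["failed"].append(m.group("module"))
        elif DB_ERROR.match(line):
            req["db_errors"] += 1
        elif m := SENDING.match(line):
            req["reply"], req["reply_id"] = m.group("type"), int(m.group("id"))
        elif m := FINISHED.match(line):
            if req["login_ok"] and req["reply"] == "Access-Reject" and req["failed"]:
                findings.append({
                    "request": int(m.group("num")),
                    "user": req["user"],
                    "reply_id": req["reply_id"],
                    "failed_modules": sorted(set(req["failed"])),
                    "db_errors": req["db_errors"],
                })
            req = _new_request()
    return findings


if __name__ == "__main__":
    for f in find_spurious_rejects(SAMPLE_DEBUG):
        print("request %(request)d: user %(user)s rejected (id %(reply_id)d) "
              "after %(failed_modules)s returned fail, %(db_errors)d DB errors" % f)
```

During an outage the count of these findings is the number of users the logging dependency locked out, which is exactly what the `redundant { sql detail }` arrangement recommended earlier in the thread removes. One more thing the same debug output makes visible: the post-auth query writes `%{User-Password}` in clear into radpostauth, so whichever fallback path is chosen (detail file, sql_log relay file, or the `fail = ok` override), that cleartext password travels with the record and the files and tables involved need the same access controls as the authentication database itself.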