Re: no logging => reject?

2007-12-18 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> What's slightly worrying about using rlm_sql is if for any reason a table
> is locked, the SQL request will block until the table is unlocked. In
> blocking it appears to block the entire FR server!
> Everything just stops until the table is unlocked, and the request is
> satisfied!

  That appears to be the SQL library, and interaction with threads.  It
may suspend the entire process when a thread blocks... which isn't nice.

  The only way to fix this is to run the RADIUS server and SQL queries
in separate processes... which is complicated.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: no logging => reject?

2007-12-18 Thread Alan DeKok
Norbert Wegener wrote:
> I am using a recent pre-2, authentication via a mysql database.
> In post-auth I have a sql module that reports accept/reject to
> another mysql database.
> When this database is not available, the user is rejected, although I
> get Auth-Type = Accept before.
> Is this a desired behaviour, bug or feature?

  It's desired.  The server failed to do something during
authentication, so the authentication fails.

  If you want to over-ride the failure, see "man unlang", which explains
how to change the return codes.

  e.g.

  ...
  sql_postauth {
    fail = ok
  }
  ...

  Alan DeKok.


Re: no logging => reject?

2007-12-18 Thread Phil Mayers

Arran Cudbard-Bell wrote:
> Norbert Wegener wrote:
> > I am using a recent pre-2, authentication via a mysql database.
> > In post-auth I have a sql module that reports accept/reject to
> > another mysql database.
> > When this database is not available, the user is rejected, although I
> > get Auth-Type = Accept before.
> >
> > Is this a desired behaviour, bug or feature?
>
> Generally, failure of a module will result in failure of the request.
> See doc/configurable_failover for info how to control this.


I would strongly recommend in your post-auth section doing what we did:

post-auth {
  redundant {
    sql
    detail
  }
}

...that way, if sql actually fails, you just dump to a file. You can 
monitor the file any number of ways to see how frequently (or not) this 
happens.


However as Arran points out, if the module *blocks* rather than fails, 
you may suffer a potentially arbitrarily long wait.


If your SQL server is routinely blocking then it is too slow and you 
need to fix that, however if you want complete insurance against e.g. 
unforeseeable faults, I would use rlm_sql_log.


I was originally somewhat sceptical of it, however we recently moved a 
~1M auths/day server from doing direct SQL writes to using sql_log in 
order to be tolerant of SQL server drops, and I'm much (much!) happier 
as a result.


What we actually do is this:

 * a single central SQL server; two databases:

   * radcheck - contains the SQL radcheck/reply & group tables
   * radacct - contains the radacct & radpostauth tables[1]

 * 2 radius servers, each with a local read-only SQL replica of the 
radcheck database; the radius processes are configured to read (do 
lookups against) their local SQL, and write to the sql_log file


 * copies of radsqlrelay pushing the accounting data to the central server

The time lag during normal loads is:

 * central radcheck -> server radchecks: 0-10 seconds (postgres & slony)
 * server sql-relay -> central radacct: 0-10 seconds (radsqlrelay)

During extended outages (such as the arranged maintenance in our 
datacentre this weekend) the radius servers continue to chug away and 
log to relay files, then replication & radsqlrelay spring back to life 
and catch up later.


[1] One minor note - as per my recent post, the sql_log module cannot do 
the "try update / except insert" technique that the sql module uses, so 
I modified things slightly; I write the sql_log updates to a *2nd* 
table, and use a TRIGGER on INSERT to update/insert the main radacct 
table. It works very well.


As Alan pointed out in reply to my post, you could also run plain old 
radrelay and an accounting-only radius server on the central database 
server, however for various boring reasons I won't go into, that wasn't 
an option for us.


HTH
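An added sketch of the footnote's staging-table-plus-trigger approach, written for PostgreSQL (the poster mentions postgres) and not Phil's actual schema or trigger: radsqlrelay inserts into a second table, and a BEFORE INSERT trigger folds each row into radacct by trying an UPDATE first and inserting only when no row matched. The table name radacct_staging, the reduced column set, and keying on acctuniqueid are assumptions.

```sql
-- Added example, not the poster's own code. Staging table written by
-- sql_log/radsqlrelay; name and column subset are assumed.
CREATE TABLE radacct_staging (
    acctuniqueid       varchar(32) NOT NULL,
    acctsessionid      varchar(64) NOT NULL,
    username           varchar(64),
    nasipaddress       inet,
    acctstarttime      timestamp with time zone,
    acctstoptime       timestamp with time zone,
    acctsessiontime    bigint,
    acctinputoctets    bigint,
    acctoutputoctets   bigint,
    acctterminatecause varchar(32)
);

-- Main table, same columns, one row per session (assumed key: acctuniqueid).
CREATE TABLE radacct (LIKE radacct_staging, PRIMARY KEY (acctuniqueid));

CREATE OR REPLACE FUNCTION radacct_fold() RETURNS trigger AS $$
BEGIN
    -- "Try update": a Stop or Interim-Update for a session already seen.
    -- COALESCE keeps existing values where the relayed row carries NULLs.
    UPDATE radacct SET
        acctstoptime       = COALESCE(NEW.acctstoptime, radacct.acctstoptime),
        acctsessiontime    = COALESCE(NEW.acctsessiontime, radacct.acctsessiontime),
        acctinputoctets    = COALESCE(NEW.acctinputoctets, radacct.acctinputoctets),
        acctoutputoctets   = COALESCE(NEW.acctoutputoctets, radacct.acctoutputoctets),
        acctterminatecause = COALESCE(NEW.acctterminatecause, radacct.acctterminatecause)
    WHERE acctuniqueid = NEW.acctuniqueid;

    -- "Except insert": a Start, or a Stop that arrived before its Start
    -- (possible when relay files are replayed after an outage).
    IF NOT FOUND THEN
        INSERT INTO radacct SELECT NEW.*;
    END IF;

    -- Returning NULL from a BEFORE trigger drops the staging row itself,
    -- so the staging table stays empty and only radacct grows.
    RETURN NULL;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER radacct_staging_fold
    BEFORE INSERT ON radacct_staging
    FOR EACH ROW EXECUTE PROCEDURE radacct_fold();
```

Because the trigger runs inside the relay's own INSERT, a failure in the fold is reported back to radsqlrelay as a failed statement and the relay file entry is retried rather than lost.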


Re: no logging => reject?

2007-12-18 Thread Arran Cudbard-Bell

Norbert Wegener wrote:
> I am using a recent pre-2, authentication via a mysql database.
> In post-auth I have a sql module that reports accept/reject to
> another mysql database.
> When this database is not available, the user is rejected, although I
> get Auth-Type = Accept before.
>
> Is this a desired behaviour, bug or feature?


Feature.

What's slightly worrying about using rlm_sql is if for any reason a table 
is locked, the SQL request will block until the table is unlocked. In 
blocking it appears to block the entire FR server!
Everything just stops until the table is unlocked, and the request is 
satisfied!


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



no logging => reject?

2007-12-18 Thread Norbert Wegener

I am using a recent pre-2, authentication via a mysql database.
In post-auth I have a sql module that reports accept/reject to
another mysql database.
When this database is not available, the user is rejected, although I
get Auth-Type = Accept before.

Is this a desired behaviour, bug or feature?

...
 rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [7989] (from client 149.246.185.169 port 1812)
+- entering group post-auth
++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ )
   expand: %{User-Name} -> 7989
? Evaluating ("%{User-Name}" =~ /.net/i) -> FALSE
   expand: %{User-Name} -> 7989
Evaluating ("%{User-Name}" =~ /@/) -> FALSE
++? if ("%{User-Name}" =~ /.net/i || "%{User-Name}" =~ /@/ ) -> FALSE
   expand: 
//var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> 
//var/log/radius/radacct/149.246.185.169/reply-detail-20071218
rlm_detail: 
//var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to //var/log/radius/radacct/149.246.185.169/reply-detail-20071218

   expand: %t -> Tue Dec 18 15:29:07 2007
++[reply_log] returns ok
rlm_sql (sql): Processing sql_postauth
   expand: %{User-Name} -> 7989
rlm_sql (sql): sql_set_user escaped user --> '7989'
   expand: INSERT into radpostauth (id, user, pass, reply, 
date,nasname) values ('', '%{User-Name}', '%{User-Password}', 
'%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into 
radpostauth (id, user, pass, reply, date,nasname) values ('', 
'7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, 
user, pass, reply, date,nasname) values ('', '7989', 
'7989', 'Access-Accept', NOW(),'139.25.153.222')

rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
 Found Post-Auth-Type Reject
+- entering group REJECT
rlm_sql (sql): Processing sql_postauth
   expand: %{User-Name} -> 7989
rlm_sql (sql): sql_set_user escaped user --> '7989'
   expand: INSERT into radpostauth (id, user, pass, reply, 
date,nasname) values ('', '%{User-Name}', '%{User-Password}', 
'%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into 
radpostauth (id, user, pass, reply, date,nasname) values ('', 
'7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, 
user, pass, reply, date,nasname) values ('', '7989', 
'7989', 'Access-Reject', NOW(),'139.25.153.222')

rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Sending Access-Reject of id 51 to 149.246.185.169 port 32833
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 51 with timestamp +1
Ready to process requests.

Norbert Wegener
