Search squid archive

Further diagnosis on squid/radius auth problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I've had a whole series of issues with Squid and radius, and I believe
that at last I have some meat for diagnosis.  The problem seems to be
with squid_auth_radius, but this seems to be the only related mailing
list.

I'm using:

Squid Cache: Version 2.5.STABLE13
configure options:  --prefix=/usr/local/squid --enable-snmp --disable-internal-dns

on RHEL 4 with squid_radius_auth 1.08.

At times it has seemed that clients attempting to authenticate are
being rejected despite having good passwords.  Similarly, users have
been able to get out to the Internet without a legitimate username and
password.  Squid's debugging output shows that the authenticator was
returning an "ok" response for these nonexistent usernames and
passwords.  At the time this happened, we would see "Warning: Received
invalid reply digest from server" errors.  A "squid -k reconfigure"
made those go away by restarting the authenticator children, of
course, but running that once a minute is not an ideal solution.

I'm not comfortable doing random debugging in C, so I made an
alternate authenticator out of Perl, based on authen::radius, that
logged via syslogd whenever it attempted authentication and the
results of that authentication attempt.  Either the problem would go
away, or I'd have some debugging output.  :-)

The problem persisted, but I now logged requests that did and didn't
match and could compare them to the Radius logs.  The Radius
authenticator returned an error when the Radius server had returned
OK.

At the time of the error, netstat -na -u on the RHEL box shows:

Proto Recv-Q Send-Q Local Address               Foreign Address             State      
...
udp        0      0 10.184.1.94:33006           10.184.1.56:1812            ESTABLISHED 
udp        0      0 10.184.1.94:33007           10.184.1.56:1812            ESTABLISHED 
udp        0      0 10.184.1.94:33008           10.184.1.56:1812            ESTABLISHED 
udp     2352      0 10.184.1.94:33009           10.184.1.56:1812            ESTABLISHED 
udp        0      0 10.184.1.94:33010           10.184.1.56:1812            ESTABLISHED

lsof shows that the process with the big recv queue is the
authenticator.  This happens with both squid_radius_auth and my perl
applet.

I see a couple of possibilities:

a) Red Hat ties up the buffer somehow
b) problem in the radius routines in squid_rad_auth
c) problem with squid taking the data back from authenticator, or
   interaction between squid and squid_rad_auth

Surely someone out there has experienced this?  Any pointers on where
to look further?

On a related note, should Squid use the same authenticator child most
of the time?  I have five running, but the log shows that the same
child gets queried again and again.  We rarely get busy enough to need
the second child, however.

==ml

-- 
Michael W. Lucas	mwlucas@xxxxxxxxxxx, mwlucas@xxxxxxxxxxxxxxxxxxxx
		http://www.BlackHelicopters.org/~mwlucas/
	    Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux