Re: [squid-users] squid_radius_auth

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 30 Oct 2007 16:06:21 +1300 (NZDT)

> We're in the process of rebuilding a couple of web filter boxes on CentOS 4.5
> running Squid 2.5.STABLE14 (latest from yum) using squid_radius_auth 1.09
> for authentication with the following config:
>
> auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_auth.conf
> auth_param basic children 30
> auth_param basic realm Filtered Web Service
> auth_param basic credentialsttl 4 hours
> auth_param basic casesensitive off
>
> We're seeing an odd issue where radius authentication will start failing
> sometime after the machine has been in production for a variable amount of
> time. The issue appears to arise only after at least 6 hours, but
> sometimes as long as 10 or 11 hours. If the machine is not in production
> and is only receiving test authentications the issue does not appear to
> arise.
>
> The failures show up as a long lag after correct credentials are issued
> and an eventual re-request for credentials. When this happens the squid
> access logs show denies for web traffic from these IPs passing account
> names that had previously authenticated. This lag is the same behavior we
> see if the radius server is unreachable, but I can log into the machine
> and manually run squid_radius_auth from the command line and authenticate
> without issue while the problem is occurring. During these failures we do
> not see the authentication requests hitting our Radius servers.
>
> However, if I issue a reconfig the problem goes away for another 6+ hours
> or so.
>
> It feels like the child processes are wedging somehow, but I'm not sure how
> or why.
>
> Additionally the old filter servers are running older versions of CentOS,
> Squid and v106 of squid_radius_auth and they are not seeing the issue.
>
> * Has anyone else seen similar behavior?
>
> * Is there any additional logging or debugging I can run to hopefully see
> what is happening?

Could be a lot of things.
Step 1 is to try a recent version of squid. 2.5 is no longer supported.
Grab 2.6 stable 16 from http://www.squid-cache.org/Versions/v2/2.6/

After that try adding to squid.conf:
 debug_options ALL,1 29,9
and see what gets added to cache.log

> For now we have put in place an hourly cron to issue the reconfig, but
> this is a pretty kludgy workaround.
>

Amos
Received on Mon Oct 29 2007 - 21:06:25 MDT
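
One way to test whether a helper child wedges is to drive it the way Squid does, as one long-lived process answering many requests over stdin/stdout, instead of a one-shot command-line run. This is an added example, not part of the original thread and not code from Squid or squid_radius_auth. It assumes the basic-auth helper protocol (one "user password" line in, one line starting with OK or ERR out), URL-encoded fields and a POSIX host; `probe_helper` and `WEDGING_STAND_IN` are hypothetical names, and the stand-in helper is constructed.

```python
import select
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in for a helper that wedges: answers once, then goes silent.
WEDGING_STAND_IN = [sys.executable, "-u", "-c",
                    "import sys, time\n"
                    "sys.stdin.readline(); print('OK', flush=True)\n"
                    "sys.stdin.readline(); time.sleep(60)\n"]

def probe_helper(argv, credentials, timeout=5.0):
    """Feed (user, password) pairs to ONE helper process and return a list of
    (user, result); result is the helper's first token, TIMEOUT or EOF."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, bufsize=0)
    results = []
    try:
        for user, password in credentials:
            # Assumption: fields are URL-encoded, one request per line.
            request = f"{quote(user, safe='')} {quote(password, safe='')}\n"
            try:
                proc.stdin.write(request.encode())
            except BrokenPipeError:
                results.append((user, "EOF"))  # helper exited
                break
            # POSIX only: wait for the reply pipe to become readable.
            ready, _, _ = select.select([proc.stdout], [], [], timeout)
            if not ready:
                results.append((user, "TIMEOUT"))  # helper is wedged
                break
            tokens = proc.stdout.readline().decode(errors="replace").split()
            if not tokens:
                results.append((user, "EOF"))  # pipe closed or blank reply
                break
            results.append((user, tokens[0]))
    finally:
        proc.kill()
        proc.wait()
    return results

if __name__ == "__main__":
    import getpass
    # Usage: script.py /path/to/helper [helper args]; prompts for one login
    # and replays it five times over the same helper process.
    login = (input("user: "), getpass.getpass("password: "))
    print(probe_helper(sys.argv[1:], [login] * 5))
```

A TIMEOUT partway through a run means that process stopped answering on its pipe, which is the condition a fresh command-line invocation cannot show.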
