RE: [squid-users] squid_radius_auth

From: Matt Ruzicka <mruzicka@dont-contact.us>
Date: Thu, 1 Nov 2007 15:59:04 -0400

Thanks everyone for the advice. I'm working on installing and testing 2.6 STABLE16. I'll see where we're at then, but I suspect things will be looking better.

Thanks.

Matt Ruzicka
Sr. Systems Engineer
mruzicka@cisp.com
www.cisp.com
www.yocolo.com

419.724.5345 : tel
419.867.6913 : fax

-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.net]
Sent: Thursday, November 01, 2007 3:46 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] squid_radius_auth

Matt Ruzicka wrote:
> We're in the process of rebuilding a couple web filter boxes on CentOS 4.5 running Squid 2.5.STABLE14 (latest from yum) using squid_radius_auth 1.09 for authentication with the following config:
>
> auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_auth.conf
> auth_param basic children 30
> auth_param basic realm Filtered Web Service
> auth_param basic credentialsttl 4 hours
> auth_param basic casesensitive off
>
> We're seeing an odd issue where radius authentication will start failing sometime after the machine has been in production for a variable amount of time. The issue appears to arise only after at least 6 hours, but sometimes as long as 10 or 11 hours. If the machine is not in production and is only receiving test authentications the issue does not appear to arise.
>
> The failures show up as a long lag after correct credentials are issued and an eventual re-request for credentials. When this happens the squid access logs show denies for web traffic from these IPs passing account names that had previously authenticated. This lag is the same behavior we see if the radius server is unreachable, but I can log into the machine and manually run squid_radius_auth from the command line and authenticate without issue while the problem is occurring. During these failures we do not see the authentication requests hitting our Radius servers.
>
> However, if I issue a reconfig the problem goes away for another 6+ hours or so.
>
> It feels like the child processes are wedging somehow, but I'm not sure how or why.
>
> Additionally the old filter servers are running older versions of CentOS, Squid and v106 of squid_radius_auth and they are not seeing the issue.
>
> * Has anyone else seen similar behavior?
>

Yes. See
http://www.squid-cache.org/mail-archive/squid-users/200605/0494.html
Granted, this issue was appearing with Squid-2.5-Stable13 and
squid_radius_auth 1.08.

As stated, updating to Squid 2.6 is recommended. You can compile the
Fedora SRPM, or the CentOS5 SRPM (which is based on Squid-2.6Stable6) or
grab the source, use squid -V on your current install and use that as a
guide for compiling. The CentOSPlus repository doesn't seem to have an
updated RPM for Squid.

> * Is there any additional logging or debugging I can run to hopefully see what is happening?
>

From http://www.squid-cache.org/mail-archive/squid-users/200501/0554.html:

debug_options ALL,1 29,9 84,9

then see cache.log for details on the auth progress.

Be warned that your logs will contain usernames+passwords in plain text
when doing this.

> For now we have put in place an hourly cron to issue the reconfig, but this is a pretty kludgy workaround.
>
> Thank you in advance.
>
> Matt Ruzicka
> Sr. Systems Engineer
> mruzicka@cisp.com
> www.cisp.com
> www.yocolo.com
>
> 419.724.5300 : tel
> 419.867.6913 : fax
>

Chris
Received on Thu Nov 01 2007 - 13:59:10 MDT
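
Added example, not part of the thread and not Squid or squid_radius_auth code: a wrapper that can stand in for the helper on the auth_param basic program line while diagnosing the lag described above. It times each lookup and writes the username, verdict and elapsed time to stderr (which Squid copies to cache.log) without ever logging the password, unlike debug_options 29,9 84,9. Assumptions: the basic-auth helper protocol of one "username password" line in and one OK/ERR line out, the helper path from the config quoted above, and an illustrative timeout and function names; it starts a fresh helper per request, so it is a diagnostic aid only.

```python
"""Timing wrapper for a Squid basic-auth helper (added example)."""
import subprocess
import sys
import time

# Assumption: helper command line copied from the auth_param line in the thread.
HELPER = ["/usr/local/squid/libexec/squid_radius_auth",
          "-f", "/usr/local/squid/etc/squid_radius_auth.conf"]
TIMEOUT = 10.0  # seconds; constructed value, tune to the RADIUS retry settings


def check(line, helper=HELPER, timeout=TIMEOUT):
    """Pass one 'username password' line to a fresh helper process.

    Returns (reply, log_entry). The log entry carries the username,
    verdict and elapsed time, never the password.
    """
    user = line.split(" ", 1)[0]
    start = time.monotonic()
    try:
        proc = subprocess.run(helper, input=line.rstrip("\n") + "\n",
                              capture_output=True, text=True, timeout=timeout)
        first = proc.stdout.splitlines()[0].strip() if proc.stdout.strip() else ""
        reply = "OK" if first == "OK" or first.startswith("OK ") else "ERR"
        note = "helper-replied"
    except subprocess.TimeoutExpired:
        reply, note = "ERR", "helper-timeout"   # fail closed on a hung lookup
    except OSError:
        reply, note = "ERR", "helper-missing"   # fail closed if it cannot start
    elapsed = time.monotonic() - start
    return reply, f"user={user} reply={reply} note={note} elapsed={elapsed:.2f}s"


def main():
    # Squid writes one request per line and expects exactly one reply line each.
    for line in sys.stdin:
        if not line.strip():
            continue
        reply, entry = check(line)
        sys.stderr.write(entry + "\n")   # helper stderr ends up in cache.log
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()               # replies must not sit in a buffer


if __name__ == "__main__":
    main()
```

A run of helper-timeout entries while the RADIUS servers see no requests points at the helper side rather than the network.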
