Freeradius Module-Failure-Message = “Failed retrieving values required to evaluate condition”

One of my radius servers stopped doing its radius thing. Everything was going along swimmingly, and then it suddenly stopped at 1:00AM.  Restarts didn’t fix it.

The way this server works is that the default handler receives accounting packets, writes them to spool files, and then another process forwards the contents of the spool files to the correct destinations (e.g. databases). However, it stopped. There was no reason, so I (eventually) looked at the spool files in /var/log/radius/radacct/blah and found this packet:

Tue Nov 6 00:57:15 2018
    User-Name = ""
    Event-Timestamp = "Nov 6 2018 00:57:15 SAST"
    Acct-Status-Type = Accounting-Off
    NAS-IP-Address = 104.78.28.84
    Connect-Info = ""
    Module-Failure-Message = "Failed retrieving values required to evaluate condition"
    Module-Failure-Message = "Failed retrieving values required to evaluate condition"
    Module-Failure-Message = "Failed retrieving values required to evaluate condition"
    Timestamp = 1541458635

That’s an accounting packet from the NAS that says it is rebooting, and all the sessions are going away. When this packet was handled, FreeRADIUS lost its mind and added the Module-Failure-Message attributes.

The reason that this was happening to these accounting packets is that the processing section for the accounting packets said things like this (edited for brevity):

accounting {
    if ( &Framed-IP-Address =~ /^192\.168\./) {
        detail-write-nat-server
    }
    # ...
    ok
}

The idea is to log to a spool file for handling by another server:

detail detail-write-nat-server {
    filename = ${radacctdir}/nat/detail-%Y%m%d:%H
    permissions = 0664
    header = "%t"
    locking = yes
}

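So the trouble is that the Framed-IP-Address attribute is not present in this particular accounting packet, so the regex condition has nothing to evaluate. Here’s the right way of doing it, checking that the attribute exists before matching against it: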

accounting {
    if ( &Framed-IP-Address && &Framed-IP-Address =~ /^192\.168\./) {
        detail-write-nat-server
    }
    # ...
    ok
}

So I fixed it, and now it’s better.
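To find out whether other spooled records were hit by the same problem, the detail files can be scanned for records that carry Module-Failure-Message. The following is an added example, not code from the original post or from FreeRADIUS; the function names are hypothetical, and the sample data is constructed (the first record is modelled on the packet above with a documentation NAS address, the second is an invented healthy record).

```python
import re
from collections import Counter

# Constructed sample: record 1 is modelled on the packet shown above,
# record 2 is an invented healthy Interim-Update for contrast.
SAMPLE_DETAIL = '''\
Tue Nov 6 00:57:15 2018
    User-Name = ""
    Acct-Status-Type = Accounting-Off
    NAS-IP-Address = 192.0.2.10
    Module-Failure-Message = "Failed retrieving values required to evaluate condition"
    Module-Failure-Message = "Failed retrieving values required to evaluate condition"
    Timestamp = 1541458635

Tue Nov 6 00:58:02 2018
    User-Name = "alice"
    Acct-Status-Type = Interim-Update
    Framed-IP-Address = 192.168.4.20
    Timestamp = 1541458682
'''

PAIR = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Yield (header, [(attr, value), ...]) per record; attributes may repeat."""
    header, pairs = None, []
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            if header is not None:
                yield header, pairs
            header, pairs = None, []
        elif line[0] not in ' \t':           # unindented line is the record header
            header, pairs = line, []
        else:
            m = PAIR.match(line)
            if m and header is not None:
                pairs.append((m.group(1), m.group(2).strip('"')))
    if header is not None:                   # file may not end with a blank line
        yield header, pairs

def failed_records(text, needed=('Framed-IP-Address',)):
    """Return records carrying Module-Failure-Message, plus which needed attrs are absent."""
    out = []
    for header, pairs in parse_detail(text):
        msgs = Counter(v for a, v in pairs if a == 'Module-Failure-Message')
        if msgs:
            present = {a for a, _ in pairs}
            out.append({'header': header, 'messages': dict(msgs),
                        'missing': [a for a in needed if a not in present]})
    return out
```

Calling `failed_records(open(path).read())` on a spool file lists each affected record with the attributes from `needed` that it lacks, which points back at the unlang condition that needs an existence check.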
