Adds radius metrics to capture RADIUS rejects and accepts (#338)

faucetsdn · Aug 23, 2021 · 3c8d789 · 3c8d789
1 parent bd23a91
commit 3c8d789
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 3 deletions.
diff --git a/bin/stack_functions b/bin/stack_functions
@@ -513,6 +513,10 @@ function start_radius_server {
     docker-compose -f ./radius_server/docker-compose.yaml up -d --build
 }
 
+function start_wrong_radius_server {
+    docker-compose -f ./radius_server/docker-compose-wrong.yaml up -d --build
+}
+
 function stop_and_cleanup_radius {
     docker stop radius_server_1 || true && docker rm radius_server_1 || true
 }
@@ -523,9 +527,15 @@ function validate_radius_varz {
                    grep -v 'HELP\|TYPE' | awk '{print $2}')
     responses=$(wget 0.0.0.0:8302 -O- | grep radius_query_responses_total | \
                     grep -v 'HELP\|TYPE' | awk '{print $2}')
+    accepts=$(wget 0.0.0.0:8302 -O- | grep radius_query_accepts_total | \
+                    grep -v 'HELP\|TYPE' | awk '{print $2}')
+    rejects=$(wget 0.0.0.0:8302 -O- | grep radius_query_rejects_total | \
+                    grep -v 'HELP\|TYPE' | awk '{print $2}')
     timeouts=${timeouts%.0}
     responses=${responses%.0}
-    echo Radius results $((timeouts > 0)) $((responses > 0)) | tee -a $TEST_RESULTS
+    accepts=${accepts%.0}
+    rejects=${rejects%.0}
+    echo Radius results $((timeouts > 0)) $((responses > 0)) $((accepts > 0)) $((rejects > 0)) | tee -a $TEST_RESULTS
 }
 
 function test_varz_value {

diff --git a/etc/test_access.out b/etc/test_access.out
@@ -5,7 +5,7 @@ Starting access-initial test...
 Starting access-minimal-learning test...
 9a:02:57:1e:8f:01
 %%% vlan-assigned
-Radius results 0 1
+Radius results 0 1 1 0
 Starting access-vlan-assigned test...
 9a:02:57:1e:8f:01
 9a:02:57:1e:8f:02
@@ -175,3 +175,5 @@ Starting varz-mac-flipped test...
 4.0
 0.0
 200.0
+%%% negative
+Radius results 0 1 1 1
diff --git a/etc/test_base.out b/etc/test_base.out
@@ -15,7 +15,7 @@ Testing Forch
 0 received
 Version from varz matches forch version.
 5 received
-Radius results 1 0
+Radius results 1 0 0 0
 Starting counting-initial tests
 110 0 allow ICMP
 111 0 arp

diff --git a/forch/authenticator.py b/forch/authenticator.py
@@ -115,8 +115,12 @@ def process_radius_result(self, src_mac, code, segment, role):
             return
         with self._sessions_lock:
             if code == radius_query.ACCEPT:
+                if self._metrics:
+                    self._metrics.inc_var('radius_query_accepts')
                 self.sessions[src_mac].received_radius_accept(segment, role)
             else:
+                if self._metrics:
+                    self._metrics.inc_var('radius_query_rejects')
                 self.sessions[src_mac].received_radius_reject()
 
     def process_session_result(self, src_mac, access, segment=None, role=None):

diff --git a/forch/forch_metrics.py b/forch/forch_metrics.py
@@ -79,6 +79,10 @@ def _add_vars(self):
                       'No. of RADIUS query timeouts in state machine', Counter)
         self._add_var('radius_query_responses',
                       'No. of RADIUS query responses received from server', Counter)
+        self._add_var('radius_query_accepts',
+                      'No. of RADIUS query accepts received from server', Counter)
+        self._add_var('radius_query_rejects',
+                      'No. of RADIUS query rejects received from server', Counter)
         self._add_var('process_state', 'Current process state', Gauge, labels=['process'])
 
         learned_l2_port_help_text = 'learned port of l2 entries'

diff --git a/radius_server/docker-compose-wrong.yaml b/radius_server/docker-compose-wrong.yaml
@@ -0,0 +1,18 @@
+version: '2'
+
+services:
+    freeradius:
+        build:
+            context: .
+            dockerfile: Dockerfile.freeradius
+        container_name: radius_server_1
+        image: 'forch/freeradius:latest'
+        network_mode: bridge
+        volumes:
+            - "./freeradius/users_wrong:/etc/freeradius/3.0/users:ro"
+            - "./freeradius/dictionary:/etc/freeradius/3.0/dictionary:ro"
+            - "./freeradius/macs:/etc/freeradius/3.0/macs:ro"
+            - "./freeradius/certs:/etc/freeradius/3.0/certs"
+            - "./freeradius/sites-enabled:/etc/freeradius/3.0/sites-enabled"
+            - "./freeradius/eap.conf:/etc/freeradius/3.0/eap.conf:ro"
+            - "./freeradius/radiusd.conf:/etc/freeradius/3.0/radiusd.conf:ro"
diff --git a/radius_server/freeradius/users_wrong b/radius_server/freeradius/users_wrong
@@ -0,0 +1,27 @@
+# Test Usage
+# echo "User-Name=user,User-Password=micrøphøne" | radclient -x localhost:1812 auth SECRET
+user   Cleartext-Password := "micrøphøne"
+
+# NOTE: The Filter-Id is the ACL name
+filter_id   Cleartext-Password := "micrøphøne"
+	 Filter-Id = "ACL_1"
+
+# Tunnel-Type = VLAN
+# Tunnel-Medium = 802
+vlan_id   Cleartext-Password := "micrøphøne"
+
+    Tunnel-Private-Group-ID = "VLAN_100"
+
+# Using the HPE ACE standard
+# http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/c_IPv4_Access_Control_Lists_ACLs.html
+filter_rule   Cleartext-Password := "micrøphøne"
+	NAS-Filter-Rule = "deny in tcp from any to any"
+
+# MAB Examples for integration tests
+9a02571e8f03 Cleartext-Password := '9a02571e8f04'
+    Tunnel-Type = VLAN,
+    Tunnel-Medium-Type = IEEE-802,
+    Tunnel-Private-Group-Id = "BOS",
+    Tunnel-Assignment-Id = "yellow",
+    Reply-Message = "welcome-infra-ap",
+    Session-Timeout = 3600
diff --git a/testing/test_access b/testing/test_access
@@ -187,4 +187,19 @@ test_dva mac-flipped
 test_forch_varz mac-flipped
 
 
+stop_and_cleanup_radius
+start_wrong_radius_server
+docker ps
+restart_forch
+
+# vlan and role is assigned for faux-1
+# trigger ARP and UDP traffic from faux-2 and faux-3 for mac learning
+echo %%% negative | tee -a $TEST_RESULTS
+send_udp forch-faux-1 "192.168.1.254/67" 5
+send_udp forch-faux-2 "192.168.1.253/68" 5
+send_udp forch-faux-3 "192.168.1.254/67" 5
+tail -f inst/forch-faucet-1/forch.log &
+
+validate_radius_varz
+
 stop_and_cleanup_radius