I have two identical FreeRADIUS servers and I want to receive accounting information (one as backup), but if the main one fails, I want the 2nd one to take over automatically. Which is the best approach?
add two RADIUS servers and set ‘accounting-backup=yes’ for both?..
I have tried that setup and I get “RADIUS server not responding” when they both have accounting-backup enabled. If I enable accounting-backup on just one, they both get accounting packets but only the main one authenticates users. If I switch off the main RADIUS server, the backup server doesn’t take over authentication automatically. I have to change it manually.
Is there a script or a way to automate this process?
You could netwatch the RADIUS server and then on down change it to the backup.
Then on up, revert..
But I would think there is still an issue elsewhere..
I have done exactly as you advised, but if I am not on the lookout, customers will not be authenticated in case the main RADIUS server fails, mainly due to power failure. If I could get a solution to handle failover between the two RADIUS servers, I could sleep at night.
Netwatch is a process / program /system thread.
You can “watch” other devices with it and take actions depending on their state, i.e. run a script that in your case alters the RADIUS server settings…
Crude but it should do the job..
I would like to try that, but I am not good at writing scripts, so if you can point me to a script which I can edit to suit my needs, I would appreciate it.
so, accounting-backup RADIUS is not used for authentication?..
anyway, you will need some tool to synchronize your accounting data on both servers in case of failure of one of them
If “/radius” is set correctly, the second server should take over authentication and accounting without any entries if the first RADIUS server fails. If you can post the output of “/radius print”, that might help. Change the RADIUS secrets though.
/radius print value-list
-
service: ppp
login
hotspot
wireless
called-id:
domain:
address: 192.168.1.159
secret: xxxxxxxx
authentication-port: 1812
accounting-port: 1813
timeout: 1s
accounting-backup: yes
realm:
2. service: ppp
login
hotspot
wireless
called-id:
domain:
address: 192.168.200.159
secret: xxxxxxx
authentication-port: 1812
accounting-port: 1813
timeout: 3s
accounting-backup: no
realm:
I have solved that using mysql replication on both servers but the underlying problem is switching over in case the main radius server stops working.
If you shut down the main RADIUS server, the backup should take over. If not, it isn’t any good, is it? Can you try it with the main RADIUS server offline? If the backup doesn’t take over, something is not correct.
I have tried that a couple of times and I noticed from the logs that if the main server is off, customers get “RADIUS server not responding” when trying to log in, and for those already logged in I get “RADIUS accounting request not sent: no response”.
Is it a bug in the RADIUS package, or what could be wrong? Anyone?
I would set “accounting-backup=no” on both entries until you get both the servers responding.
Also try setting the radius timeout to a higher value.
/radius
set 0 timeout=600ms
set 1 timeout=600ms
EDIT: I see you have increased the timeout values already. Good move. And according to the docs on radius, “accounting backup=yes” should be used on the second (backup) server. I don’t use it, so I can’t check it right now to see what it does.
is it master/master replication?.. then set “accounting-backup: no” on both servers - in that case you should get authentication failover, and mysql replication will give you accounting failover
At the moment it's master/slave replication. I will set up master/master replication and then disable accounting-backup as you advised.
It worked after changing the timeout to different values on both RADIUS client entries. I noticed they need to be well spaced to allow for failover.
Now MySQL master-master replication takes care of syncing the databases.
WebHA.txt (27.8 KB)
mmm?..
I set the timeout on both servers to different values and disabled accounting-backup. Is that better?
there should be no sense in setting different timeout values: the second RADIUS should be queried only if the first one does not respond…