I have two Identical freeradius servers and i want to recieve accounting information (one as backup) But if the main one fails the 2nd one to take over automatically. Which is the best approach?

add two RADIUS servers and set 'accounting-backup=yes' for both?..

I have tried that setup and i get "RADIUS server not responding" when they are both have accounting backup enabled. If I just enable one to Accounting-backup they both get accounting packet but only the main one authenticates users. In case i switch off main radius server the backup server doesn't takeover authenticating automatically. I have to change it manually.
Is there a script or a way to automate this process?

You could netwatch the Radius server and then on down change it to the backup.
Then on up, revert..

But I would think there is still an issue elsware..

I have done exactly as u advised but if am not on the watch out customers will not be authenticated in case the main radius server fails mainly due to power failure. If i could get a solution to handle failover between the two radius servers i can have sleep at night.

Netwatch is a process / program /system thread.

You can "watch" other devices with it and take actions depending on their state IE: run a script that in you case alters the RADIUS server settings...

Crude but it sould do the job..

I would like to try that but am not good in writing scripts so if u can point me to a script which i can edit to suite my need I would appreciate.

so, accounting-backup RADIUS is not used for authentication?..

anyway, you will need some tool to synchronize your accounting data on both servers in case of failure of one of them

If "/radius" is set correctly, the second server should take over authentication and accounting without any entries if the first radius server fails. If you can post the output of "/radius print", that might help. Change the radius secrets tho.

/radius print value-list
1. service: ppp
login
hotspot
wireless
called-id:
domain:
address: 192.168.1.159
secret: xxxxxxxx
authentication-port: 1812
accounting-port: 1813
timeout: 1s
accounting-backup: yes
realm:


2. service: ppp
login
hotspot
wireless
called-id:
domain:
address: 192.168.200.159
secret: xxxxxxx
authentication-port: 1812
accounting-port: 1813
timeout: 3s
accounting-backup: no
realm:

so, accounting-backup RADIUS is not used for authentication?..

anyway, you will need some tool to synchronize your accounting data on both servers in case of failure of one of them

I have solved that using mysql replication on both servers but the underlying problem is switching over in case the main radius server stops working.

If you shut down the main radius server, the backup should take over, If not, it isn't any good, is it? Can you try it with the main radius server offline? If the backup doesn't take over, something is not correct.

I have tried that a couple of times and I noticed from logs that if the main server is off customers get RADIUS server not responding when trying to login and those already logged I get RADIUS accounting request not sent: no response.
Is it a bug in the radius package or what could be wrong? Anyone ?

I would set "accounting-backup=no" on both entries until you get both the servers responding.
Also try setting the radius timeout to a higher value.
/radius
set 0 timeout=600ms
set 1 timeout=600ms

EDIT: I see you have increased the timeout values already. Good move. And according to the docs on radius, "accounting backup=yes" should be used on the second (backup) server. I don't use it, so I can't check it right now to see what it does.

I have solved that using mysql replication on both servers but the underlying problem is switching over in case the main radius server stops working.

is it master/master replication?.. then set "accounting-backup: no" on both servers - in that case you should get authentication failover, and mysql replication will give you accounting failover

I have solved that using mysql replication on both servers but the underlying problem is switching over in case the main radius server stops working.

is it master/master replication?.. then set "accounting-backup: no" on both servers - in that case you should get authentication failover, and mysql replication will give you accounting failover

At the moment its master/slave replication. I will setup master/master replication and then disable accounting-backup as you advised.

It worked after changing the time out to different values on both radius client entries. I noticed they need to be well spaced to allow for failover.
Now mysql master-master replication takes care of syncing th databases

It worked after changing the time out to different values on both radius client entries. I noticed they need to be well spaced to allow for failover.

mmm?..

I set time out on both servers at different times and disabled accounting-backup. Is that better?

I set time out on both servers at different times and disabled accounting-backup. Is that better?

there should be no sense in setting different timeout values: second RADIUS should be queried only if first one do not respond...

Then why was it not working before I set different timeouts?

I tend to list the primary and secondary radius servers as alternate entries under Radius in winbox, with a timeout of 500ms.

They are also listed 3 times, so the MT gets 6 goes in 3 seconds to hit either remote Radius server.

The last entry on the MT is a third Local Radius server that has a 24-hour backup of the main authentication database on it.

With this setup some accounting records are lost if the primary falls over, but it doesn't really matter too much, as the accounting records are incremental, and are only used for dynamic bandwidth limiting/timeout kicking.

If i lost Authentication then that would be Bad. Loosing a few accounting records isn't such a big deal.

I tend to list the primary and secondary radius servers as alternate entries under Radius in winbox, with a timeout of 500ms.

They are also listed 3 times, so the MT gets 6 goes in 3 seconds to hit either remote Radius server.

The last entry on the MT is a third Local Radius server that has a 24-hour backup of the main authentication database on it.

With this setup some accounting records are lost if the primary falls over, but it doesn't really matter too much, as the accounting records are incremental, and are only used for dynamic bandwidth limiting/timeout kicking.

If i lost Authentication then that would be Bad. Loosing a few accounting records isn't such a big deal.

You are saying you have 2 radius servers and each sever has 3 entries under radius client in MT. I also have two radius servers (main and back up) . May initial setup has failed yet again once the main radius server went down so i have to define the main one again using winbox. If you don't mind please explain how to setup mine to work as failover just a yours does. Thanks.

/radius
add accounting-backup=no accounting-port=1813 address=Primary-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Primary-Secret service=hotspot timeout=500ms

add accounting-backup=no accounting-port=1813 address=Secondary-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Secondary-Secret service=hotspot timeout=500ms

add accounting-backup=no accounting-port=1813 address=Primary-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Primary-Secret service=hotspot timeout=500ms

add accounting-backup=no accounting-port=1813 address=Secondary-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Secondary-Secret service=hotspot timeout=500ms

add accounting-backup=no accounting-port=1813 address=Primary-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Primary-Secret service=hotspot timeout=500ms

add accounting-backup=no accounting-port=1813 address=Secondary-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Secondary-Secret service=hotspot timeout=500ms

add accounting-backup=no accounting-port=1813 address=Local-Radius-Server-IP \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=Local-Secret service=hotspot timeout=500ms

It appears that the MT tries each server in order.

If it doesn't get a reply for whatever reason, it tries the next on and so on.

You can looks at the stats for each Radius server entry on the MT to see if it 'falls through' and how often.

I Set as you explained but for some reason failover is not working. What version are you using? Am using 4.1 on a RB750G could it be a bug in my version?

4.1 or 4.10?

for some reason failover is not working

what do you see in RADIUS stats? are both servers queried?

I use 4.10 and I have timeouts on the secondary radius status when i set it to accounting-backup but nothing when i disable accounting-backup. I have run out of ideas now since it even stopped working and i havent changed anything.

I have upwards of 200 mikrotik + other devices accessing the same 3 Radius servers with no perceiveable problem.

However, i do not use Radius for ppp authentication, so maybe that's enough of a difference.

I *never* set Accounting-Backup because it seemed to break things early in testing, so i never tick it anymore.

If it is a matter of Timing, you might want to give VRRP a try, with the Two Radius servers doing MySQL replication, but both appearing to have the same IP address : if one fails, the second server takes over, and the authenticating equipment should not notice the difference.

Out of interest, *why* would your Primary Radius server break often enough for you to lose sleep ?

I have upwards of 200 mikrotik + other devices accessing the same 3 Radius servers with no perceiveable problem.

However, i do not use Radius for ppp authentication, so maybe that's enough of a difference.

I *never* set Accounting-Backup because it seemed to break things early in testing, so i never tick it anymore.

If it is a matter of Timing, you might want to give VRRP a try, with the Two Radius servers doing MySQL replication, but both appearing to have the same IP address : if one fails, the second server takes over, and the authenticating equipment should not notice the difference.

Am starting to think its the secondary server with the problem since i setup mysql master-master replication and still its not replicating in a timely manner. Just to ask i the main server runs on mysql 5.0 while the secondary is mysql 5.1 could it be the issue?

Out of interest, *why* would your Primary Radius server break often enough for you to lose sleep ?

Concerning My primary server going down its an issue with the national power provider. The power is very erratic and am still in the process of setting up a 24 hr power backup solution.

I have upwards of 200 mikrotik + other devices accessing the same 3 Radius servers with no perceiveable problem.

However, i do not use Radius for ppp authentication, so maybe that's enough of a difference.

I *never* set Accounting-Backup because it seemed to break things early in testing, so i never tick it anymore.

If it is a matter of Timing, you might want to give VRRP a try, with the Two Radius servers doing MySQL replication, but both appearing to have the same IP address : if one fails, the second server takes over, and the authenticating equipment should not notice the difference.

Am starting to think its the secondary server with the problem since i setup mysql master-master replication and still its not replicating in a timely manner. Just to ask i the main server runs on mysql 5.0 while the secondary is mysql 5.1 could it be the issue?

Out of interest, *why* would your Primary Radius server break often enough for you to lose sleep ?

Am starting to think its the secondary server with the problem since i setup mysql master-master replication and still its not replicating in a timely manner. Just to ask i the main server runs on mysql 5.0 while the secondary is mysql 5.1 could it be the issue?

Concerning My primary server going down its an issue with the national power provider. The power is very erratic and am still in the process of setting up a 24 hr power backup solution.

power problem.Ok - fix it with a UPS or two.

It is almost always better to have the same software version running for replication.

I found a power solution, i will move it to a building with 24hr generator backup next week. I will revisit radius failover after moving the radius manager.

Good Plan.

Also spend a few euros on a UPS or two, despite the generator.

You'll sleep a lot better.

Sure I will be doing that too.