Community discussions

 
xcracker
just joined
Topic Author
Posts: 5
Joined: Tue Feb 18, 2014 1:25 pm

Two Radius Servers

Tue May 27, 2014 2:42 pm

Hello,

I have two identical radius servers with SQLIPPOOL and mikrotiks configured with this. (The radius server sends to MT the ip address of client)

This is functionally, but when primary radius server fails and MT uses secondary server, this(MT) sends an Accounting-On packet to server(2), and this release all ip address of clients connected from this, ocurring duplicate ip address for new authentications.

I set secondary radius with accounting-backup, with no effects, this sends accounting-on again.

Anyone have this problem in past?

Thanks.

Bruno
 
leonset
Member Candidate
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Two Radius Servers

Tue May 27, 2014 5:06 pm

How does the router which is the "main" and which one is the "backup" radius server?
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Two Radius Servers

Tue May 27, 2014 5:20 pm

How does the router which is the "main" and which one is the "backup" radius server?
It is the order that the servers are entered in the "/radius" section. First entry is the primary. The second entry is the backup. Only if the primary does not respond will the router contact the secondary server.
 
xcracker
just joined
Topic Author
Posts: 5
Joined: Tue Feb 18, 2014 1:25 pm

Re: Two Radius Servers

Tue May 27, 2014 5:54 pm

How does the router which is the "main" and which one is the "backup" radius server?
It is the order that the servers are entered in the "/radius" section. First entry is the primary. The second entry is the backup. Only if the primary does not respond will the router contact the secondary server.
SurferTim, how I do to MT dont send Accounting-On when switching radius servers?
 
leonset
Member Candidate
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Two Radius Servers

Tue May 27, 2014 6:08 pm

Good to know, thanks!

@xcracker
If using Freeradius, check the file ippool.conf in /etc/freeradius/sql/mysql (or equivalent for your distro). You'll find an "on-clear" query which states something like this:
## This series of queries frees the IP numbers allocated to a
## NAS when an accounting ON record arrives
on-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = NULL \
 WHERE nasipaddress = '%{Nas-IP-Address}'"
As you can see it will free all IP's coming from your NAS IP. Three options come to my mind:

1- Changing the SQL query to take into account the IP address of the radius server. And that would imply modifying the other accounting queries and the DB to store that info.

2- Put a second IP in a different network in your NAS and in your second radius server, so when NAS contacts Radius the %{NAS-IP-Address} would be different (from the one NAS uses to reach the main Radius server) and the Accounting start won't remove the IP's from your pool. You'll need to edit the allocate-clear query so it won't keep in mind the %{NAS-IP-Address} whe freeing IP's. The reason is that if a user logs in through the 2nd radius and at the time he logs out the 1st radius is up, the %{NAS-IP-Address} wouldn't match and the query wouldn't be able to free up the IP.

3- Have 2 separete pools for each Radius servers. And be quite fast in recovering the first Radius if it goes down!

I would definitely try number 2. Get ready for some serious testing and debugging, tough...

Who is online

Users browsing this forum: MSN [Bot] and 9 guests