Re: Freeradius proxy accounting
Mailing List wrote:

> I want that my radius immediately responds to the NAS regardless of the state of the home server. My radius does not have to wait for the response of the home server, it sends the ACK back immediately to the NAS.

You want to read raddb/sites-available/decoupled-accounting. You can proxy the packets rather than write them to a DB.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius proxy accounting
Hi,

I have freeradius (A) up and running that proxies accounting messages to another freeradius (B). Is it possible to configure (A) in such a way that it will always acknowledge towards the NAS even when (B) is not responding to a proxied accounting message coming from (A)?

Now, if (B) is down, (A) will also not respond back to the NAS and the NAS keeps on retrying. (A) is configured to put the accounting in a mysql database.

Basically, I want that (A) always sends an ACK back to the NAS regardless of the state of (B).

Thx,
Kurt
Re: Freeradius proxy accounting
Hi,

Well, you have to clarify what you want to do - if you want your radius server (A) to respond if the home server (B) is down or not. But both scenarios are possible and can be achieved with freeradius.

kind regards
Pshem

2008/8/4 Mailing List [EMAIL PROTECTED]:

> Hi,
>
> I have freeradius (A) up and running that proxies accounting messages to another freeradius (B). Is it possible to configure (A) in such a way that it will always acknowledge towards the NAS even when (B) is not responding to a proxied accounting message coming from (A)?
>
> Now, if (B) is down, (A) will also not respond back to the NAS and the NAS keeps on retrying. (A) is configured to put the accounting in a mysql database.
>
> Basically, I want that (A) always sends an ACK back to the NAS regardless of the state of (B).
>
> Thx,
> Kurt
Re: Freeradius proxy accounting
Hi,

I want that my radius immediately responds to the NAS regardless of the state of the home server. My radius does not have to wait for the response of the home server, it sends the ACK back immediately to the NAS.

Regards,
Kurt

On 04 Aug 2008, at 05:47, Pshem Kowalczyk wrote:

> Hi,
>
> Well, you have to clarify what you want to do - if you want your radius server (A) to respond if the home server (B) is down or not. But both scenarios are possible and can be achieved with freeradius.
>
> kind regards
> Pshem
>
> 2008/8/4 Mailing List [EMAIL PROTECTED]:
>
>> Hi,
>>
>> I have freeradius (A) up and running that proxies accounting messages to another freeradius (B). Is it possible to configure (A) in such a way that it will always acknowledge towards the NAS even when (B) is not responding to a proxied accounting message coming from (A)?
>>
>> Now, if (B) is down, (A) will also not respond back to the NAS and the NAS keeps on retrying. (A) is configured to put the accounting in a mysql database.
>>
>> Basically, I want that (A) always sends an ACK back to the NAS regardless of the state of (B).
>>
>> Thx,
>> Kurt
Re: Can FreeRADIUS proxy accounting requests to multiple systems?
On Thu, 12 Jun 2008, Ivan Kalik wrote:

> I hope you are using the same database to store authentication data for your users.

The FreeRADIUS servers are both querying (replicated) LDAP servers for authentication (and authorization) data.

> And that both are writing accounting data into the same radacct table.

No: they're each writing the accounting data to local files. No database there.

> If that is so, you don't need to proxy accounting from one radius server to the other - they already have a complete picture. Just configure them both to proxy accounting to the NMS.

I think that what you're saying is that with a slightly different configuration than I have, what I'm trying to do should be quite simple.

--
Sylvain Robitaille [EMAIL PROTECTED]
Systems and Network analyst
Concordia University
Instructional Information Technology
Montreal, Quebec, Canada
Re: Can FreeRADIUS proxy accounting requests to multiple systems?
On Thu, 12 Jun 2008, Alan DeKok wrote:

>> I'm looking to have both of these systems proxy incoming accounting data to each other, ...
>
> That should be easy. See the detail file readers in raddb/sites-available/copy-acct-to-home-server.

Ok. I've been looking in the right place for that.

>> I'd also like to have them proxy the accounting data to a third system (commercial appliance type of system, though I understand that it does use FreeRADIUS as its RADIUS server) ...
>
> It's one of 3 products, all of which are (so far as I know) years out of date in their version of FreeRADIUS.

It's not as bad as you think:

    radiusd: FreeRADIUS Version 1.1.6, for host i686-redhat-linux-gnu, built on Sep 26 2007 at 13:14:25
    Copyright (C) 2000-2007 The FreeRADIUS server project.
    ...

It's not FreeRADIUS-2.x, but it's also not years out of date. :-) I'm sure it's good enough to receive accounting-request data, and process them as intended. (no need for it to proxy back to my RADIUS servers as I intend that they'll already be proxying between each other.)

>> ... (... I expect that the NMS would get from each RADIUS server only accounting-request packets that weren't already proxied from the partner RADIUS server, to avoid it receiving duplicate data).
>
> That can be done. You just have to set it up carefully. If all else fails, add attributes to the accounting packet saying where it was proxied to, and then don't re-proxy it there...

Brilliant! Thanks for that.

> You will need two versions of copy-acct-to-home-server, one for each destination.

Ok, that helps clarify things already.

> Set up one first and get it working. Then set up another one and get it working.

Agreed.

> Then, ensure that requests sent to one server don't end up getting proxied through 2 other servers back to itself.

Right. The NMS thing won't be proxying back to the other two anyway, but I do want to be sure those two don't create a proxying loop ...

--
Sylvain Robitaille [EMAIL PROTECTED]
Systems and Network analyst
Concordia University
Instructional Information Technology
Montreal, Quebec, Canada
Re: Can FreeRADIUS proxy accounting requests to multiple systems?
> No: they're each writing the accounting data to local files. No database there.
>
>> If that is so, you don't need to proxy accounting from one radius server to the other - they already have a complete picture. Just configure them both to proxy accounting to the NMS.
>
> I think that what you're saying is that with a slightly different configuration than I have, what I'm trying to do should be quite simple.

Yes. If you merge accounting by writing to the same database you don't need to proxy accounting packets between radius servers and that will make proxy situation much simpler.

Ivan Kalik
Kalik Informatika ISP
Can FreeRADIUS proxy accounting requests to multiple systems?
Me again ...

I have two FreeRADIUS-2.0.3 systems providing AAA for our wireless networks and a couple of other (less widely used) services. The NAS devices are configured with both, and which one is likely to receive access-request or accounting-request packets at any given time from any given NAS is essentially undefined (though they appear to be functioning in a mostly failover fashion, rather than any sort of load-balancing, given that there is a large majority of traffic going to one of the two FreeRADIUS servers).

I'm looking to have both of these systems proxy incoming accounting data to each other, so that they both have complete, up-to-date data regarding which users are presently authenticated on which services, but I'd also like to have them proxy the accounting data to a third system (commercial appliance type of system, though I understand that it does use FreeRADIUS as its RADIUS server) which might act as our wireless network management system (we're presently evaluating it). It would use this accounting data to correlate end-user systems (by MAC addresses obtained from NAS devices) with user account names (from the RADIUS accounting data).

I've been trying to understand the comments in raddb/sites-available/copy-acct-to-home-server, raddb/proxy.conf, and the relevant parts of raddb/radiusd.conf, but I'm not sure I have yet understood whether what I want can be done: proxy accounting-request packets from both production RADIUS servers to each other AND to the wireless network management system (though I expect that the NMS would get from each RADIUS server only accounting-request packets that weren't already proxied from the partner RADIUS server, to avoid it receiving duplicate data).
I've started setting up proxy.conf as indicated below my signature, and I expect I'll need a sites-enabled/copy-acct-to-home-server, but I'm pretty sure that the proxy.conf as I now have it would not proxy the requests to both the partner RADIUS server and the wireless network management system at the same time (not failover nor load-balance, but proxy to both simultaneously). I'm hoping that someone can offer guidance.

Desired flow of accounting-request packets:

                                +---------+
                            +-->| RADIUS2 |
    +-----+    +---------+  |   +---------+
    | NAS |--->| RADIUS1 |--+
    +-----+    +---------+  |   +---------+
                            +-->| WIFINMS |
                                +---------+

OR

                                +---------+
                            +-->| RADIUS1 |
    +-----+    +---------+  |   +---------+
    | NAS |--->| RADIUS2 |--+
    +-----+    +---------+  |   +---------+
                            +-->| WIFINMS |
                                +---------+

--
Sylvain Robitaille [EMAIL PROTECTED]
Systems and Network analyst
Concordia University
Instructional Information Technology
Montreal, Quebec, Canada

--- old/proxy.conf.20080612 2008-03-27 12:47:55.0 -0500 +++ proxy.conf 2008-06-12 13:16:39.0 -0400 @@ -57,7 +57,7 @@ # # allowed values: {yes, no} # - default_fallback = no + default_fallback = yes } @@ -114,7 +114,7 @@ # acct - Handles Accounting-Request packets # auth+acct - Handles Access-Request packets at port, # and Accounting-Request packets at port + 1 - type = auth + type = acct # # Configure ONE OF the following two entries: @@ -146,7 +146,7 @@ # Usually 1812 for type auth, and 1813 for type acct. # Older servers may use 1645 and 1646. # - port = 1812 + port = 1813 # # The shared secret use to encrypt and sign packets between 
@@ -306,6 +306,30 @@ # Useful range of values: 3 to 10 num_answers_to_alive = 3 } +home_server radius2 { + type = acct + ipaddr = radius2 + port = 1813 + secret = testing123 + response_window = 20 + zombie_period = 40 + revive_interval = 120 + status_check = status-server + check_interval = 30 + num_answers_to_alive = 3 +} +home_server wifinms { + type = acct + ipaddr = wifinms + port = 1813 + secret = testing123 + response_window = 20 + zombie_period = 40 + revive_interval = 120 + status_check = status-server + check_interval = 30 + num_answers_to_alive = 3 +} ## @@ -320,7 +344,7 @@ # 10 'realm sections, and one home_server_pool section to tie the # two together. # -home_server_pool my_auth_failover { +home_server_pool
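Review bot: in the @@ -306,6 +306,30 @@ hunk, both new home_server blocks (radius2 and wifinms) use "secret = testing123", the sample secret from the stock FreeRADIUS configuration. The shared secret is what authenticates accounting packets between the proxy and each home server, so give each home server its own long random secret. Also confirm that wifinms actually answers Status-Server before keeping "status_check = status-server" for it: a home server that ignores those packets can never collect the "num_answers_to_alive = 3" replies needed to be marked alive again.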
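Review bot: the @@ -114,7 +114,7 @@ and @@ -146,7 +146,7 @@ hunks switch an existing home_server entry in place from "type = auth" / "port = 1812" to "type = acct" / "port = 1813", and the context lines do not show which entry that is. If an authentication pool still references it, that pool loses its Access-Request target. Leaving the stock entry untouched and relying only on the new acct entries added further down would avoid that; otherwise add a comment on the changed entry saying why it was repurposed.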
Re: Can FreeRADIUS proxy accounting requests to multiple systems?
Sylvain Robitaille wrote:

> I'm looking to have both of these systems proxy incoming accounting data to each other, so that they both have complete, up-to-date data regarding which users are presently authenticated on which services,

That should be easy. See the detail file readers in raddb/sites-available/copy-acct-to-home-server.

> but I'd also like to have them proxy the accounting data to a third system (commercial appliance type of system, though I understand that it does use FreeRADIUS as its RADIUS server) which might act as our wireless network management system (we're presently evaluating it).

It's one of 3 products, all of which are (so far as I know) years out of date in their version of FreeRADIUS.

> I've been trying to understand the comments in raddb/sites-available/copy-acct-to-home-server, raddb/proxy.conf, and the relevant parts of raddb/radiusd.conf, but I'm not sure I have yet understood whether what I want can be done: proxy accounting-request packets from both production RADIUS servers to each other AND to the wireless network management system (though I expect that the NMS would get from each RADIUS server only accounting-request packets that weren't already proxied from the partner RADIUS server, to avoid it receiving duplicate data).

That can be done. You just have to set it up carefully. If all else fails, add attributes to the accounting packet saying where it was proxied to, and then don't re-proxy it there...

> I've started setting up proxy.conf as indicated below my signature, and I expect I'll need a sites-enabled/copy-acct-to-home-server, but I'm pretty sure that the proxy.conf as I now have it would not proxy the requests to both the partner RADIUS server and the wireless network management system at the same time (not failover nor load-balance, but proxy to both simultaneously). I'm hoping that someone can offer guidance.

You will need two versions of copy-acct-to-home-server, one for each destination. Set up one first and get it working. Then set up another one and get it working. Then, ensure that requests sent to one server don't end up getting proxied through 2 other servers back to itself.

Alan DeKok.
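The tag-and-skip idea from the reply above, as an added Python model that is not part of the thread and is not FreeRADIUS configuration. It uses the thread's three host names; the marker attribute name `X-Proxied-To` and the sample packet are hypothetical and constructed for the example.

```python
from collections import defaultdict

# Copy targets per server, following the desired flow in the thread.
COPY_TARGETS = {
    "radius1": ["radius2", "wifinms"],
    "radius2": ["radius1", "wifinms"],
    "wifinms": [],  # the NMS only consumes accounting data
}
MARKER = "X-Proxied-To"  # hypothetical attribute name, not a real dictionary entry


def deliver(server, packet, received, tag=True, hops=0, max_hops=8):
    """Record one Accounting-Request on `server`, then copy it onward."""
    if hops > max_hops:  # safety stop so the untagged run terminates
        return
    received[server].append(packet["Acct-Session-Id"])
    # Servers already named in the marker must not get this packet again.
    already = set(packet.get(MARKER, []))
    targets = [t for t in COPY_TARGETS[server] if t not in already]
    for target in targets:
        copy = dict(packet)
        if tag:
            # Say where the packet has been and where it is being sent.
            copy[MARKER] = sorted(already | set(targets) | {server})
        deliver(target, copy, received, tag, hops + 1, max_hops)


def simulate(first_hop, tag=True):
    """Return how many copies of one packet each server ends up with."""
    received = defaultdict(list)
    # Constructed sample packet as the NAS would send it (no marker yet).
    packet = {"Acct-Session-Id": "sess-0001", "Acct-Status-Type": "Start"}
    deliver(first_hop, packet, received, tag)
    return {name: len(ids) for name, ids in received.items()}


if __name__ == "__main__":
    print("tagged,   NAS -> radius1:", simulate("radius1"))
    print("tagged,   NAS -> radius2:", simulate("radius2"))
    print("untagged, NAS -> radius1:", simulate("radius1", tag=False))
```

With tagging, each server holds exactly one copy whichever production server the NAS contacts; without it, the two production servers bounce the packet between them and the NMS receives a duplicate on every bounce.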
Re: Can FreeRADIUS proxy accounting requests to multiple systems?
> I'm looking to have both of these systems proxy incoming accounting data to each other, so that they both have complete, up-to-date data regarding which users are presently authenticated on which services, but I'd also like to have them proxy the accounting data to a third system (commercial appliance type of system, though I understand that it does use FreeRADIUS as its RADIUS server) which might act as our wireless network management system (we're presently evaluating it).

I hope you are using the same database to store authentication data for your users. And that both are writing accounting data into the same radacct table. If that is so, you don't need to proxy accounting from one radius server to the other - they already have a complete picture. Just configure them both to proxy accounting to the NMS.

Ivan Kalik
Kalik Informatika ISP