Simultaneous Proxy of Acct Messages to two External Radius Servers Using Replicate-To-Realm

Jason Everard everardnz at gmail.com
Mon Dec 10 22:19:59 CET 2012


We have been trying to get freeradius to work to do something I know works
because I have seen it posted to this list on a few occasions.

We have a Radius NAS (Cisco WLC) that is sending auth data to multiple
Radius servers (not freeradius rather MS NPS and Cisco ACS and Cisco ISE).
Problem is that we have several Radius receivers that need to see all of
the accounting records from the WLC to make decisions re: the 802.11i
session.

So the sole function of the freeradius deployment is to proxy all received
accounting packets to multiple Radius receivers simultaneously.

We have been trying to get it to work with "Replicate-To-Realm := ISE" in
the corresponding virtual-server configuration, however it doesn't work.
The only way we can get the freeradius installation to send accounting
packets to another external radius box is to use "Proxy-To-Realm" which
requires a response from the server and does not seem to send the radius
accounting packets to more than the first realm listed, i.e.

preacct {
    preprocess
    update control {
        Replicate-To-Realm := ISE
        Replicate-To-Realm += BlueCoat
    }
}

Doesn't work at all. However, the following will send the accounting
packets to the ISE realm and NOT to the BlueCoat realm until the ISE realm
is marked dead.

preacct {
    preprocess
    update control {
        Proxy-To-Realm := ISE
        Proxy-To-Realm += BlueCoat
    }
}

We want the Replicate-To-Realm functionality where the behaviour is to
"send-and-forget" and to NOT require an accounting response from either
server and where all packets are sent to ALL realms listed.

We are running 2.1.12 currently. Is this maybe a bug that is fixed in 2.2.0?

Regards,

Jason
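
The "send-and-forget to ALL realms" behaviour asked for above, sketched as an added example that is not part of the original post and is not FreeRADIUS code. It shows the one step a replicator cannot skip: each copy of an Accounting-Request needs its Request Authenticator recomputed with that receiver's shared secret (RFC 2866). The realm names come from the post; the addresses, secrets, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request

# Constructed sample values: documentation addresses and made-up secrets.
REALMS = {
    "ISE": (("192.0.2.10", 1813), b"ise-secret"),
    "BlueCoat": (("192.0.2.20", 1813), b"bluecoat-secret"),
}
# Constructed attributes: Acct-Status-Type = Start, Acct-Session-Id = "sess-0001"
SAMPLE_ATTRS = bytes([40, 6]) + struct.pack("!I", 1) + bytes([44, 11]) + b"sess-0001"

def acct_authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()

def resign(packet: bytes, secret: bytes) -> bytes:
    """Return the same request with the authenticator recomputed for `secret`."""
    return packet[:4] + acct_authenticator(packet, secret) + packet[20:]

def verify(packet: bytes, secret: bytes) -> bool:
    """Check code, length and authenticator of an Accounting-Request."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    # Simplification: trailing padding beyond Length is rejected, not trimmed.
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    return hmac.compare_digest(packet[4:20], acct_authenticator(packet, secret))

def build_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a signed Accounting-Request, as the NAS would."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return resign(header + b"\x00" * 16 + attrs, secret)

def replicate(packet, nas_secret, realms, send):
    """Send one re-signed copy to every realm; never wait for a reply."""
    if not verify(packet, nas_secret):
        return []  # drop requests that do not verify against the NAS secret
    for addr, secret in realms.values():
        send(resign(packet, secret), addr)
    return list(realms)

if __name__ == "__main__":
    sent = []
    pkt = build_request(7, SAMPLE_ATTRS, b"nas-secret")
    print(replicate(pkt, b"nas-secret", REALMS, lambda d, a: sent.append(a)), sent)
```

Passing the `sendto` method of a UDP socket as `send` turns this into a real fan-out; a receiver that is given a copy signed with the wrong secret will silently discard it.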