Copy-acct-to-home-server Issue
Alan DeKok
aland at deployingradius.com
Fri Jul 10 22:54:17 CEST 2015
On Jul 10, 2015, at 4:06 PM, Ricardo Larrañaga <ricardo.larranaga at gmail.com> wrote:
>> Or, they're received in a different order, and that causes problems.
>
> Could you explain a little bit more what kind of problems this could cause?
Account sessions go start / update / update / stop. If the packets are received in a different order, things can go wrong.
> Is it receiving packets in a different order for that user/session, or just
> receiving packets in a different order from that server?
All of that.
> I would like to see if there is a way to minimize this behaviour. I read
> that the server has support for radius over tcp. I don't know anything
> about it, but would it be possible to proxy between servers over tcp? Would
> that solve the reordering issue?
Maybe. But I wouldn't bother. Making the system robust will be better in the long run.
>> Why? Just run the script once, and have it write RADIUS packets to a
>> detail file. Those can be replicated to every server.
>
> This was my first idea all along, and I have the code ready. I ran into an
> issue though, I started using the server with the default calculation for
> unique accounting session:
>
> Acct-Unique-Session-Id :=
> "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
>
> Now, the problem that I have is that some of my NAS send both NAS-Port and
> NAS-Port-ID. NAS-Port is not on the accounting database, so I cannot really
> add it to the attribute, and that makes the accounting session ID
> different. I would also prefer not to add it, as I don't use it for anything.
If the Acct-Session-Id attribute is unique, you can just use that, and ignore Acct-Unique-Session-Id.
> The options that i see are:
>
> -Force all my NAS to not send NAS-Port (I am working on this, but it is not
> solved yet. I am not sure how to do it yet, or if it is possible)
Maybe.
> -Change the calculation so it does not include the NAS-Port attribute. This
> would be my preferred option, but in order to do this (since I already have
> sessions opened), I also need to update my database with the new
> calculation. How is that md5 calculated? Is it a plain md5 of the
> concatenation of the fields?
Yes. See the debug output. It prints out the input to the MD5, and the output MD5 hash.
Alan DeKok.
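
Added example, not part of the original message and not FreeRADIUS code: a Python sketch that recomputes the quoted Acct-Unique-Session-Id template with and without NAS-Port, so existing database rows can be remapped and checked for IDs that merge. It assumes unset attributes expand to an empty string and that the hash is lowercase hex; the helper names, the "NAS-Address" placeholder and the sample values are constructed for illustration.

```python
import hashlib

# Attribute order of the default template quoted in the thread; "NAS-Address"
# stands for %{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}.
DEFAULT_FIELDS = ("User-Name", "Acct-Session-ID", "NAS-Address",
                  "NAS-Identifier", "NAS-Port-ID", "NAS-Port")
# Reduced calculation discussed in the thread: the same list without NAS-Port.
NO_PORT_FIELDS = DEFAULT_FIELDS[:-1]

def md5_input(attrs, fields):
    """Build the comma-joined string that is fed to MD5."""
    values = []
    for name in fields:
        if name == "NAS-Address":
            value = attrs.get("NAS-IPv6-Address") or attrs.get("NAS-IP-Address")
        else:
            value = attrs.get(name)
        values.append(value or "")  # assumption: unset attribute -> empty string
    return ",".join(values)

def unique_session_id(attrs, fields):
    """Lowercase hex MD5 of the joined fields (assumed output format)."""
    return hashlib.md5(md5_input(attrs, fields).encode("utf-8")).hexdigest()

def remap(rows, fields):
    """Map each stored ID to its recomputed ID; report IDs that now collide."""
    mapping, seen, collisions = {}, {}, []
    for row in rows:
        new_id = unique_session_id(row, fields)
        old_id = row["Acct-Unique-Session-Id"]
        mapping[old_id] = new_id
        if seen.setdefault(new_id, old_id) != old_id:
            collisions.append((seen[new_id], old_id))
    return mapping, collisions

# Constructed sample: one session, seen once with NAS-Port and once without.
WITH_PORT = {"User-Name": "alice", "Acct-Session-ID": "0000A1",
             "NAS-IP-Address": "192.0.2.10", "NAS-Identifier": "nas1",
             "NAS-Port-ID": "ge-0/0/1", "NAS-Port": "17"}
WITHOUT_PORT = {k: v for k, v in WITH_PORT.items() if k != "NAS-Port"}

if __name__ == "__main__":
    for label, fields in (("default", DEFAULT_FIELDS), ("no NAS-Port", NO_PORT_FIELDS)):
        print(label, repr(md5_input(WITH_PORT, fields)),
              unique_session_id(WITH_PORT, fields))
```

Compare the printed input string and hash with the server's debug output for the same packet before rewriting any rows; pairs returned in `collisions` are stored IDs that would merge under the new calculation.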