issues with radius proxy settings

Prem Khanal prem.khanal at n4l.co.nz
Wed Aug 21 02:47:01 CEST 2019


Hi Team,

I am running FreeRADIUS 3.0.16 on Ubuntu 18.04 as a proxy server. The setup
is such that the device enrollment management system forwards RADIUS
accounting packets to the RADIUS proxy, and the RADIUS proxy server then
forwards the accounting packets to one or more FortiGates that accept
RADIUS accounting packets.

The issue I am having is that when one of the FortiGates is not able to
accept packets (a network-level or firewall-level issue), the proxy server
starts creating detail and detail.work files, and as soon as the FortiGate
interface is up, it (the RADIUS proxy) tries to push the backlog from these
files. The problem is that if the interface has been down for a couple of
hours, the backlog is so huge (and new requests keep coming in) that it
cannot forward current traffic to that specific firewall. If I delete the
detail and detail.work files and restart the FreeRADIUS server, then it
starts functioning normally. I believe I am missing some configuration.
Kindly guide me as to what the workaround for this could be.

I am looking for the following solution:

1. Is there any way to set up a notification as soon as the FreeRADIUS
proxy marks a FortiGate as a zombie?
2. The proxy just stops functioning (even though it is trying to process
the detail and detail.work files in the background), i.e. it stops
forwarding accounting packets to the specific firewall even after the
communication issue is resolved. How can we make it more resilient?

====================Proxy.conf=================
home_server mainFortigate {
        type = acct
        ipaddr = <<IP>>
        port = 1813
        secret = <<secret>>
        response_window = 40
        zombie_period = 20
        revive_interval = 20
        status_check = status-server
        check_interval = 10
        check_timeout = 100
        num_answers_to_alive = 5
        max_outstanding = 65536
        coa {
                # Initial retransmit interval: 1..5
                irt = 2

                # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
                mrt = 16

                # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
                mrc = 5

                # Maximum Retransmit Duration: 5..60
                mrd = 30
        }
}

home_server_pool mainFortigatePool {
        type = fail-over
        home_server = mainFortigate
}



realm mainFortigateRealm {
        #
        #  Realms point to pools of home servers.
        #
        #  If you have a "home_server_pool" where all of the home servers
        #  are of type "auth+acct", you can just use the "pool"
        #  configuration item, instead of specifying both "auth_pool"
        #  and "acct_pool".

        acct_pool = mainFortigatePool
        nostrip

        #  There are no more configuration entries for a realm.
}
==============================================
==========copy-acct-to-home-server========
=============dynamically determine the realm=============

if (request:User-Name =~ /@/) {
        if (request:Huntgroup-Name != '') {
                update control {
                        Proxy-To-Realm := request:Huntgroup-Name
                }
        }
}
================================================

Kindly let me know if more detail is needed.

-- 
Regards
Prem
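For the notification asked about in question 1, one approach is to watch radiusd.log for the home-server state changes and raise an alert on each zombie transition and a recovery message (with the outage length, i.e. how long accounting was queued to detail files) on each alive transition. The following is an added example written for this thread, not code from FreeRADIUS or from the original poster; the log lines are constructed, and the exact "Marking home server ... as zombie" / "... alive" wording is an assumption to verify against your own radiusd.log.

```python
import re
from datetime import datetime

# Constructed radiusd.log excerpt ("<date> : <Level>: <message>" layout).
# The zombie/alive message wording is assumed; check it against your log.
SAMPLE_LOG = """\
Wed Aug 21 01:00:00 2019 : Info: Ready to process requests
Wed Aug 21 01:05:12 2019 : Warning: Marking home server 192.0.2.10 port 1813 as zombie (it has not responded in 40.000000 seconds).
Wed Aug 21 03:12:45 2019 : Info: Marking home server 192.0.2.10 port 1813 alive
Wed Aug 21 03:20:00 2019 : Warning: Marking home server 192.0.2.11 port 1813 as zombie (it has not responded in 40.000000 seconds).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) : \w+: "
    r"Marking home server (?P<ip>\S+) port (?P<port>\d+) (?P<state>as zombie|alive)"
)


def parse_transitions(log_text):
    """Return (datetime, 'ip:port', 'zombie'|'alive') for each state change."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        state = "zombie" if m.group("state") == "as zombie" else "alive"
        out.append((ts, f"{m['ip']}:{m['port']}", state))
    return out


def build_alerts(log_text, notify=None):
    """Track per-home-server state. Returns (messages, servers still zombie).
    `notify` is an optional callable (e.g. mail/pager hook) invoked per message."""
    down_since = {}
    messages = []
    for ts, server, state in parse_transitions(log_text):
        if state == "zombie" and server not in down_since:
            down_since[server] = ts
            msg = (f"ALERT {ts:%Y-%m-%d %H:%M:%S}: {server} marked zombie; "
                   f"accounting is now being queued to detail files")
        elif state == "alive" and server in down_since:
            secs = int((ts - down_since.pop(server)).total_seconds())
            msg = (f"RECOVERED {ts:%Y-%m-%d %H:%M:%S}: {server} alive after {secs}s; "
                   f"expect detail-file backlog replay")
        else:
            continue  # repeated zombie, or alive with no recorded outage
        messages.append(msg)
        if notify:
            notify(msg)
    return messages, set(down_since)
```

Feed it `tail -F /var/log/freeradius/radiusd.log` output (or run it from cron over the last N lines) and pass a `notify` callable that sends the message where you want it.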

