Freeradius 2.1 - Accounting packets mirroring
Olivier Beytrison
olivier at heliosnet.org
Wed Feb 26 15:36:40 CET 2014
On 26.02.2014 14:48, Antonio Modesto Amaral Sousa wrote:
> We are testing a new equipment from Allot
> (Netenforcer) that can do traffic analysis and traffic shaping, in order
> for this equipment to work correctly and recognize our subscribers
> traffic, it needs to receive a copy of our radius accounting requests
> and responses
We had to do the same for the Identity-Awareness of our new Check Point
firewalls.
That's how I did it:
1. define a home_server, home_server_pool and realm for your Allot

    #### Allot ####
    home_server my.allot.box {
        type = acct
        # address of the box that receives the copies
        ipaddr = x.x.x.x
        port = 1813
        proto = udp
        # shared secret; must match the one configured on the receiving box
        secret = 123456
        require_message_authenticator = no
    }

    home_server_pool ALLOT {
        type = fail-over
        home_server = my.allot.box
    }

    realm ACCT-ALLOT {
        acct_pool = ALLOT
        nostrip
    }

Then in your VS config file, in preacct {} add:

    update control {
        Replicate-to-Realm := ACCT-ALLOT
    }
    replicate

You can read the raddb/modules/replicate file for more information on
how it works.
This will send a copy of any accounting messages received by your
freeradius. Freeradius doesn't expect any reply to those messages so the
performance impact is null.
It works like a charm in our case ;)
Regards,
Olivier B.
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: olivier at heliosnet.org