FreeRADIUS accounting to multiple destinations

Алексей Морозенко alexmorozenko at gmail.com
Tue Jul 24 14:42:31 CEST 2018


Hi to all,
I'm using two FortiGate instances in GCP for redundancy.
Because of Google restrictions I can't use them in HA mode, so
load-balancing does the trick for me.
I have identical access policies on the FortiGates based on user group.
The user group is delivered to the FortiGates by RSSO (RADIUS SSO) by sending
accounting packets to them.
I use two FreeRADIUS 3.0.15 servers on Ubuntu 16.04.
I have 3 LDAP modules for 3 LDAP servers in redundant-load-balance mode.
A user can be in several groups, so I
edited /etc/freeradius/mods-config/files/pre-proxy to reflect the group needed
for me to assign access to the user in the Reply-Message attribute:

DEFAULT ldap01-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
                                Reply-Message := hr
DEFAULT ldap02-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
                                Reply-Message := hr
DEFAULT ldap03-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
                                Reply-Message := hr
proxy.conf contains two pools with one server each (the FortiGates which
receive accounting packets) and two realms:
home_server fortigate-vm01 {
                                type = acct
                                ipaddr = 10.10.15.192
                                ...
}
home_server fortigate-vm02 {
                                type = acct
                                ipaddr = 10.10.0.59
                                ...
}

home_server_pool fortigate-vm02 {
                                home_server = fortigate-vm02
}

home_server_pool fortinet-vms {
                                home_server = fortigate-vm01
}


realm DEFAULT {
                                acct_pool = fortinet-vms
}

realm fortigate02 {
                                acct_pool = fortigate-vm02
}
And I've enabled the replicate module in the server configuration:
/etc/freeradius/sites-enabled/default:
...
preacct {
             ...
             files   # this enables sending a reply with the group name in the Reply-Message attribute
             ...
}

accounting {
                  ...
                  replicate
                  update control {
                          Replicate-To-Realm := fortigate02   # this copies my accounting to the second FortiGate
                  }
...
}

Finally, my problem.
The problem is that I see the accounting copy on the second FortiGate, *but without
groups*.
I realize that I replicate accounting to a new realm and my pre-proxy file
will not work for it, so that's why I included in pre-proxy a second file with
that realm:
/etc/freeradius/mods-config/files/pre-proxy:
$INCLUDE /etc/freeradius/mods-config/files/pre-proxy.fortigate02

/etc/freeradius/mods-config/files/pre-proxy.fortigate02:
fortigate02 ldap01-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
                                Reply-Message := hr
fortigate02 ldap02-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
                                Reply-Message := hr
fortigate02 ldap03-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
                                Reply-Message := hr

And this should work (I think). Or not?
Please tell me, is my idea right for the things I want to do?
Should I use the replicate module in accounting (as is said in the module
description) or in preacct (because I do group filtering and group
attribute assigning in it)?
Thanks.

Best regards, Alex Morozenko
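The group mapping in the post relies on how the FreeRADIUS `files` module matches an entry: the first column is compared against the request's key (User-Name by default, or DEFAULT for "any user"), every check item on that line must match, and the reply items are applied from the first entry that matches. The evaluator below is an added illustration written for this page, not FreeRADIUS code or the poster's configuration; it assumes the key is User-Name, that check items are all `attr == value` comparisons where any value of a multi-valued attribute may match, and that the first matching entry wins (no Fall-Through handling). The entries and requests it runs against are constructed from the post, and the extra entry keyed on the literal name `fortigate02` is there only to show what a non-DEFAULT key column actually matches.

```python
"""
Tiny evaluator for FreeRADIUS ``files``-module style entries (added example,
not FreeRADIUS code).  Assumptions: the key column is matched against
User-Name, DEFAULT matches any user, check items are all "attr == value"
(any value of a multi-valued attribute may match), and the first matching
entry wins (no Fall-Through handling).
"""
import re
from dataclasses import dataclass, field

HR_GROUP = "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"

# Constructed sample: the three DEFAULT entries from the post.
SAMPLE_ENTRIES = """\
DEFAULT ldap01-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
        Reply-Message := hr
DEFAULT ldap02-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
        Reply-Message := hr
DEFAULT ldap03-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
        Reply-Message := hr
"""

# Constructed sample: an entry whose key column is a literal name rather
# than DEFAULT, so it only applies when User-Name equals that literal.
LITERAL_KEY_ENTRIES = """\
fortigate02 ldap01-LDAP-Group == "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
        Reply-Message := hr
"""

CHECK_RE = re.compile(r'(\S+)\s*==\s*("[^"]*"|[^\s,]+)')
REPLY_RE = re.compile(r'(\S+)\s*:=\s*("[^"]*"|[^\s,]+)')


@dataclass
class Entry:
    key: str
    checks: list                      # [(attr, value), ...]
    replies: list = field(default_factory=list)


def _unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def parse_entries(text):
    """Parse users-file style text: unindented key+check line, indented reply lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():          # indented line: reply item for the last entry
            m = REPLY_RE.match(line.strip())
            if not m or not entries:
                raise ValueError("bad reply line: %r" % line)
            entries[-1].replies.append((m.group(1), _unquote(m.group(2))))
        else:                          # key column followed by check items
            key, _, rest = line.partition(" ")
            checks = [(a, _unquote(v)) for a, v in CHECK_RE.findall(rest)]
            entries.append(Entry(key, checks))
    return entries


def match_entry(entry, request):
    """request maps attribute name -> list of values (RADIUS attributes are multi-valued)."""
    user = request.get("User-Name", [None])[0]
    if entry.key != "DEFAULT" and entry.key != user:
        return False
    return all(value in request.get(attr, []) for attr, value in entry.checks)


def evaluate(entries, request):
    """Return the reply items of the first matching entry, or None if nothing matches."""
    for entry in entries:
        if match_entry(entry, request):
            return dict(entry.replies)
    return None


def reply_message(entries_text, request):
    """Convenience wrapper: the Reply-Message the entries would add, or None."""
    replies = evaluate(parse_entries(entries_text), request)
    return None if replies is None else replies.get("Reply-Message")


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ENTRIES)
    # alice was resolved via ldap02 and is in the hr group: second DEFAULT entry hits.
    print(evaluate(entries, {"User-Name": ["alice"], "ldap02-LDAP-Group": [HR_GROUP]}))
    # bob is in no hr group: no entry matches and no Reply-Message is added.
    print(evaluate(entries, {"User-Name": ["bob"], "ldap02-LDAP-Group": ["cn=it,cn=groups,cn=accounts,dc=office,dc=lan"]}))
```

Because each LDAP module adds its own `ldapNN-LDAP-Group` attribute, one DEFAULT entry per module is needed, which is exactly the shape of the posted file; the evaluator makes that per-module matching visible on sample requests.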
