FreeRADIUS accounting to multiple destinations
Alan DeKok
aland at deployingradius.com
Tue Jul 24 16:35:47 CEST 2018
On Jul 24, 2018, at 8:42 AM, Алексей Морозенко <alexmorozenko at gmail.com> wrote:
> I'm using two fortigate instances in gcp for redundancy.
> Because of google restrictions I can't use them in HA mode so
> load-balancing does the trick for me.
> I have identical access policies on fortigates based on user group.
> User group is delivered to fortigates by RSSO (RADIUS SSO) by sending to
> them accounting packets.
> I use two FreeRADIUS 3.0.15 servers on Ubuntu 16.04
> I have 3 LDAP modules for 3 LDAP servers in redundant-load-balance mode
> User can be in several groups so I
> edited /etc/freeradius/mods-config/files/pre-proxy to reflect group needed
> for me to assign access to user in Reply-Message attribute:
> ...
> preacct {
> ...
> files *#(this enables sending reply with group name in
> Reply-Message attribute)*
Note that it adds attributes to the *reply*.
> accounting {
> ...
> replicate
> update control {
> Replicate-To-Realm := fortigate02 *#(this
> copies my accounting to second fortigate)*
That replicates the *request* to the home server.
Since the request isn't the reply, the request doesn't contain the attributes you added.
You have to add the attributes to the *request* in order for them to be proxied (or replicated) to a home server.
> Finally, my problem.
> The problem is that I see accounting copy on second fortigate, *but without
> groups*.
Yes. That's what you configured it to do.
> I realize that I replicate accounting to new realm and my pre-proxy file
> will not work for it so that's why I included in pre-proxy second file with
> that realm:
The "replicate" module doesn't run the "pre-proxy" section. The documentation and debug output make this clear.
> And this should work (I think). Or not?
> Tell me please, is my idea right for things I want to do?
Do you want the replicated request to contain attributes? Then add the attributes to the request.
Alan DeKok.
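
A sketch of the fix described in the reply above, added here as an illustration; it is not configuration from the original thread or from the FreeRADIUS project. It assumes the group name was placed in reply:Reply-Message by the "files" call in preacct, as in the quoted configuration, and reuses the realm name fortigate02 from the question.

```unlang
accounting {
	# ... other accounting modules elided, as in the quoted configuration ...

	#  "replicate" clones the *request* to the home server and does not
	#  run the pre-proxy section, so anything that must reach the second
	#  FortiGate has to be in the request list before "replicate" runs.
	#
	#  Assumption: preacct/files has already put the group name into
	#  reply:Reply-Message. Copy it into the request.
	if (&reply:Reply-Message) {
		update request {
			&Reply-Message := &reply:Reply-Message
		}
	}

	#  Choose the destination realm, then send the copy.
	update control {
		Replicate-To-Realm := "fortigate02"
	}
	replicate
}
```

Running the server with `radiusd -X` shows whether the update ran and whether Reply-Message is in the request list at the point the "replicate" module is called.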