FreeRADIUS accounting to multiple destinations

Алексей Морозенко alexmorozenko at gmail.com
Tue Jul 24 18:49:34 CEST 2018



> On 24 Jul 2018, at 17:35, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jul 24, 2018, at 8:42 AM, Алексей Морозенко <alexmorozenko at gmail.com> wrote:
>> I'm using two fortigate instances in gcp for redundancy.
>> Because of google restrictions I can't use them in HA mode so
>> load-balancing does the trick for me.
>> I have identical access policies on fortigates based on user group.
>> User group is delivered to fortigates by RSSO (RADIUS SSO) by sending to
>> them accounting packets.
>> I use two FreeRADIUS 3.0.15 servers on Ubuntu 16.04
>> I have 3 LDAP modules for 3 LDAP servers in redundant-load-balance mode
>> User can be in several groups so I
>> edited /etc/freeradius/mods-config/files/pre-proxy to reflect group needed
>> for me to assign access to user in Reply-Message attribute:
>> ...
>> preacct {
>>           ...
>>           files *#(this enables sending reply with group name in
>> Reply-Message attribute)*
> 
> Note that it adds attributes to the *reply*.

I was incorrect in saying «reply». I mean that after successful authorization the NAS sends an accounting request to my RADIUS, and then RADIUS proxies that request to FG-1 and FG-2.
It doesn't matter what it's called; by using files in preacct (pre-proxy) I insert an additional attribute «Reply-Message» containing the group name into the accounting REQUEST from the NAS. Then this modified accounting request is proxied to the Fortis according to realms.
Am I right?

> 
>> accounting {
>>                ...
>>                replicate
>>      update control {
>>                      Replicate-To-Realm      := fortigate02 *#(this
>> copies my accounting to second fortunate)*
> 
> That replicates the *request* to the home server.
> 
> Since the request isn't the reply, the request doesn't contain the attributes you added.
> 
> You have to add the attributes to the *request* in order for them to be proxied (or replicated) to a home server.

Now it's clear to me.
I should add the replicate module and update control in the accounting section.

> 
>> Finally, my problem.
>> The problem is that I see accounting copy on second fortigate, *but without
>> groups*.
> 
> Yes.  That's what you configured it to do.


> 
>> I realize that I replicate accounting to new realm and my pre-proxy file
>> will not work for it so that't why I included in pre-proxy second file with
>> that realm:
> 
> The "replicate" module doesn't run the "pre-proxy" section.  The documentation and debug output makes this clear.

Too much debug, production system, the second Forti appeared unexpectedly, I didn't see that ( I'll try viewing it at a non-business time.
> 
>> And this should work (I think). Or not?
>> Tell me please, is my idea right for things I want to do?
> 
> Do you want the replicated request to contain attributes?  Then add the attributes to the request.

Wait.
Do you mean I should use /etc/freeradius/mods-config/files/accounting for that?
> 
> Alan DeKok.
> 
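An added configuration sketch, not from the thread and not the poster's own config, showing the shape Alan describes: the group attribute is put into the *request* list before `replicate` runs, so the replicated copy carries it as well as the proxied one. It assumes the `files` lookup keeps returning the group as a Reply-Message item (as in the thread), that the copy-from-reply step is how it reaches the request list, and that `fortigate02` is the realm name from the thread.

```unlang
accounting {
    # Look up the user's group.  In this thread the group comes from a
    # files-module entry; here it is assumed to land in the reply list as
    # Reply-Message, which is where rlm_files puts reply items.
    files

    # Neither proxying nor replication sends the reply list onward, so the
    # group must be copied into the request list to reach a home server.
    if (&reply:Reply-Message) {
        update request {
            &Reply-Message := "%{reply:Reply-Message}"
        }
    }

    # Replicate-To-Realm has to be set in the control list *before*
    # rlm_replicate is called; it is read when the module runs.
    update control {
        &Replicate-To-Realm := fortigate02
    }
    replicate

    # The normal proxied copy (Proxy-To-Realm) is sent after this section
    # finishes and now also contains the attribute added above.
    ...
}
```

Checking the result in `radiusd -X` output: the Accounting-Request logged for both home servers should list `Reply-Message`, whereas before the copy step only the proxied packet would.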