FreeRADIUS accounting to multiple destinations

Алексей Морозенко alexmorozenko at
Tue Jul 24 18:49:34 CEST 2018

> 24 июля 2018 г., в 17:35, Alan DeKok <aland at> написал(а):
> On Jul 24, 2018, at 8:42 AM, Алексей Морозенко <alexmorozenko at> wrote:
>> I'm using two fortigate instances in gcp for redundancy.
>> Because of google restrictions I can't use them in HA mode so
>> load-balancing does the trick for me.
>> I have identical access policies on fortigates based on user group.
>> User group is delivered to fortigates by RSSO (RADIUS SSO) by sending to
>> them accounting packets.
>> I use two FreeRADIUS 3.0.15 servers on Ubuntu 16.04
>> I have 3 LDAP modules for 3 LDAP servers in redundant-load-balance mode
>> User can be in several groups so I
>> edited /etc/freeradius/mods-config/files/pre-proxy to reflect group needed
>> for me to assign access to user in Reply-Message attribute:
>> ...
>> preacct {
>>           ...
>>           files *#(this enables sending reply with group name in
>> Reply-Message attribute)*
> Note that it adds attributes to the *reply*.

I'm incorrect telling «reply», I mean after successfull authorization NAS sends accounting request to my RADIUS and then RADIUS proxies that request to FG-1 and FG-2
Doesn't matter what's it's name, by using files in preacct (pre-proxy) I insert additional attribute «Reply-Message» containing group name in accounting REQUEST from NAS. And further this modified accounting request being proxied to forti according realms.
Am I right?

>> accounting {
>>                ...
>>                replicate
>>      update control {
>>                      Replicate-To-Realm      := fortigate02 *#(this
>> copies my accounting to second fortunate)*
> That replicates the *request* to the home server.
> Since the request isn't the reply, the request doesn't contain the attributes you added.
> You have to add the attributes to the *request* in order for them to be proxied (or replicated) to a home server.

Now it's clear for me.
I should add replicate module and update control in accounting section

>> Finally, my problem.
>> The problem is that I see accounting copy on second fortigate, *but without
>> groups*.
> Yes.  That's what you configured it to do.

>> I realize that I replicate accounting to new realm and my pre-proxy file
>> will not work for it so that't why I included in pre-proxy second file with
>> that realm:
> The "replicate" module doesn't run the "pre-proxy" section.  The documentation and debug output makes this clear.

Too much debug, production system, second forti appeared unexpectedly, i didn't see that ( Will try viewing it at non-business time
>> And this should work (I think). Or not?
>> Tell me please, is my idea right for things I want to do?
> Do you want the replicated request to contain attributes?  Then add the attributes to the request.

Do you mean I should use /etc/freeradius/mods-config/files/accounting for that?
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list