Copying accounting packets to additional servers

Alan DeKok aland at deployingradius.com
Thu Jun 10 21:06:05 CEST 2021


On Jun 10, 2021, at 1:16 PM, Paul Moser via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> In addition to proxying accounting packets to a remote server we need to send a copy of those packets to other servers.
> 
> Only the result of the proxying needs to determine if an acknowledgement response is sent back to the client, however we do need to ensure the copies are received by the other servers.

  It's RADIUS and UDP.  Packet reception is "best effort".  Which usually works, but isn't guaranteed.

> In a pre or post proxy section I could write the packets to a file using the detail module and then have a virtual server listening to that file and sending the packets on to the other server. This would mean writing every packet to disk, and in some cases I need to send a copy to multiple places which would means writing the packet multiple times to disk - a lot of disk IO I would rather avoid if possible.
> 
> I've also looked at the replicate module, which whilst it will indicate if it failed because there is no live server to send to will otherwise ignore any response and so you don't know if it has been received.

  Replicate to another local radius server.  Then configure that to proxy to the various destinations.  It's a bit ugly, but it will work.

> I think I've seen mentioned in the past that v4 will include stuff that will make all this simpler but in the mean time do I have any other options?

  For v3, not a lot.  Changing this architecture is difficult.  Which is why we started on v4.

> I'm thinking maybe I could use the replicate module to loop the traffic I want copied back through the same FreeRadius instance with a virtual server listening on another port dedicated to that traffic and then use the normal proxying mechanisms with a Post-Proxy-Type Fail-Accounting section, fallback server etc to do robust proxying. It's a bit more config than just using the detail module aproach above and obviously means the FreeRadius instance is handling more packets but I feel I've got a better grasp on how the FreeRadius instance will perform with more packets based on what it is currently doing than I do if I suddenly add a lot of extra disk IO.

  Just run another local RADIUS server.  Configure it to listen on 127.0.0.1, and then make one "listen" port per destination home server.  It can then just proxy those packets directly to the home server, do retransmits, etc.  The configuration for each home server is essentially:

server mirror_home_server_one {
  listen {
	ipaddr = 127.0.0.1
	port = 10000  # make each one unique
	type = ...
	... anything else you need here ...
  }

authorize {
	update control {
		Proxy-To-Realm := "home_server_one"
	}
}
}

  And that's really about it.  Make sure there's a "proxy.conf" file which holds the definition for the home realm / server / etc.

  It might be simplest to put all this into a new directory, say /etc/raddb_local or something, just to be sure that the configurations don't stomp on each other.  And then start the server with "radiusd -d /etc/raddb_local", and it should be good to go.

  Alan DeKok.




More information about the Freeradius-Users mailing list