multiple freeradius instances with sqlippool, is it safe?

Nathan Ward lists+freeradius at daork.net
Tue Mar 22 10:34:47 UTC 2022


> On 22/03/2022, at 11:24 PM, Matteo Sgalaberni <sgala at sgala.com> wrote:
> 
> Seems to be a concurrency issue that occurred because the BRAS (Cisco ASR1001X) sent the auth packet and the acct packets to different radius servers and executed the queries in a logically wrong order.
> 
> Can this scenario happen also in a single server setup? E.g.: the accounting stop packet is processed after the authentication packet.

Sure - if the BRAS sends them in different orders, or if one is delayed by the network or all sorts of different reasons.

> My impression is that the BRAS should send the auth and acct to the same server. Also the radius should process the packets in the right order to prevent this issue.

No - there’s no rules about that.

It’s not really clear exactly what you mean by this situation - why is the BRAS sending auth then stop then start? You should post the full debug per the list instructions so it’s possible to see what the BRAS is sending. Please don’t obscure the IP addresses and things either - it just makes it difficult to debug.

> Can you share with me your BRAS "aaa *" configuration?

Not really, sorry - for starters I don’t run Cisco BNGs on any networks that I look after at present, and if I did it wouldn’t be relevant to your network.


My guess, though I would need to confirm with proper debug, is that your BNG is rejecting the address and letting the customer online some other way. Maybe your RADIUS servers are configured differently.

--
Nathan Ward


