Access-Request counter on accounting server with TCP/TLS & Freeradius Proxy

Alan DeKok aland at deployingradius.com
Fri May 31 13:40:35 UTC 2024


On May 31, 2024, at 9:29 AM, Marcin Majkowski via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I've encountered a rising number of Access-Requests when I
> switched proxy.conf from Replicate-To-Realm by udp to Proxy-To-Realm with
> tcp+tls.
> The number of Access-Requests is gathered via the builtin status server in
> the accounting server.
> [echo -e "Message-Authenticator = 0x00\nFreeRADIUS-Statistics-Type = 3" |
> radclient -x 127.0.0.1:18121 status pass-pass  ]
> What I mean by rising: from a noise level of ~1 req/s up to 200 req/s.

  The server doesn't invent requests, so if there are more packets going out, it's usually because there are more packets coming in.

> After some debug, to my surprise there is no significant number of
> Access-Request in stdout when running freeradius acct in foreground mode as
> freeradius -fxxx -l stdout. Apart from Access-Accept sent to Status-Server
> which is expected/fine.
> 
> Setup is:
> 3 hosts (proxy/auth/acct) with: radiusd: FreeRADIUS Version 3.2.4 (git
> #7e8f34ec5)
> [ FreeRADIUS Version 3.2.3 (git #db3d1924d) - was also affected ]
> 1st host is acting only as proxy, it forwards request to acct and auth
> servers via local haproxy(tcp+tls).
> Haproxy is configured to listen on different ports for both and in
> proxy.conf servers are set as different under same realm. (I've also set
> them to different realms accordingly, no change)
> 
> Is it an expected behaviour when using Proxy-To-Realm instead of
> Replicate-To-Realm?

  Proxy-To-Realm causes the server core to proxy the packets.

  Replicate-To-Realm causes the rlm_replicate module to send packets.

  So the only difference in counters is the different behavior necessary for each one.

  Alan DeKok.



