(RADIATOR) tigris and accounting
Magnus Drougge
magnus.drougge at rixtelecom.se
Mon Oct 14 04:45:05 CDT 2002
Hi!
I have a non-fatal problem that I've been looking at for some time
now. The situation is as follows (forgive me for not keeping this
short):
* 2 radius servers, primary and secondary (v 2.18.2) running on
2.4.x Linux (x86)
* 7-slot tigris (v 11.5.x)
* a number of DSL clients
* a much larger number of dial-up clients.
We allow anyone to phone in and get a dial-up connection (as we earn
money on ticks, not subscription fees). Thus a very simple radius
setup with an AuthByTest section is sufficient for our needs.
We also have a limited number of DSL clients. Those clients are
authenticated agains an MySQL database.
All in all, about 10'000 authentications are made on a daily basis.
The DSL clients is responsible for about 10% of the radiator's
workload and there is absolutely no problem there.
However, only about 0.2 percent of the authenticated dial-up connections
are properly accounted for. When looking at debug traces it seems that
the accounting requests isn't even sent from the tigris!
When we had a closer look at the tigris it turned out that it repeatedly
failed to send accounting requests to our radius, rendering the server
'down' for most of the time. Authentication still works as a charm...
We thought that to be a bit odd as the secondary server is a mirror
installation and tigris seemed to be much happier about that one.
The next step was to reverse the order in tigris and letting the
secondary server act as a proxy to the primary. The result is that we
now have a 'hit-rate' of about 3-4 percent. Well, it's a great
improvement but still outrageous...
Finally.
When looking at the statistics at the tigris there are some failed
accounting requests but the result should not even come close to the
figures we have. On the other hand, according to the tigris
statistics, the number of accounting requests sent (including failed
ones) compared to the number of authentication requests makes our
figures more reasonable.
Obviously the tigris refuses to send accounting requests for almost
every successful authentication request.
Is anyone recognizing the problem? Is there any more information I
can provide in order to help producing a solution?
Earlier I wrote that this is a non-fatal problem. Well, it is. Sort of.
More information about the radiator
mailing list