(RADIATOR) Problems with RADIUS accounting

Alex Sharaz A.Sharaz at hull.ac.uk
Thu Apr 17 11:36:55 CDT 2008


Chaps,
I've got a problem here that seems to be associated with Accounting when
using a database to store accounting information

Production system

3 real servers, each server running 2 instances of radiator - one for
authentication and one for accounting

These servers are front ended by a Foundry ServerironXL device that load
balances radius acct and auth requests over

Authentication is performed by proxying of auth requests to a pair of legacy
steel belted radius servers.

I've got a couple of perl hooks that access the back end database when
authenticating.

My radius config has a number of session log definitions for various types
of RAS, e.g. HP switches doing 802.1x, Trapeze Networks wireless kit. In
addition to this I've split how I process the accounting records by having a
handler statement for Accounting Start records, Accounting Alive records and
Accounting Stop records,
so for our HP wired network I have the following sessionlog definitions.

Hull_Wired_Start_mysql creates a record in the radonline table
Hull_wired_alive_mysql updates the above record with session time and data
transmitted info
Hull_Wired_Stop_mysql deletes the radonline record.

The above are replicated for the various other systems.

I'm also using ClientListSQL to keep track of my RAS clients

Test system

Dell 2850 server 8Gbytes of ram radiator 4.2


The database for both setups sits on a redhat 5.1 64 bit system - dual 3Ghz
processors with 12Gbytes of ram that also provides support for my db2 V9.5
system. At the moment the box is hardly being used.

The mysql database uses InnoDB tables and I'm using the sample radSupport DB
definitions.

The problem I'm having is that with only about 20 switches I'm seeing loads
of "failure to connect to Radius server" messages at the switch end. It's
not the authentication, it's the accounting side of things that is causing
the problem.

Initially I thought it might have been the load balancer but it doesn't look
as if it is. I've got an HP switch in my office that I use to test dot1x
authentication so I pointed it at my development Radiator server for acct
and auth. The only common point was the back end mysql database. This switch
did the same thing as the others and there are only 2 clients authenticating
to it, a Mac OSX machine and a Vista machine, and they're both mine.

I then rewrote the Sessionlog statements to use the DB2 database running on
the same machine ... which looked as if things might have worked. However, I
then pointed the Trapeze accounting at the devel server and almost
immediately started getting failure to connect to radius server messages on
the Trapeze console. As it happened there was an error in an sql statement
for the sessionlog that dealt with updates. After I fixed this it looked as
if things were working o.k. The problem is that it's now 5:32 on a Thursday
and there's not a lot of traffic around.

I really can't see anything wrong anywhere or why I'm getting these errors.
Eventually we'll have 2 or 3 hundred switches passing accounting info to
this setup and at the moment it looks as if it's not going to cope, which is
silly.

I understand that FreeRadius 2.0 has some form of buffering facility whereby
if the server loses connection with the back end database it queues up
accounting info on disk until connection to the database is restored.


Any help/thoughts/suggestions appreciated.

Alex
