Hi all,
An AIX version is in production now. Almost everything I need works,
but (there's always a but?) I still have a question.
First the config:
The environment exists on two sites that are mirror images.
On every site:
a NAS (Cisco)
a Radius Server (AIX, freeradius Snapshot 11042002)
When a NAS fails the telco will fail over to the other NAS;
when a Radius server fails the NAS will select its twin sister.
The only thing this doesn't work for is Accounting.
When configuring in acct_users on node1:
-8<---
DEFAULT NAS-IP-Address == NAS1, Replicate-To-Realm := node2
DEFAULT NAS-IP-Address == NAS2, Replicate-To-Realm := node2
-8<---
and vice versa on node2, replicating to node1,
then an accounting loop starts that adds about 220KB to the detail file
for every packet received from a NAS. Probably the loop ends when a packet
gets too large. (Some Proxy-xxxx fields are added to every hop).
Therefore I changed the acct_users file to the following:
-8<---
DEFAULT Client-IP-Address == NAS1, Replicate-To-Realm := node2
DEFAULT Client-IP-Address == NAS2, Replicate-To-Realm := node2
-8<---
And that doesn't replicate at all... No error messages (well
recognizable ones) anywhere.
It can probably be solved by adding another layer of proxy servers
but I like to keep things as simple as possible.
And it would be nice to have all accounting records in one file
even when one of the Radius servers fails.
I do understand that if one radius server goes down it will lag,
but that can be taken care of in other ways, like getting a copy
from its twin.
Now the questions:
When is Client-IP-Address added to the packet? (probably too late)
Why can't Client-IP-Address be used as a check-item? (if it is in the request)
I have a patched freeradius to get it to work on AIX, and I am not aware
whether the patches sent to the list have been incorporated or not.
Therefore I'm reluctant to just get a new snapshot; it might break more
than it fixes. I've used the snapshot of April 11th as a base.
(I have no access to CVS, only ftp/http or mail; also development tools
are limited to make and gcc. No auto* tools etc.)
So more questions are:
What do I need to fix and
Where does it need fixing.
Best regards,
Nico Baggus
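
Added example, not part of the original post and not FreeRADIUS code: a toy Python model of the two acct_users rule sets, showing why a check on NAS-IP-Address keeps matching on every hop while a check on the packet's source address would stop after one replication. It assumes Client-IP-Address means the address the packet was received from; the sizes are constructed, and the post reports that the second form did not replicate at all on the author's snapshot, which this model does not explain.

```python
"""Toy model of mutual accounting replication between node1 and node2."""
MAX_PACKET = 4096        # RADIUS packet size limit (RFC 2865)
BASE_SIZE = 200          # constructed size of the NAS's Accounting-Request
PROXY_ATTR_SIZE = 40     # constructed size of the Proxy-* data added per hop

PEER = {"node1": "node2", "node2": "node1"}
NAS_ADDRS = {"NAS1", "NAS2"}

def matches(check_attr, packet):
    """Return True if the DEFAULT entry's check item selects this packet."""
    if check_attr == "NAS-IP-Address":
        # Attribute inside the request: set by the NAS, unchanged when forwarded.
        return packet["NAS-IP-Address"] in NAS_ADDRS
    if check_attr == "Client-IP-Address":
        # Assumption: the address this packet was received from.
        return packet["src"] in NAS_ADDRS
    raise ValueError(check_attr)

def run(check_attr, nas="NAS1", first_node="node1"):
    """Deliver one accounting packet; return {node: detail records written}."""
    detail = {"node1": 0, "node2": 0}
    packet = {"NAS-IP-Address": nas, "src": nas, "size": BASE_SIZE}
    node = first_node
    # Models the post's guess that the loop ends once the packet is too large.
    while packet["size"] <= MAX_PACKET:
        detail[node] += 1                    # one record in the detail file
        if not matches(check_attr, packet):
            break                            # no Replicate-To-Realm applies
        packet = {
            "NAS-IP-Address": packet["NAS-IP-Address"],
            "src": node,                     # the peer sees this node as sender
            "size": packet["size"] + PROXY_ATTR_SIZE,
        }
        node = PEER[node]
    return detail

if __name__ == "__main__":
    for attr in ("NAS-IP-Address", "Client-IP-Address"):
        print(attr, run(attr))
```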