On 5 Oct 2011, at 12:50, Phil Mayers wrote:

> On 05/10/11 09:56, Arran Cudbard-Bell wrote:
>> 
>> On 5 Oct 2011, at 10:40, Phil Mayers wrote:
>> 
>>> On 10/05/2011 09:26 AM, Alan DeKok wrote:
>>>> Phil Mayers wrote:
>>>>> I guess that's ok, in that it stops an unresponsive realm
>>>>> blocking other realms, but wouldn't another solution be to add
>>>>> a config item to the detail reader to drop packets which are > X
>>>>> seconds old?
>>>> 
>>>> if (Acct-Delay-Time > 3600) { ok } else { ... do proxy .... }
>>> 
>>> 
>>> Ah ha! Clever. I had forgotten the detail reader created/updated
>>> that attribute. Yay FreeRADIUS!
>> 
>> It's a bad way of doing it. At least with replicate every accounting
>> packet has a chance... Using Acct-Delay-Time you'll end up dumping
>> anywhere between 1-15 seconds of accounting data for all realms if one
>> realm is unreachable.
> 
> Whereas with rlm_replicate, you risk dropping arbitrary accounting packets 
> because there is no retry.
> There is no ideal solution, because radius accounting was never designed for 
> the kind of loosely-coupled federation that is Eduroam.
> For me, since most Eduroam sites don't care about receiving federated 
> accounting, my primary concern is for my server to carry on functioning, and 
> that means the detail file should not grow without bound. I don't really care 
> how that happens - as long as it does.


True. Both solutions suck in their own unique ways.

Roll on RADSEC.

-Arran

Arran Cudbard-Bell
[email protected]

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
