RADIUS fail-over config sends Accounting requests to all servers

  • Question
  • Updated 2 years ago
  • Answered
Hello,

I have configured two RADIUS servers for authentication (see attached picture). Despite the priority configuration and the Round-Robin setting (see other picture), it seems the controller sends Accounting packets to both servers.

I tried to disable strict mode and configured the RADIUS in the WLAN section (see third picture). The behaviour is the same.

This causes me a problem as each RADIUS server (FreeRADIUS instance) hosts a MySQL database for accounting records. Both DBs being replicated in Master-Master, the simultaneous arrival of accounting packets from the controller to both RADIUS servers causes the replication to crash (as entries with same Accounting-Session-Id are inserted on each database).

I have noticed that the Round-Robin setting is for Authentication only. Is there a way to do the same for Accounting as well?

Thanks in advance for your help.

Guillaume-Jean Herbiet


Posted 2 years ago


Gareth Mitchell, Extreme Escalation Support Engineer

Hello

I will look into this and get back to you.

-Gareth

Umut Aydin, Escalation Support Engineer

Hi,

This is FAD.

If there are multiple servers configured, authentication is done per priority.

The one with lowest number will do the authentication.
Accounting, on the other side, should be done on all servers, no matter what priority is configured.
Now, you might ask why we have priority checkbox for Accounting.
The only purpose it serves is when we are in strict mode (for use with Policy Mgr & NAC Mgr).
In strict mode the first 3 RADIUS servers in the accounting priority list will be used for accounting and the rest will be ignored.
In the case of authentication, the first 3 RADIUS servers in the authentication priority list will be used for authentication, 1 at a time, with the priority 1 server being used for authentication exclusively until it fails.

Regards
Umut

Gareth Mitchell, Extreme Escalation Support Engineer

Hello

See the following article: https://gtacknowledge.extremenetworks.com/articles/How_To/Are-radius-accounting-packets-sent-to-all-radius-servers-with-accounting-configured

In order to request a change in this behaviour I would recommend you contact your local account team SE and ask them to process a feature request for you.

-Gareth
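
The behaviour discussed in this thread, modelled as an added example that is not code from any poster or from the controller: authentication goes to one server by priority, accounting goes to all servers, and the same Accounting-Session-Id then collides when each master replays the other's insert. Assumptions: SQLite stands in for the MySQL masters, the table has a unique key on the session id, the server names and session id are constructed, and the single-target accounting case is hypothetical.

```python
import sqlite3

# Constructed sample data: server names, priorities and the session id are made up.
SERVERS = {"radius1": 1, "radius2": 2}
SESSION = ("5F3A-0001", "alice")

def auth_target(servers, down=()):
    """Authentication: lowest priority number among the first 3 that is still up."""
    for name in sorted(servers, key=servers.get)[:3]:
        if name not in down:
            return name
    return None

def acct_targets(servers, strict=False):
    """Accounting: every server; in strict mode only the first 3 by priority."""
    ordered = sorted(servers, key=servers.get)
    return ordered[:3] if strict else ordered

def new_master():
    db = sqlite3.connect(":memory:")  # SQLite stands in for each MySQL master
    db.execute("CREATE TABLE radacct (acctsessionid TEXT PRIMARY KEY, username TEXT)")
    return db

def simulate(targets):
    """Deliver one Accounting-Start to `targets`, then replay every local
    insert on the other master, as master-master replication would."""
    masters = {name: new_master() for name in SERVERS}
    insert = "INSERT INTO radacct VALUES (?, ?)"
    for name in targets:
        masters[name].execute(insert, SESSION)
    failed = []
    for origin in targets:
        for name, db in masters.items():
            if name == origin:
                continue
            try:
                db.execute(insert, SESSION)
            except sqlite3.IntegrityError:  # duplicate key: replication stops here
                failed.append(name)
    rows = {n: db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
            for n, db in masters.items()}
    return failed, rows

if __name__ == "__main__":
    print(simulate(acct_targets(SERVERS)))   # behaviour described in the thread
    print(simulate([auth_target(SERVERS)]))  # hypothetical: accounting follows priority
```
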