2 Accounting replication with radrelay.
7 Often people run multiple radius servers; at least one primary and
8 one backup server. When the primary goes down, most NASes detect that
9 and switch to the backup server.
11 That will cause your accounting packets to go the the backup
12 server - and some NASes don't even switch back to the primary
13 server when it comes back up.
15 That means you miss accounting records or must jump through hoops
16 to combine the different detail files from multiple servers. It
17 also means that the session database ("radutmp", used for radwho
18 and simultaneous use detection) gets out of sync.
22 Radrelay is a program that does the equivalent of tail(1) on a
23 accounting detail file. Each time the server writes a packet
24 to this file, radrelay reads it and sends it to a remote radius
25 server. If all works well, radrelay gets replies from the remote
26 server as it should. When it reaches end-of-file, it locks the
27 file, renames it to <filename>.work, and waits for all it's
28 accounting requests to get answered. As soon as they are
29 answered, <filename.work> is deleted.
31 When radrelay starts up it first checks for <filename.work>
32 before it starts processing the standard detail file. This
33 ensures that no packets get lost.
35 Even if the primary server is down for a day, or if the secondary
36 server crashes and reboots, radrelay will buffer the accounting
37 packets and send them to the remote accounting server.
39 Radrelay checks the "Client-IP-Address" attribute in each record,
40 and if it's the same as the remote server it will not replicate
41 that record to prevent loops. That means you can point radrelay
42 to the primary server on the backup host, and to the backup server
43 on the primary host, to have complete records on both.
47 First, you should make radiusd log to an extra, single detail file.
48 This is probably done easiest by adding an extra instance of the
49 detail module to your radiusd.conf.
54 detailfile = %A/%{Client-IP-Address}/detail-%Y%m
59 detailfile = ${radacctdir}/detail-combined
74 In the above example, the instance detail1 of the detail module
75 represents your original detail logging. detail2 will create a
76 detail file dedicated only to radrelay. Note the use of "locking = yes",
77 this is _very very_ important when using the detail module in combination
78 with radrelay. It's used to keep both the detail module and radrelay
79 playing nice with each other.
81 Next, you need to fire up radrelay.
85 radrelay -S secret_file <server> detail-combined
87 The use of -S is recommended over -s due to the fact that your secret
88 won't show up with ps. You should also make sure your secret file is not
91 You should never logrotate your detail file, radrelay will take care of
94 3. REPLICATION AND PROXYING
96 If you have a primary and a backup server with identical configs
97 that both proxy for certain realms to other radius servers, the
98 remote server might end up with duplicate accounting info - the
99 accounting packet is received by the backup server, proxied to
100 the remote server and replicated to the primary server, then the
101 primary server proxies the same packet to the remote radius server
102 again because it doesn't know that that was already done.
104 To prevent this scenario, FreeRADIUS writes an extra attribute
105 to the detail file if it has proxied the accounting packet, the
106 vendor-specific attribute 'Freeradius-Proxied-To'. It contains the
107 address of the remote radius server. Radrelay replicates this
108 attribute just like any other to the primary server. If the
109 primary server wants to proxy an accounting packet to a remote
110 radius server, it first checks the packet to see if the
111 'Freeradius-Proxied-To' attribute is present. If it is, and it
112 contains the IP address of the remote radius server, it knows
113 that it doesn't need to proxy this packet to the remote server
114 once more. Problem solved!
118 Only attributes that are defined in the dictionary are replicated.
119 Unknown attributes are simply ignored.
121 Radrelay doesn't re-read its config files on a SIGHUP. It uses
122 two config files - the dictionary (which can consist of multiple
123 files ofcourse if you use $INCLUDE) and possibly the secret file.
124 If you modify one of those files you need to restart radrelay.
127 Original - Miquel van Smoorenburg <miquels@cistron.nl>
128 Written for the Cistron radius project.
129 2002-06-09 - Simon Ekstrand <simon@routemeister.net>
130 Ported to the FreeRADIUS project.