acct/auth handling

Josh Hillman ( (no email) )
Tue, 3 Jun 1997 15:35:12 -0400

In a future release of RadiusNT/RadiusNT Admin, can an option be added to
make it so if accounting stops working, so does authentication (and vice
versa)? If this option is added and checked, it would force all radius
actions to be handled by a backup radius server. This may sound a bit
strange, but what's below describes the reasoning behind it.

Twice in the past month, our radiusNT (1.16.60) has stopped processing
accounting records but still was handling authentication properly. I know
what caused this to happen both times:
1st: Used RadNT .90 for a few hours and noticed that when a (null)
username attempts to be entered into the database, accounting dies and the
backup RadiusNT server picks it up (running strictly in text-mode). The
primary RadNT server runs only in ODBC mode. There are no problems with
..60. If I remember correctly, RadiusNT 2.2something is supposed to take
care of the problem I had with .90.
2nd: The data portion of the database filled up, preventing any further
data from being entered into the database (in this case, STOP records being
the important ones). This caused accounting to bounce over to the backup
machine again.

The reason why there was a problem each time is because we implement
concurrency control and almost all of the accounts have the ability to dial
in only once at a time. If accounting dies on the primary machine, but
authentication still works on the primary, then if someone who was already
online at the time accounting went down, the next time they attempt to log
on, they will NOT be authenticated because the system will still think
they're online (because a stop record was never received on the machine
that's still handling authentication (ODBC).

If I'm sitting in front of Emerald and realize that this just happened, I
can just "clear" that user from the On-Line tab, but when no one's around,
it's a problem. The above mentioned 2nd incident occured a few hours after
I left town on Friday. Over this past weekend, 7 people couldn't log on
because the system thought they were still logged on. At 12:12am Monday, I
realized that everyone who was "online" was online for over 3000 minutes,
so I cleared them all out and they were able to log on afterwards. When I
got into work that morning, I expanded the data portion of the database,
shut off RadiusNT on the backup server (to force the Max 4004 to start
resending the accounting records to the primary machine again), and
everything has been fine since then.


Josh Hillman