Re: acct/auth handling

Dale E. Reed Jr.
Tue, 3 Jun 1997 13:55:29 -0700

On Tue, 3 Jun 1997, Josh Hillman wrote:

> 1st: Used RadNT .90 for a few hours and noticed that when a (null)
> username attempts to be entered into the database, accounting dies and the
> backup RadiusNT server picks it up (running strictly in text-mode). The
> primary RadNT server runs only in ODBC mode. There are no problems with
> .60. If I remember correctly, RadiusNT 2.2something is supposed to take
> care of the problem I had with .90.

Yes. The problem is that RadiusNT 1.16.90 saw the insert error and
didn't ack the NAS. RadiusNT 2.2 will.

> 2nd: The data portion of the database filled up, preventing any further
> data from being entered into the database (in this case, STOP records being
> the important ones). This caused accounting to bounce over to the backup
> machine again.

Ain't nothing we can do about that! :(

> The reason why there was a problem each time is because we implement
> concurrency control and almost all of the accounts have the ability to dial
> in only once at a time. If accounting dies on the primary machine, but
> authentication still works on the primary, then if someone who was already
> online at the time accounting went down, the next time they attempt to log
> on, they will NOT be authenticated because the system will still think
> they're online (because a stop record was never received on the machine
> that's still handling authentication (ODBC)).

Except for the DB fill up, if both RadiusNT servers are hitting the
same DB, you should be fine, even if it does roll over to the
second one.

> If I'm sitting in front of Emerald and realize that this just happened, I
> can just "clear" that user from the On-Line tab, but when no one's around,
> it's a problem. The above-mentioned 2nd incident occurred a few hours after
> I left town on Friday. Over this past weekend, 7 people couldn't log on
> because the system thought they were still logged on. At 12:12am Monday, I
> realized that everyone who was "online" was online for over 3000 minutes,
> so I cleared them all out and they were able to log on afterwards. When I
> got into work that morning, I expanded the data portion of the database,
> shut off RadiusNT on the backup server (to force the Max 4004 to start
> resending the accounting records to the primary machine again), and
> everything has been fine since then.

Moral of the story: Watch your database space. <GRIN>

We are working on a new program that will check to see if
users are on-line and if they are not, will clear them
automatically. This will happen every 5 mins or so and
should alleviate this problem.

Dale
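
The stale-session cleanup discussed in this thread, sketched as an added example (not RadiusNT or Emerald code, and not written by either poster). The `online` table layout, the function names, and the idea of comparing against a port list polled from the NAS are all assumptions; the sample rows are constructed.

```python
import sqlite3

def make_db():
    # Hypothetical "online" table; the real RadiusNT/Emerald schema is not shown in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE online (username TEXT, nas TEXT, port INTEGER, start_ts INTEGER)")
    return db

def authorize(db, username, max_sessions=1):
    # Concurrency control: deny when the user already holds max_sessions rows.
    (n,) = db.execute("SELECT COUNT(*) FROM online WHERE username = ?", (username,)).fetchone()
    return n < max_sessions

def reap_stale(db, live_ports, now, grace=300):
    """Delete online rows the NAS no longer reports; return the cleared usernames.

    live_ports: set of (nas, port, username) polled from the NAS, or None if the
    poll failed. A failed poll clears nothing, so an unreachable NAS cannot
    silently switch off the one-login-per-account limit.
    grace: seconds during which a new row is kept even if the poll missed it.
    """
    if live_ports is None:
        return []
    cleared = []
    for rowid, user, nas, port, start in db.execute(
            "SELECT rowid, username, nas, port, start_ts FROM online").fetchall():
        if now - start >= grace and (nas, port, user) not in live_ports:
            db.execute("DELETE FROM online WHERE rowid = ?", (rowid,))
            cleared.append(user)
    db.commit()
    return sorted(cleared)

def demo():
    db, now = make_db(), 1_000_000
    # Constructed rows: alice's STOP was lost, bob is really online, carol just connected.
    db.executemany("INSERT INTO online VALUES (?, ?, ?, ?)", [
        ("alice", "max1", 3, now - 3000 * 60),
        ("bob", "max1", 7, now - 600),
        ("carol", "max1", 9, now - 30),
    ])
    live = {("max1", 7, "bob")}  # constructed NAS poll result
    denied_before = not authorize(db, "alice")
    skipped = reap_stale(db, None, now)   # failed poll: nothing cleared
    cleared = reap_stale(db, live, now)
    return denied_before, skipped, cleared, authorize(db, "alice"), authorize(db, "bob"), authorize(db, "carol")

if __name__ == "__main__":
    print(demo())
```

Logging each cleared row gives an operator a record of how often STOP records are being lost, which is the underlying fault the cleanup only masks.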