'Re: multiple freeradius instances with sqlippool, is it safe?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: multiple freeradius instances with sqlippool, is it safe?
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2022-03-22 12:12:14
Message-ID: C9472AC2-CD03-438C-BE9D-68D4A0BBBB83 () deployingradius ! com
[Download RAW message or body]

On Mar 22, 2022, at 6:24 AM, Matteo Sgalaberni <sgala@sgala.com> wrote:
> This timeline happened:
> - radius1 received the auth packet and sqlippool assigned the ip (correct \
>                 information on radippool)
> - radius2 received the accounting stop and sqlippool freed the ip (destroying the \
>                 information on radippool of that ip address previously assigned)
> - radius2 received the accounting start and do nothing on 

  That's how RADIUS works.

  The packets are processed in the order that they are received.  And network delays \
/ dropped packets can cause packets to appear "out of order".

  The packets also contain time stamps and/or delays.  So the server can tell \
(roughly) when an event occurred.  The queries use that information to ignore "old" \
stop/start packets.

  So what's happening here is that the NAS is sending the "stop" packet *after* it \
sends the auth request.  Which is fine, and the server *should* delete the IP address \
assignments.

  Find out why the NAS is sending the stop/start packets with the wrong timestamps.

> Seems to be a concurrency issue occurred because the BRAS (Cisco ASR1001X) sent the \
> auth packet and the acct packets to different radius servers and executed the \
> queries in a logical wrong order. 

  Please try to figure out how to make sure that the queries are run in the "right" \
logical order.  Use only information which is in the RADIUS packets.

  It's impossible.

> Can this scenario happen also in a single server setup? Eg: the accounting stop \
> packet is processed after the authentication packet.

  Yes.  UDP packets are not ordered, especially to different destinations.

> My impression is that the BRAS should send the auth and acct to the same server.

  No.  Or, only if you configure it to do that.

> Also the radius should process the packets in the right order to prevent this \
> issue.

  No.  This is *impossible* to do.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic