RADIUS Accounting with MAGs

SOLVED
daydreamer_
New Contributor

RADIUS Accounting with MAGs

Hi all,
 
Having set up two MAGs in an A/A cluster (no Load Balancer) as VPN servers (SA 7.4R10) using 2 Freeradius 2.1.10 servers for AAA, I get the following Major errors in the User Access Log of the MAGs:
 
Radius Accounting: Failed to send radius accounting USER session stop request for <user>
Radius Accounting: Failed to send radius accounting NC session stop request for <user>
Radius Accounting: Failed to send radius accounting NC session start request for <user>
Radius Accounting: Failed to send radius accounting USER session start request for <user>
 
However, the servers (at least the primary one) do receive the accounting messages from the MAGs. For instance, this is the message associated with the first USER session stop (sensitive info redacted):
 
Tue Apr 29 00:19:02 2014
User-Name = "user"
NAS-IP-Address = 10.10.10.1
NAS-Port = 1
Framed-IP-Address = 172.16.100.15
NAS-Identifier = "MAG"
Acct-Status-Type = Stop
Acct-Input-Octets = 2627511
Acct-Output-Octets = 1089879
Acct-Session-Id = "user@vpn-realm\"Mon Apr 28 23:12:46 2014\"
Acct-Session-Time = 3943
Acct-Terminate-Cause = User-Request
Acct-Multi-Session-Id = "user@vpn-realm"
Acct-Link-Count = 2
Acct-Unique-Session-Id = "41ads0f9a"
Stripped-User-Name = "user"
Realm = "vpn"
Proxy-State = 0x323138
Timestamp = 1398723542
Request-Authenticator = Verified
 
Is there something that I'm missing? Thanks in advance for any pointers.

1 ACCEPTED SOLUTION

Accepted Solutions
daydreamer_
New Contributor

Re: RADIUS Accounting with MAGs

Update:

 

The main problem was me understanding how the "NAS-IP-Address" option works. It *does not* change the source interface of the AAA packets being sent, only the Radius "NAS IP Address" attribute.

 

So instead of allowing only one of the two MAGs to communicate with the RADIUS servers, I had to enable both MAGs in the cluster to communicate with both RADIUS servers and the problem was solved.
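
Added example, not part of the original post or of any Juniper/FreeRADIUS tooling: FreeRADIUS matches a client entry on the packet's source address, not on the NAS-IP-Address attribute, so each cluster node's real source address has to be listed on every server. The sketch below checks that, assuming the restriction lives in a FreeRADIUS 2.x clients.conf (the thread does not say where it was enforced); the second node address, the server names and the file contents are constructed.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): clients.conf on each RADIUS
# server and the real source address of each MAG node. 10.10.10.2 is assumed.
# The NAS-IP-Address attribute is deliberately not an input to this check.
MAG_SOURCE_IPS = ["10.10.10.1", "10.10.10.2"]
CLIENTS_CONF = {
    "radius1": """
client mag-node1 {
    ipaddr = 10.10.10.1      # only one cluster node listed
    secret = PLACEHOLDER
    shortname = MAG
}
""",
    "radius2": """
client mag-cluster {
    ipaddr = 10.10.10.0
    netmask = 29             # covers both nodes
    secret = PLACEHOLDER
}
""",
}

CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_clients(text):
    """Return the networks a FreeRADIUS 2.x clients.conf accepts packets from."""
    nets = []
    for name, body in CLIENT_BLOCK.findall(text):
        body = re.sub(r"#.*", "", body)                 # drop comments
        opts = dict(re.findall(r"(\w+)\s*=\s*(\S+)", body))
        addr = opts.get("ipaddr", name)                 # 'client 10.0.0.1 { ... }' form
        mask = opts.get("netmask", "32")
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def unlisted_nodes(source_ips, confs):
    """Return sorted (node_ip, server) pairs where the node matches no client entry."""
    missing = []
    for server, text in confs.items():
        nets = parse_clients(text)
        for ip in source_ips:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                missing.append((ip, server))
    return sorted(missing)

if __name__ == "__main__":
    for ip, server in unlisted_nodes(MAG_SOURCE_IPS, CLIENTS_CONF):
        print(f"{server}: no client entry matches source address {ip}")
```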

 


5 REPLIES 5
Raveen_
Regular Contributor

Re: RADIUS Accounting with MAGs

Hello

 

What is the IVE version that you are running with?

 

You would see this message when there is a problem in the connection established with the backend Radius server.

If IVE has got a bunch of accounting messages to be sent out to the Radius server in its buffer/queue, and IVE finds a problem in the connection, then this message would be printed.

 

Regards,

Raveen

daydreamer_
New Contributor

Re: RADIUS Accounting with MAGs

Hi Raveen,

 

By IVE version you mean the Secure Access OS? If so, it's 7.4R10 (build 30731) as I already mentioned, apologies if that's not what you asked.

 

The RADIUS servers doing the accounting are exactly the same as the ones doing the authentication. If communication were a problem, wouldn't that also affect authentication at *some* point as well? I see no such messages in the logs, however.

Raveen_
Regular Contributor

Re: RADIUS Accounting with MAGs

Hello,

 

Yes, I meant IVE version as Secure Access OS version, thanks for the information.

If there are no issues with the connection to the backend server, then this should be a potential bug in the OS.

You need to open up a case with JTAC for further troubleshooting and a solution.

 

Regards,

Raveen

daydreamer_
New Contributor

Re: RADIUS Accounting with MAGs

OK thanks for your fast replies Raveen, I'll update this thread in case I have any new information
