[c-nsp] How is the RADIUS backed up

Michael Markstaller mm at elabnet.de
Tue May 17 11:56:31 EDT 2005


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kim Onnel
> Sent: Tuesday, May 17, 2005 2:23 PM
> To: Ahmed Maged
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] How is the RADIUS backed up
> 
> > 1) RADIUS Anycast
> > 2) If your RADIUS logs to a DB, you could synch. The DB
> it writes to flat text files.
> > 3) Maybe configure the routers to just send to two diff. RADIUS.
> is it possible, any URL ?
Yes, it is; broadcast command in aaa accounting:
--- cut 
aaa group server radius radius2
  server-private 10.0.0.2 auth-port 1645 acct-port 1646 key 12345
aaa accounting network VPNClient-acct start-stop broadcast group radius group aasradius
radius-server host 10.0.0.1 auth-port 1645 acct-port 1646 key 12345
--- cut

But just to mention, your problem might be the same I had: ACS not doing logging due to whatever while still accepting Acct-Requests from radius clients.
A radius-failover solution with primary/secondary setup (not broadcasting to both) could be what you're looking for.
By design nothing should get lost ever as any Acct-Request is ack'ed by an AcctAccept *and* a reasonable radius-server shouldn't send an Acct-Accept before it was able to accomplish all logging (my ACS 3.x did that somehow, therefore my opinion: it's not reasonable ;)
I never lost a single accounting packet again since I kicked out ACS..

I've two radius-servers, logging to sql on the primary only; the secondary replicates acct to the primary (when it's up again). Works perfectly, but I'm getting OT now..


Michael
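
The log-before-acknowledge behaviour described in the message above, as an added example that is not part of the original post or of any RADIUS product: a handler that sends the reply RFC 2866 calls Accounting-Response only after the record has been stored, and stays silent otherwise so the NAS retransmits or fails over. The `store` callable, the shared secret and the sample attributes are constructed assumptions.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RADIUS packet codes from RFC 2866

def build_acct_request(ident, attrs, secret):
    """Build an Accounting-Request as a NAS would (for the constructed sample)."""
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def handle_acct_request(packet, secret, store):
    """Return Accounting-Response bytes, or None when no reply must be sent.

    `store` is a hypothetical callable that persists the record and raises
    OSError on failure (for example write + fsync, or a committed SQL insert).
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(packet):
        return None
    req_auth, attrs = packet[4:20], packet[20:length]
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(req_auth, expected):
        return None  # wrong secret or modified packet: drop silently
    try:
        store(attrs)  # persist the record first ...
    except OSError:
        return None  # ... and send nothing on failure, so the NAS retries
    # Response Authenticator = MD5(Code+ID+Length+Request Authenticator+secret)
    head = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values, not from the post
    # Acct-Status-Type (40) = Start, Acct-Session-Id (44) = "s1"
    attrs = bytes([40, 6, 0, 0, 0, 1, 44, 4]) + b"s1"
    pkt = build_acct_request(7, attrs, secret)

    def broken(_record):
        raise OSError("logging backend down")

    print(handle_acct_request(pkt, secret, print).hex())  # stored, then acked
    print(handle_acct_request(pkt, secret, broken))       # None: no ack sent
```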



