我已经在Ubuntu(4.15.0-47-generic)上配置了freeradius代理(3.0.16)。它从Ubuntu上运行的另一个半径服务器接收半径计费数据包,并将其写入到Fortigate上运行的另一个半径服务器。
Radius Server ---> Proxy Radius Server ---> Fortigate Radius Server
我已将copy-acct-to-home服务器配置为将Realm包含在proxy.conf中
proxy.conf ( Realm definition )
home_server myFortigate {
type = acct
ipaddr = <IP address of Fortigate Interface Running Radius>
port = 1813
secret = superSecret
}
home_server_pool myFortigatePool {
type = fail-over
home_server = myFortigate
}
realm myFortigateRealm {
acct_pool = myFortigatePool
nostrip
}
复制到家用服务器的条目
preacct {
preprocess
update control {
Proxy-To-Realm := myFortigateRealm
}
suffix
}
运行freeradius -X之后,我还从新会话运行tcpdump
tcpdump -ni eth01 port 1812 or port 1813
并获得以下日志
15:03:40.225570 IP RADIUS_PROXY_IP.56813 > FORTIGATE_INTERFACE_IP.1813: RADIUS, Accounting-Request (4), id: 0x31 length: 371
15:03:40.236155 IP FORTIGATE_INTERFACE_IP.1813 > RADIUS_PROXY_IP.56813: RADIUS, Accounting-Response (5), id: 0x31 length: 27
这基本上表明它正在发送帐户请求以启动Radius服务器并接收计费响应。
但是奇怪的是,radiradius -X调试输出显示了Fortigate上同一半径服务器的请求超时,最终将服务器标记为僵尸
Starting proxy to home server FORTIGATE_INTERFACE_IP port 1813
(14) Proxying request to home server FORTIGATE_INTERFACE_IP port 1813 timeout 30.000000
Waking up in 0.3 seconds.
(14) Expecting proxy response no later than 29.667200 seconds from now
在3.5秒内醒来。
最后它放弃了
25) accounting {
(25) [ok] = ok
(25) } # accounting = ok
(25) ERROR: Failed to find live home server: Cancelling proxy
(25) WARNING: No home server selected
(25) Clearing existing &reply: attributes
(25) Found Post-Proxy-Type Fail-Accounting
(25) Post-Proxy-Type sub-section not found. Ignoring.
因此情况是Radius代理正在将计费数据包发送到Fortigate Radius服务器(可以在freeradius和fortigate日志中看到) tcpdump显示Radius代理正在接收来自收费的计费响应,但是由于某些原因,freeradius进程无法识别(或无法读取)计费响应。可能是一些互操作性问题,或者我错过了设置一些标志的机会。向专家寻求帮助,以隔离和纠正问题。