Description: This article describes how FortiGate determines which RADIUS server will receive the RADIUS Accounting logs.
Scope: FortiGate version 7.4.3.
Solution:
If multiple RADIUS Accounting servers are configured, by default FortiGate sends Accounting logs to only one server at a time:
config user radius
When RADIUS Accounting servers are newly created, FortiGate always sends logs to the first server on the list:
[1093] fnbamd_cfg_get_radius_acct_list-Loaded RADIUS server 'FAC'
[2073:root:c][1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
If there is no response from the first server, FortiGate tries the next server:
[1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
[646] __rad_conn_timeout-Connction with FAC:10.171.1.158 timed out.
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.2.146:1813.
In this version FortiGate always tries the first server on the list first when sending accounting logs, in every situation. On the previous version (tested on v7.2.6), FortiGate sent logs to all servers when they were newly created or after a reboot:
[2381] fnbamd_rad_acct_dns_cb-10.171.1.158->10.171.1.158
Action=1 is for RADIUS Accounting START:
If all servers respond, FortiGate caches only one of them and sends subsequent logs there. The cached server may be the second server on the list. Logs are sent to that server until it stops responding; only then does FortiGate try the next server on the list.
In this example, subsequent logs are always sent to 10.171.2.146 until that server stops responding. At that point, FortiGate sends the logs to 10.171.1.158 and keeps doing so.
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=4 len=115 action=2
Action=2 is RADIUS Accounting STOP.
If logs must be sent to all servers at the same time, enable the following setting (the first two commands are only needed when VDOMs are enabled):
# config vdom
# edit <vdom>
# config user radius
# edit <radius server>
# set acct-all-servers enable
# end
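To confirm which accounting server a FortiGate actually selected, and whether a failover happened, the fnbamd debug lines shown above can be parsed instead of read by eye. The following script is an added example, not part of this article or of FortiOS. Its regular expressions are built from the message formats quoted on this page (`__auth_ctx_start`, `__rad_conn_timeout`, `__fnbamd_rad_get_next_addr`, `__fnbamd_acct_send_pkt`) and assume those formats hold; the sample log embedded in it combines the article's lines with constructed ones (an action=1 START record and a repeated STOP) so that it runs offline.

```python
import re
from collections import Counter

# Acct-Status-Type values as named on the page: action=1 START, action=2 STOP.
ACTION_NAMES = {1: "START", 2: "STOP"}

# Message formats taken from the fnbamd debug lines quoted in the article.
# These are assumptions about the format; other FortiOS builds may differ.
CONNECT_RE = re.compile(
    r"__auth_ctx_start-Connection starts (?P<name>[^:]+):(?P<ip>[\d.]+), addr")
TIMEOUT_RE = re.compile(
    r"__rad_conn_timeout-\w+ with (?P<name>[^:]+):(?P<ip>[\d.]+) timed out")
NEXT_RE = re.compile(
    r"__fnbamd_rad_get_next_addr-Next available address of rad "
    r"'(?P<name>[^']+)': (?P<ip>[\d.]+):(?P<port>\d+)")
SENT_RE = re.compile(
    r"__fnbamd_acct_send_pkt-Sent radius acct req to server "
    r"'(?P<ip>[\d.]+)':.*\baction=(?P<action>\d+)")

# Constructed sample of 'diagnose debug application fnbamd -1' output.
# The first four lines are copied from the article; the last two are
# constructed to show a START and a STOP record after the failover.
SAMPLE_LOG = """\
[1093] fnbamd_cfg_get_radius_acct_list-Loaded RADIUS server 'FAC'
[1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
[646] __rad_conn_timeout-Connction with FAC:10.171.1.158 timed out.
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.2.146:1813.
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=3 len=115 action=1
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=4 len=115 action=2
"""


def analyze(log_text):
    """Walk the debug output and track server selection for accounting."""
    sent = Counter()      # (server_ip, action) -> number of packets sent
    timeouts = Counter()  # server_ip -> number of timeouts
    failovers = []        # (from_ip, to_ip) each time fnbamd moved on
    current = None        # server fnbamd is currently talking to
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = m.group("ip")
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            timeouts[m.group("ip")] += 1
            continue
        m = NEXT_RE.search(line)
        if m:
            failovers.append((current, m.group("ip")))
            current = m.group("ip")
            continue
        m = SENT_RE.search(line)
        if m:
            sent[(m.group("ip"), int(m.group("action")))] += 1
            current = m.group("ip")
    return {"sent": sent, "timeouts": timeouts,
            "failovers": failovers, "last_server": current}


def servers_used(summary):
    """Distinct servers that actually received an accounting request."""
    return sorted({ip for (ip, _action) in summary["sent"]})


def report(summary):
    """Human-readable summary; a single server here matches the default
    one-server-at-a-time behaviour described in the article."""
    lines = []
    for (ip, action), n in sorted(summary["sent"].items()):
        name = ACTION_NAMES.get(action, "action=%d" % action)
        lines.append("%s received %d %s request(s)" % (ip, n, name))
    for ip, n in sorted(summary["timeouts"].items()):
        lines.append("%s timed out %d time(s)" % (ip, n))
    for src, dst in summary["failovers"]:
        lines.append("failover: %s -> %s" % (src, dst))
    lines.append("servers used: %s" % ", ".join(servers_used(summary)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run it against a saved `diagnose debug application fnbamd -1` capture by passing the file contents to `analyze()`. If `servers_used()` keeps returning a single address while several accounting servers are configured, the unit is behaving as this article describes, and `set acct-all-servers enable` is the documented way to change that.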
Related article: Technical Tip: How to ensure FortiGate sends RADIUS Accounting packets to multiple servers |
Copyright 2024 Fortinet, Inc. All Rights Reserved.