FortiGate

darisandy
Staff
Article Id 310442
Description: This article describes how FortiGate determines which RADIUS server will receive the RADIUS Accounting logs.
Scope: FortiGate version 7.4.3.
Solution

If FortiGate has multiple RADIUS Accounting servers configured, by default it sends Accounting logs to only one server at a time:

config user radius
    edit "FAC"
        set server "10.171.1.158"
        set secret ENC AVSyGfVA
        config accounting-server
            edit 1
                set status enable
                set server "10.171.1.158"
                set secret ENC OrTCtyDL
            next
            edit 2
                set status enable
                set server "10.171.2.146"
                set secret ENC qoCCW04T
            next
        end
    next
end

When the RADIUS Accounting servers have just been created, FortiGate always sends the logs to the first server on the list:

[1093] fnbamd_cfg_get_radius_acct_list-Loaded RADIUS server 'FAC'
[1102] fnbamd_cfg_get_radius_acct_list-Total rad servers to try: 1
[950] fnbamd_rad_get_auth_server-
[983] __auth_ctx_svr_push-Added addr 10.171.1.158:1813 from rad 'FAC'
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.1.158:1813.

[2073:root:c][1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP

If there is no response from the first server, FortiGate tries the next server:

[1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP

[646] __rad_conn_timeout-Connction with FAC:10.171.1.158 timed out.

[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.2.146:1813.
[1001] __auth_ctx_start-Connection starts FAC:10.171.2.146, addr 10.171.2.146:1813 proto: UDP

In every situation, FortiGate first tries the first server on the list when sending accounting logs.

In the previous version (tested on v7.2.6), FortiGate sent the logs to all servers when they had just been created or after a reboot:

[2381] fnbamd_rad_acct_dns_cb-10.171.1.158->10.171.1.158
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.1.158': fd=10, IP=10.171.1.158:1813 code=4 id=1 len=103 action=1
[2414] fnbamd_radius_acct_send-
[2381] fnbamd_rad_acct_dns_cb-10.171.2.146->10.171.2.146
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=2 len=103 action=1
[1471] create_acct_session-Acct type 6 session created
[527] fnbamd_acct_handle_result-Received valid ack for id 1 from 10.171.1.158
[527] fnbamd_acct_handle_result-Received valid ack for id 2 from 10.171.2.146

Action=1 is RADIUS Accounting START:

[image: acct1.png]

If all servers respond, FortiGate caches only one of them as the destination for the logs. It could be the second server on the list.

Logs are always sent to that server until FortiGate stops receiving responses from it. Only then does FortiGate try the next server on the list.

In this example, subsequent logs are always sent to 10.171.2.146 until that server stops responding.

At that point, FortiGate sends the logs to 10.171.1.158 and stays with that server.

[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=4 len=115 action=2
[1471] create_acct_session-Acct type 7 session created
[527] fnbamd_acct_handle_result-Received valid ack for id 4 from 10.171.2.146

Action=2 is RADIUS Accounting STOP.

[image: acct2.png]

If the logs need to be sent to all servers at the same time, the following setting must be enabled (the 'config vdom' lines apply only when VDOMs are enabled):

(# config vdom)
(# edit <vdom>)
# config user radius
# edit <radius server>
# set acct-all-servers enable
# end
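As an added example (not part of the article and not Fortinet code), the following Python script replays fnbamd debug lines in the formats quoted above and reports which accounting server actually received the Accounting-Requests, which one timed out, which requests were never acknowledged, and which configured servers saw no accounting traffic at all, which is the gap the acct-all-servers setting closes. The sample log is constructed from the article's lines, and the CONFIGURED list is the "FAC" accounting-server set from the config above.

```python
import re

# Constructed sample modelled on the fnbamd debug lines quoted in the article
# (first server times out, second server takes over); not a real capture.
SAMPLE_LOG = """\
[1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
[646] __rad_conn_timeout-Connction with FAC:10.171.1.158 timed out.
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.2.146:1813.
[1001] __auth_ctx_start-Connection starts FAC:10.171.2.146, addr 10.171.2.146:1813 proto: UDP
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=4 len=115 action=2
[527] fnbamd_acct_handle_result-Received valid ack for id 4 from 10.171.2.146
"""
# accounting-server entries of the "FAC" object in the article's config
CONFIGURED = ["10.171.1.158", "10.171.2.146"]
ACTION = {"1": "Start", "2": "Stop"}  # action= values the article maps to START/STOP

RE_START = re.compile(r"Connection starts \S+:([\d.]+), addr")
RE_TIMEOUT = re.compile(r"Conne?ction with \S+:([\d.]+) timed out")  # fnbamd prints "Connction"
RE_SENT = re.compile(r"Sent radius acct req to server '([\d.]+)':.*\bid=(\d+).*\baction=(\d+)")
RE_ACK = re.compile(r"Received valid ack for id (\d+) from ([\d.]+)")

def analyse(log_text, configured):
    """Replay fnbamd accounting lines and report which server really carried the traffic."""
    attempts, timeouts, sent, acked, active = [], [], {}, set(), None
    for line in log_text.splitlines():
        if m := RE_START.search(line):          # fnbamd opened a socket to this server
            attempts.append(m.group(1))
        elif m := RE_TIMEOUT.search(line):      # no reply: fnbamd moves to the next address
            timeouts.append(m.group(1))
        elif m := RE_SENT.search(line):         # Accounting-Request (code=4) actually sent
            server, req_id, action = m.groups()
            sent[req_id] = (server, ACTION.get(action, "action=" + action))
            active = server
        elif m := RE_ACK.search(line):          # Accounting-Response matched by RADIUS id
            req_id, server = m.groups()
            if sent.get(req_id, (None,))[0] == server:  # only count acks from the server asked
                acked.add(req_id)
    return {
        "attempts": attempts,
        "timeouts": timeouts,
        "active": active,  # last server that received a request: the one FortiGate uses now
        "unacked": [(srv, i, act) for i, (srv, act) in sent.items() if i not in acked],
        "idle": [s for s in configured if s not in {srv for srv, _ in sent.values()}],
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG, CONFIGURED).items():
        print(f"{key}: {value}")
```

A configured server listed under "idle" is receiving none of the accounting for the sessions in the capture, so anything that depends on it (a NAC or SIEM fed by that server) has a stale view unless acct-all-servers is enabled.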


Related article:

Technical Tip: How to ensure FortiGate sends RADIUS Accounting packets to multiple servers
