beautypg.com

Radius accounting security, Radius accounting and high availability, Handling unresponsive radius servers – Amer Networks E5Web GUI User Manual

Page 86

background image

Port: 1813

Retry Timeout: 2

Shared Secret: 231562514098273

Confirm Secret: 231562514098273

Routing Table: main

3.

Click OK

2.3.5. RADIUS Accounting Security

Communication between cOS Core and any RADIUS accounting server is protected by the use of
a shared secret. This secret is never sent over the network but instead a 16 byte long
Authenticator code is calculated using a one way MD5 hash function and this is used to
authenticate accounting messages.

The shared secret is case sensitive, can contain up to 100 characters, and must be typed exactly
the same for cOS Core and for the RADIUS server.

Messages are sent using the UDP protocol and the default port number used is 1813 although
this is user configurable.

2.3.6. RADIUS Accounting and High Availability

In an HA cluster, accounting information is synchronized between the active and passive
Clavister Security Gateways. This means that accounting information is automatically updated on
both cluster members whenever a connection is closed.

Special Accounting Events

Two special accounting events are also used by the active unit to keep the passive unit
synchronized:

An AccountingStart event is sent to the inactive member in an HA setup whenever a
response has been received from the accounting server. This specifies that accounting
information should be stored for a specific authenticated user.

A problem with accounting information synchronization could occur if an active unit has an
authenticated user for whom the associated connection times out before it is synchronized
on the inactive unit.

To get around this problem, a special AccountingUpdate event is sent to the passive unit on
a timeout and this contains the most recent accounting information for connections.

2.3.7. Handling Unresponsive RADIUS Servers

It can happen that a RADIUS client sends an AccountingRequest START packet which a RADIUS
server never replies to. If this happens, cOS Core will re-send the request after the user-specified
number of seconds. This will mean, however, that a user will still have authenticated access while
cOS Core is trying to contact to the accounting server.

Chapter 2: Management and Maintenance

86

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: