Accounting and system shutdowns, Limitations with nat, Advanced radius settings – Amer Networks E5Web GUI User Manual

Three Connection Attempts are Made

Only after cOS Core has made three attempts to reach the server will it conclude that the
accounting server is unreachable. The administrator can use the cOS Core advanced setting
Allow on error to determine how this situation is handled.

If the Allow on error setting is enabled, an already authenticated user's session will be
unaffected. If it is not enabled, any affected user will automatically be logged out even if they
have already been authenticated.

2.3.8. Accounting and System Shutdowns

In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP
packet, the accounting server will never be able to update its user statistics, but will most likely
believe that the session is still active. This situation should be avoided.

In the case that the Clavister Security Gateway administrator issues a shutdown command while
authenticated users are still online, the AccountingRequest STOP packet will potentially never be
sent. To avoid this, the advanced setting Logout at shutdown allows the administrator to
explicitly specify that cOS Core must first send a STOP message for any authenticated users to
any configured RADIUS servers before commencing with the shutdown.

2.3.9. Limitations with NAT

The User Authentication module in cOS Core is based on the user's IP address. Problems can
therefore occur with users who have the same IP address.

This can happen, for example, when several users are behind the same network using NAT to
allow network access through a single external IP address. This means that as soon as one user is
authenticated, traffic coming through that NAT IP address could be assumed to be coming from
that one authenticated user even though it may come from other users on the same network.
cOS Core RADIUS Accounting will therefore gather statistics for all the users on the network
together as though they were one user instead of individuals.

2.3.10. Advanced RADIUS Settings

The following advanced settings are available with RADIUS accounting:

Allow on error

If there is no response from a configured RADIUS accounting server when sending accounting
data for a user that has already been authenticated, then enabling this setting means that the
user will continue to be logged in.

Disabling the setting will mean that the user will be logged out if the RADIUS accounting server
cannot be reached even though the user has been previously authenticated.

Default: Enabled

Logout at shutdown

If there is an orderly shutdown of the Clavister Security Gateway by the administrator, then cOS
Core will delay the shutdown until it has sent RADIUS accounting STOP messages to any
configured RADIUS server.

Chapter 2: Management and Maintenance

87