This article describes how FortiGate determines which RADIUS Server will receive the RADIUS Accounting logs.
Scope
FortiGate version 7.4.3.
Solution
If FortiGate has multiple RADIUS Accounting servers, by default FortiGate will only send Accounting logs to one server at a time. Example configuration with two accounting servers:
config user radius
    edit "FAC"
        set server "10.171.1.158"
        set secret ENC AVSyGfVA
        config accounting-server
            edit 1
                set status enable
                set server "10.171.1.158"
                set secret ENC OrTCtyDL
            next
            edit 2
                set status enable
                set server "10.171.2.146"
                set secret ENC qoCCW04T
            next
        end
    next
end
When RADIUS Accounting servers are newly created, FortiGate will always send logs to the first server on the list:
[1093] fnbamd_cfg_get_radius_acct_list-Loaded RADIUS server 'FAC'
[1102] fnbamd_cfg_get_radius_acct_list-Total rad servers to try: 1
[950] fnbamd_rad_get_auth_server-
[983] __auth_ctx_svr_push-Added addr 10.171.1.158:1813 from rad 'FAC'
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.1.158:1813.
[2073:root:c][1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
If there is no response from the first server, FortiGate will try the next server:
[1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
[646] __rad_conn_timeout-Connction with FAC:10.171.1.158 timed out.
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.2.146:1813.
[1001] __auth_ctx_start-Connection starts FAC:10.171.2.146, addr 10.171.2.146:1813 proto: UDP
FortiGate will always try the first server on the list when sending accounting logs, whatever the situation.
On the previous version (tested on v7.2.6), FortiGate sends the logs to all servers when the servers have just been created or after a reboot:
[2381] fnbamd_rad_acct_dns_cb-10.171.1.158->10.171.1.158
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.1.158': fd=10, IP=10.171.1.158:1813 code=4 id=1 len=103 action=1
[2414] fnbamd_radius_acct_send-
[2381] fnbamd_rad_acct_dns_cb-10.171.2.146->10.171.2.146
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=2 len=103 action=1
[1471] create_acct_session-Acct type 6 session created
[527] fnbamd_acct_handle_result-Received valid ack for id 1 from 10.171.1.158
[527] fnbamd_acct_handle_result-Received valid ack for id 2 from 10.171.2.146
action=1 denotes a RADIUS Accounting START.
If all servers respond, FortiGate caches only one of them as the target for subsequent logs. It could be the second server on the list.
Logs will always be sent to that server until FortiGate stops receiving any response from it. Only then will FortiGate try the next server on the list.
In this example, subsequent logs will always be sent to 10.171.2.146 until that server stops responding.
At that point, FortiGate will send the logs to 10.171.1.158 and stay with that server.
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=4 len=115 action=2
[1471] create_acct_session-Acct type 7 session created
[527] fnbamd_acct_handle_result-Received valid ack for id 4 from 10.171.2.146
action=2 denotes a RADIUS Accounting STOP.
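When checking which accounting server is actually carrying traffic, it helps to replay the fnbamd debug output rather than read it by eye. The script below is an added example (not FortiGate code or part of this article): it parses the four fnbamd message types quoted above, tracks the server currently receiving accounting requests, records failovers that follow a timeout, and lists request ids that never received an ack. The sample log is constructed in the shape of the lines above; the message patterns and the action meanings (1 = START, 2 = STOP) are taken from the article.

```python
import re
from collections import Counter

# Constructed sample in the shape of the fnbamd debug lines quoted above (not a real capture).
SAMPLE_LOG = """\
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.1.158': fd=10, IP=10.171.1.158:1813 code=4 id=1 len=103 action=1
[527] fnbamd_acct_handle_result-Received valid ack for id 1 from 10.171.1.158
[1001] __auth_ctx_start-Connection starts FAC:10.171.1.158, addr 10.171.1.158:1813 proto: UDP
[646] __rad_conn_timeout-Connction with FAC:10.171.1.158 timed out.
[822] __fnbamd_rad_get_next_addr-Next available address of rad 'FAC': 10.171.2.146:1813.
[1001] __auth_ctx_start-Connection starts FAC:10.171.2.146, addr 10.171.2.146:1813 proto: UDP
[2607] __fnbamd_acct_send_pkt-Sent radius acct req to server '10.171.2.146': fd=10, IP=10.171.2.146:1813 code=4 id=4 len=115 action=2
[527] fnbamd_acct_handle_result-Received valid ack for id 4 from 10.171.2.146
"""

# Patterns for the fnbamd messages the article relies on.
SEND_RE = re.compile(r"Sent radius acct req to server '(?P<server>[^']+)':.*\bid=(?P<id>\d+)\b.*\baction=(?P<action>\d+)")
ACK_RE = re.compile(r"Received valid ack for id (?P<id>\d+) from (?P<server>\S+)")
TIMEOUT_RE = re.compile(r"__rad_conn_timeout-\w+ with [^:]+:(?P<server>\S+) timed out")
START_RE = re.compile(r"__auth_ctx_start-Connection starts [^:]+:(?P<server>[^,]+),")
ACTION_NAMES = {"1": "START", "2": "STOP"}  # values as documented in the article


def analyze_acct_log(text):
    """Replay fnbamd accounting debug output in order and return:
    active    - server that most recently received accounting traffic
    failovers - (old, new) pairs where a timeout on old was followed by traffic to new
    sent      - number of accounting requests sent per server
    actions   - (server, action name) per request, in log order
    unacked   - request ids sent but never acknowledged
    """
    active, timed_out, failovers, actions = None, None, [], []
    sent, pending = Counter(), {}
    for line in text.splitlines():
        if (m := SEND_RE.search(line)):
            server = m.group("server")
            sent[server] += 1
            pending[m.group("id")] = server
            actions.append((server, ACTION_NAMES.get(m.group("action"), "action=" + m.group("action"))))
        elif (m := ACK_RE.search(line)):
            pending.pop(m.group("id"), None)  # an ack does not move traffic
            continue
        elif (m := TIMEOUT_RE.search(line)):
            timed_out = m.group("server")  # remember who failed; next target is a failover
            continue
        elif (m := START_RE.search(line)):
            server = m.group("server")
        else:
            continue  # other fnbamd lines carry no server-selection information
        if timed_out and server != timed_out:
            failovers.append((timed_out, server))
            timed_out = None
        active = server
    return {"active": active, "failovers": failovers, "sent": dict(sent),
            "actions": actions, "unacked": sorted(pending, key=int)}
```

Run it against the output of `diagnose debug application fnbamd -1` captured while accounting traffic is flowing; a non-empty `unacked` list or a `failovers` entry is the point at which the server selection described above changes.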
If there is a need to send logs to all servers at the same time, enable the following setting (the two commands in parentheses are only needed when VDOMs are enabled):
(# config vdom)
(# edit <vdom>)
# config user radius
# edit <radius server>
# set acct-all-servers enable
# end