Handling Unresponsive Servers; Accounting And System Shutdowns; Limitations With Nat'ed Networks - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
In an HA cluster, accounting information is synchronized between the active and passive D-Link Firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed. Two special accounting events are also used by the active unit to keep the passive unit synchronized:

An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received from the accounting server. This specifies that accounting information should be stored for a specific authenticated user.

A lack of accounting information synchronization could occur if an active unit has an authenticated user for whom the associated connection times out before it is synchronized to the inactive unit. To get around this problem, a special AccountingUpdate event is sent to the passive unit on a timeout, and this contains the most recent accounting information for connections.

2.3.7. Handling Unresponsive Servers
A question arises in the case of a client that sends an AccountingRequest START packet to which the RADIUS server never replies. CorePlus will re-send the request after the user-specified number of seconds. This will however mean that a user will still have authenticated access while CorePlus is trying to contact the accounting server.

Only after CorePlus has made three attempts to reach the server will it conclude that the accounting server is unreachable. The administrator can use the CorePlus advanced setting AllowAuthIfNoAccountingResponse to determine how this situation is handled. If this setting is enabled then an already authenticated user's session will be unaffected. If it is not enabled, any affected user will automatically be logged out even if they have already been authenticated.
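The following Python model is an added illustration, not code from the manual or from NetDefendOS: it builds an AccountingRequest START packet in the RFC 2866 format, resends it on each timeout, and after three unanswered attempts decides the user's session according to AllowAuthIfNoAccountingResponse. The stand-in transports, the shared secret and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct
ACCT_REQUEST = 4                      # Accounting-Request code (RFC 2866)
USER_NAME, ACCT_STATUS_TYPE = 1, 40   # attribute types used below
STATUS_START = 1                      # Acct-Status-Type value for START
MAX_ATTEMPTS = 3                      # the manual: three attempts before "unreachable"

def build_acct_request(ident, secret, user, status):
    """Encode an Accounting-Request; Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_acct_request(packet, secret):
    """Server-side check: a packet from a peer without the shared secret fails here."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def send_with_retry(packet, transport, timeout_s):
    """Resend the identical packet after each timeout; give up after MAX_ATTEMPTS."""
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if transport(packet, timeout_s) is not None:   # Accounting-Response arrived
            return attempt, True
    return MAX_ATTEMPTS, False

def decide_session(server_reachable, allow_auth_if_no_acct_response):
    """Fate of an already authenticated user once the server is deemed unreachable."""
    if server_reachable or allow_auth_if_no_acct_response:
        return "keep"
    return "logout"

def handle_login(user, transport, allow_auth_if_no_acct_response,
                 secret=b"constructed-secret", timeout_s=2):
    """Whole sequence for one user: START sent, retried, then the session decided."""
    pkt = build_acct_request(1, secret, user, STATUS_START)
    attempts, reachable = send_with_retry(pkt, transport, timeout_s)
    return {"attempts": attempts, "server_reachable": reachable,
            "session": decide_session(reachable, allow_auth_if_no_acct_response)}

# Constructed stand-in transports (no sockets, no real waiting) so the model runs offline.
def unresponsive_server(packet, timeout_s):
    return None                                   # never answers
def responsive_server(packet, timeout_s):
    return struct.pack("!BBH", 5, packet[1], 20) + b"\x00" * 16   # minimal Accounting-Response
```

Running `handle_login("alice", unresponsive_server, False)` yields a logout after three attempts, while the same call with the setting enabled keeps the session, which is the choice the administrator makes with AllowAuthIfNoAccountingResponse.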

2.3.8. Accounting and System Shutdowns

In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet (due to, for example, the accounting server will never be able to update its user statistics, but will most likely believe that the session is still active and this situation should be avoided.

In the case that the D-Link Firewall administrator issues a shutdown command while authenticated users are still online, the AccountingRequest STOP packet will potentially never be sent. To avoid this, NetDefendOS has the advanced setting LogOutAccUsersAtShutdown. This setting allows the administrator to explicitly specify that NetDefendOS must first send a STOP message for any authenticated users to any configured RADIUS servers before commencing with the shutdown.

2.3.9. Limitations with NAT'ed Networks

The User Authentication module in NetDefendOS is based on the user's IP address. Problems can therefore occur with users who share the same IP address.

This can happen, for instance, when several users are behind the same network which uses NAT to allow network access. This means that as soon as one user is authenticated, all users from the same network are also authenticated. NetDefendOS RADIUS Accounting will therefore gather statistics for all the users on the network together as though they were one user instead of individuals.
Chapter 2. Operations and Maintenance
27