Radius Accounting Security; Radius Accounting And High Availability; Handling Unresponsive Radius Servers - D-Link NetDefendOS User Manual

Network security firewall

Hide thumbs Also See for NetDefendOS:

Table of Contents

Shared Secret: 231562514098273

Confirm Secret: 231562514098273

Routing Table: main

8.9.5. RADIUS Accounting Security

Communication between NetDefendOS and any RADIUS accounting server is protected by the

use of a shared secret. This secret is never sent over the network but instead a 16 byte long

Authenticator code is calculated using a one way MD5 hash function and this is used to

authenticate accounting messages.

The shared secret is case sensitive, can contain up to 100 characters, and must be typed exactly

the same for NetDefendOS and for the RADIUS server.

Messages are sent using the UDP protocol and the default port number used is 1813 although

this is user configurable.

In an HA cluster, accounting information is synchronized between the active and passive

NetDefend Firewalls. This means that accounting information is automatically updated on both

cluster members whenever a connection is closed.

Special Accounting Events

Two special accounting events are also used by the active unit to keep the passive unit

synchronized:

An AccountingStart event is sent to the inactive member in an HA setup whenever a

response has been received from the accounting server. This specifies that accounting

information should be stored for a specific authenticated user.

A problem with accounting information synchronization could occur if an active unit has an

authenticated user for whom the associated connection times out before it is synchronized

on the inactive unit.

To get around this problem, a special AccountingUpdate event is sent to the passive unit on

a timeout and this contains the most recent accounting information for connections.

It can happen that a RADIUS client sends an AccountingRequest START packet which a RADIUS

server never replies to. If this happens, NetDefendOS will re-send the request after the

user-specified number of seconds. This will mean, however, that a user will still have

authenticated access while NetDefendOS is trying to contact to the accounting server.

Three Connection Attempts are Made

Chapter 8: User Authentication

Show Quick Links

Table of Contents