Handling Unresponsive Radius Servers; Accounting And System Shutdowns; Limitations With Nat - D-Link DFL-1660 User Manual


In an HA cluster, accounting information is synchronized between the active and passive NetDefend
Firewalls. This means that accounting information is automatically updated on both cluster members
whenever a connection is closed.
Special Accounting Events
Two special accounting events are also used by the active unit to keep the passive unit
synchronized:
An AccountingStart event is sent to the inactive member in an HA setup whenever a response
has been received from the accounting server. This specifies that accounting information should
be stored for a specific authenticated user.
A problem with accounting information synchronization could occur if an active unit has an
authenticated user for whom the associated connection times out before it is synchronized on the
inactive unit.
To get around this problem, a special AccountingUpdate event is sent to the passive unit on a
timeout and this contains the most recent accounting information for connections.

2.3.7. Handling Unresponsive RADIUS Servers

It can happen that a RADIUS client sends an AccountingRequest START packet to which a RADIUS
server never replies. If this happens, NetDefendOS will re-send the request after the
user-specified number of seconds. This means, however, that the user still has authenticated
access while NetDefendOS is trying to contact the accounting server.
Three Connection Attempts are Made
Only after NetDefendOS has made three attempts to reach the server will it conclude that the
accounting server is unreachable. The administrator can use the NetDefendOS advanced setting
Allow on error to determine how this situation is handled.
If the Allow on error setting is enabled, an already authenticated user's session will be unaffected.
If it is not enabled, any affected user will automatically be logged out even if they have already been
authenticated.

2.3.8. Accounting and System Shutdowns

In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet,
the accounting server will never be able to update its user statistics, but will most likely believe that
the session is still active. This situation should be avoided.
In the case that the NetDefend Firewall administrator issues a shutdown command while
authenticated users are still online, the AccountingRequest STOP packet will potentially never be
sent. To avoid this, the advanced setting Logout at shutdown allows the administrator to explicitly
specify that NetDefendOS must first send a STOP message for any authenticated users to any
configured RADIUS servers before commencing with the shutdown.
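The retry-and-policy behaviour described in 2.3.7 (re-send, three attempts, then Allow on error) and the Logout at shutdown behaviour in 2.3.8 share the same packet format, so both are shown in one added example below. This is illustrative Python written for this page, not NetDefendOS or D-Link code: the Accounting-Request/Response layout and authenticator computation follow RFC 2866, while the session table, the shared secret, the FakeTransport class and all function names are assumptions made for the example.

```python
import hashlib
import struct

# RFC 2866 packet codes, attribute types and Acct-Status-Type values used below.
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
STATUS_START = 1
STATUS_STOP = 2

# Constructed values for the example; a real client reads the secret from configuration.
SHARED_SECRET = b"example-secret"
SESSIONS = {"sess-01": ("alice", "10.0.0.5"), "sess-02": ("bob", "10.0.0.6")}


def _attr(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet, incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(identifier, user, session_id, ip, status):
    """Accounting-Request (code 4). RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)."""
    attrs = (
        _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
        + _attr(ATTR_USER_NAME, user.encode())
        + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
        + _attr(ATTR_FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier & 0xFF, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + SHARED_SECRET).digest()
    return header + authenticator + attrs


def build_accounting_response(request):
    """Accounting-Response (code 5) as a correct server builds it. RFC 2866 section 4:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + SHARED_SECRET).digest()


def response_is_valid(request, response):
    """Client-side check: the reply carries our Identifier and was keyed with the secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SHARED_SECRET).digest()
    return expected == response[4:20]


class FakeTransport:
    """Constructed stand-in for the UDP socket (port 1813 in real life). With
    responsive=False every request is silently dropped: the unresponsive server."""

    def __init__(self, responsive):
        self.responsive = responsive
        self.sent = []  # every datagram the client put on the wire

    def exchange(self, packet, timeout_seconds):
        self.sent.append(packet)
        return build_accounting_response(packet) if self.responsive else None


def send_with_retry(packet, transport, retry_seconds, attempts=3):
    """Re-send after retry_seconds; only after `attempts` silent timeouts is the
    server declared unreachable. Returns True once a valid Accounting-Response arrives."""
    for _ in range(attempts):
        reply = transport.exchange(packet, retry_seconds)
        if reply is not None and response_is_valid(packet, reply):
            return True
    return False


def account_start(sessions, transport, allow_on_error, retry_seconds=3):
    """Send START for each authenticated user, then apply the Allow on error policy.
    Returns the sessions that remain logged in afterwards."""
    remaining = {}
    for ident, (sid, (user, ip)) in enumerate(sessions.items()):
        pkt = build_accounting_request(ident, user, sid, ip, STATUS_START)
        reachable = send_with_retry(pkt, transport, retry_seconds)
        # Server unreachable: the user keeps access only if Allow on error is
        # enabled; otherwise the already authenticated user is logged out.
        if reachable or allow_on_error:
            remaining[sid] = (user, ip)
    return remaining


def shutdown(sessions, transport, logout_at_shutdown):
    """Logout at shutdown: emit a STOP for every authenticated user before going down,
    so the accounting server does not keep the sessions open forever.
    Returns the number of STOP packets sent."""
    if not logout_at_shutdown:
        return 0
    for ident, (sid, (user, ip)) in enumerate(sessions.items()):
        pkt = build_accounting_request(ident, user, sid, ip, STATUS_STOP)
        send_with_retry(pkt, transport, retry_seconds=3)
    return len(sessions)


if __name__ == "__main__":
    dead = FakeTransport(responsive=False)
    print("kept, Allow on error off:", account_start(SESSIONS, dead, allow_on_error=False))
    print("datagrams sent:", len(dead.sent), "(3 attempts per session)")
    print("STOPs at shutdown:", shutdown(SESSIONS, FakeTransport(responsive=True), True))
```

Swapping FakeTransport for a UDP socket with `settimeout(retry_seconds)` turns this into a working client. Two points worth noting: with Allow on error disabled, a single dead accounting server logs out every user whose START fails, which is a self-inflicted denial of service, so the setting is a trade-off between availability and audit completeness; and the MD5 authenticator keyed with the shared secret is the only integrity check RADIUS accounting has, so a server that validates it will discard forged STOP packets, but anyone holding the secret can still inject them.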

2.3.9. Limitations with NAT

The User Authentication module in NetDefendOS is based on the user's IP address. Problems can
therefore occur with users who have the same IP address.
This can happen, for example, when several users are behind the same network using NAT to allow
network access through a single external IP address. This means that as soon as one user is
authenticated, traffic coming through that NAT IP address could be assumed to be coming from that
Chapter 2. Management and Maintenance
This manual is also suitable for:

DFL-2560, DFL-2560G, DFL-260E, DFL-860E