Re: (PM) Radius (fwd)

Danny ter Haar (list-portmaster-users@news.cistron.nl)
7 Nov 1997 12:32:29 +0100

Jon Lewis <jlewis@inorganic5.fdt.net> wrote:
>Get Cistron radiusd...it's got this feature and is free AFAIK.
Yes, it's free.

>> *sigh* it seems like such an easy thing to fix, and its not.
>
>IIRC, Cistron radiusd does it by keeping a utmp-like file on the server
>that tracks who's logged in. Trouble is, I don't think (I've not looked
>closely) it has any facility for keeping in sync with the secondary radius
>server...

We have 1 master radius server and a backup (just in case).
We route all radius requests of our current 4 PoPs to our master
radius server.

>so imagine user X logs into a NAS and his start record goes to
>radiusd1. He then logs out, and for some reason, his stop record goes to
>radiusd2.
Why use multiple radius servers? For performance?

>Now, assuming most radius auth/acct data goes to radiusd1, user
>X is effectively locked out until you fix the radiusd1 utmp-like file,
>which will probably be just to wipe the file, and then you lose
>multi-login protection for everyone already logged in.

When we detect a multiple login (by means of already logged on the
radutmp file) we double check with SNMP if it's
really so. Since the user is already logged out on that portmaster
he gets access again.

>I wouldn't trust this sort of thing unless radiusd1 and radiusd2 could
>somehow communicate every few minutes or less to keep the state info in
>sync.

IMHO that's not necessary

Danny

-- 
Danny ter Haar |   Cistron Internet Services       |  Unix & Internet
dth@het.net    | finger dth@cistron.nl for PGP-key |    specialists
 == where do you want to go tomorrow ? linux axp   www.debian.org  ==
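The check Danny describes, as an added example that is not Cistron radiusd's own code: a constructed in-memory stand-in for the radutmp file, and a hypothetical `snmp_port_user` probe standing in for the SNMP query to the portmaster, so that an entry left behind by a lost Stop record is cleared instead of locking the user out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Callable

# Constructed stand-in for radiusd's radutmp file: one entry per active
# session keyed by (NAS address, port). The real file is a binary record list.
@dataclass
class RadUtmp:
    sessions: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def start(self, user: str, nas: str, port: int) -> None:
        # Accounting Start: record who is on which NAS port.
        self.sessions[(nas, port)] = user

    def stop(self, nas: str, port: int) -> None:
        # Accounting Stop: drop the entry (no-op if it never arrived here).
        self.sessions.pop((nas, port), None)

    def active_for(self, user: str) -> List[Tuple[str, int]]:
        return [k for k, u in self.sessions.items() if u == user]


# Hypothetical probe: given (nas, port), returns the user the NAS reports on
# that port, or None if the port is idle. In practice this is an SNMP GET
# against the portmaster; here it is injected so the logic runs offline.
SnmpProbe = Callable[[str, int], Optional[str]]


def simultaneous_use_check(utmp: RadUtmp, user: str, limit: int,
                           snmp_port_user: SnmpProbe) -> Tuple[bool, int]:
    """Return (login_allowed, stale_entries_removed).

    Only when radutmp says the user is already at the session limit do we
    ask each NAS whether the recorded session really exists; entries the
    NAS does not confirm are stale (e.g. the Stop went to the other server)
    and are removed before the decision is made.
    """
    entries = utmp.active_for(user)
    if len(entries) < limit:
        return True, 0
    removed = 0
    for nas, port in entries:
        if snmp_port_user(nas, port) != user:
            utmp.stop(nas, port)
            removed += 1
    return len(utmp.active_for(user)) < limit, removed
```

Note that a confirmed session is still rejected, so the double check only relaxes the limit for entries the NAS itself says are gone.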