ClearBox Server™ v1.2 User's Guide

Synchronization Concepts

This page describes concepts both for RADIUS and TACACS+ protocols.

Normally, a server extension maintains a "session table" or some other kind of so-called State Server: a list of the active users currently logged onto the network. The state server collects this information from accounting packets. When a user is authenticated and his session begins, the NAS sends an appropriate accounting message (a Start message), telling that the user has started a session on a particular NAS and possibly providing some details about the session (port, session type and so on). On receiving this message, the server extension creates an entry for this session in the state server (which may be an SQL table, an in-memory array or anything else). This table may be used to limit the number of concurrent sessions a user is allowed to open, or to monitor NAS activity.

Usually, when a user's session is terminated (regardless of the cause of termination), the NAS sends an accounting message (a Stop message) telling that the particular session has ended. On receiving this message the server extension removes the user's entry from the state server table and possibly records some accounting information.

But it may sometimes happen that a Stop message is not sent by a NAS (for example, if the connection between the NAS and the server is poor; RADIUS is more affected by this than TACACS+, because UDP, the protocol RADIUS is based on, is not reliable). When the information in the state server database is out of sync in this way, the result is "hanging sessions" which are never closed (or stopped), and which prevent the user from being authenticated again because it appears to the server extension that the allowed number of concurrent sessions has already been reached.

These problems also arise when the server maintains its own pool of IP addresses. The server allocates an IP address for a user when his session begins and returns the address to the pool when the user's session is terminated. If a Stop record is never received for a user, his IP address will never be returned to the IP pool.

To guard against this loss of data and solve these problems, ClearBox Server uses Synchronization. At regular intervals it polls the NAS devices for accounting information and obtains the list of sessions that are actually active. This information is then passed to the server extension so that it can synchronize the information in the state server it maintains with the information reported by the NAS.

Let's look at an example.

Say the server extension has received 5 Start accounting packets and 2 Stop accounting packets, so 3 users are still connected to the NAS, and the session table is:

Port   User
2      Bill
4      Ted
7      Alex

Then Ted disconnects, and the NAS should send a packet telling that Ted's session has ended, but it is not sent.

At this moment the synchronization object, created and maintained by the server, gets the list of sessions from the NAS, which consists of 2 entries, and passes this list to the server extension.

The server extension compares its table with the given list and finds that there is no entry for Ted on port 4. So it removes his entry from the session table, which is then identical to the actual list of sessions.
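The reconciliation just described, worked through in code as an added example (this is not ClearBox Server's own code, and the class, method and user names are constructed for the illustration): an in-memory state server tracks sessions and an IP pool, enforces a per-user concurrent-session limit, and a synchronize step removes every entry that the NAS no longer reports, returning the orphaned IP address to the pool.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    nas: str
    port: int
    user: str
    ip: Optional[str] = None


class StateServer:
    """Hypothetical in-memory stand-in for a server extension's session table
    and IP pool (constructed for this example)."""

    def __init__(self, ip_pool: List[str], max_sessions_per_user: int = 1):
        self.sessions: Dict[Tuple[str, int], Session] = {}  # (nas, port) -> Session
        self.free_ips: List[str] = list(ip_pool)
        self.max_sessions = max_sessions_per_user

    def active_count(self, user: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user == user)

    def can_authenticate(self, user: str) -> bool:
        # A hanging session counts here, which is exactly what locks a user out.
        return self.active_count(user) < self.max_sessions

    def on_start(self, nas: str, port: int, user: str) -> Optional[str]:
        """Handle an accounting Start: record the session and lease an IP."""
        if not self.can_authenticate(user):
            raise PermissionError(f"{user}: concurrent session limit reached")
        ip = self.free_ips.pop(0) if self.free_ips else None
        self.sessions[(nas, port)] = Session(nas, port, user, ip)
        return ip

    def on_stop(self, nas: str, port: int) -> Optional[Session]:
        """Handle an accounting Stop: drop the entry and return its IP to the pool."""
        session = self.sessions.pop((nas, port), None)
        if session is not None and session.ip is not None:
            self.free_ips.append(session.ip)
        return session

    def synchronize(self, nas: str, reported: List[Tuple[int, str]]) -> List[Session]:
        """Reconcile the table with the (port, user) list polled from the NAS.
        Every entry for this NAS that the NAS does not report is a hanging
        session: close it as if a Stop had arrived. Returns the closed sessions."""
        reported_set = set(reported)
        stale = [key for key, s in self.sessions.items()
                 if key[0] == nas and (s.port, s.user) not in reported_set]
        return [s for s in (self.on_stop(*key) for key in stale) if s is not None]


def walk_through() -> dict:
    """Replays the guide's example: 5 Starts, 2 Stops, then Ted drops without a Stop.
    The extra users and the IP pool are constructed values."""
    nas = "nas1"
    state = StateServer([f"10.0.0.{i}" for i in range(1, 6)])
    for port, user in [(2, "Bill"), (4, "Ted"), (7, "Alex"), (1, "Carol"), (3, "Dave")]:
        state.on_start(nas, port, user)
    state.on_stop(nas, 1)  # Carol's Stop arrives
    state.on_stop(nas, 3)  # Dave's Stop arrives
    # Ted disconnects, but no Stop ever reaches the server: his entry hangs and
    # the session limit now blocks him from authenticating again.
    blocked_before_sync = not state.can_authenticate("Ted")
    # The synchronization object polls the NAS and gets only two live sessions.
    removed = state.synchronize(nas, [(2, "Bill"), (7, "Alex")])
    return {
        "state": state,
        "removed": removed,
        "blocked_before_sync": blocked_before_sync,
        "allowed_after_sync": state.can_authenticate("Ted"),
    }


if __name__ == "__main__":
    result = walk_through()
    for s in result["removed"]:
        print(f"closed hanging session: port {s.port} user {s.user} ip {s.ip}")
    print("table now:", sorted((s.port, s.user) for s in result["state"].sessions.values()))
    print("free IPs:", result["state"].free_ips)
```

Note that the synchronize step only closes entries that the NAS no longer reports; a session the NAS reports but the table does not know about is left alone here, since the guide does not say how the extension should treat it.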

The synchronization process runs periodically, at an interval set by the server configuration parameter "Synchronization activity interval".

The name Synchronization object denotes a programmatic object used to communicate with a NAS. Because NASes from different vendors provide different methods of access, a synchronization object has to be created for every type of NAS involved in the synchronization process (e.g., one type of object for Cisco routers, another for Lucent boxes, etc.) or for each type of access (SNMP, RSH, Finger, etc.).

See also: Synchronization process from a developer's point of view, Accounting concepts.


© 2001-2003 XPerience Technologies. www.xperiencetech.com
