Clavister cOS Core Administration Guide

Chapter 2: Management and Maintenance
If the Allow on error setting is enabled, an already authenticated user's session will be
unaffected. If it is not enabled, any affected user will automatically be logged out even if they
have already been authenticated.
2.3.8. Accounting and System Shutdowns
In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP
packet, the accounting server will never be able to update its user statistics, but will most likely
believe that the session is still active. This situation should be avoided.
In the case that the Clavister Security Gateway administrator issues a shutdown command while
authenticated users are still online, the AccountingRequest STOP packet will potentially never be
sent. To avoid this, the advanced setting Logout at shutdown allows the administrator to
explicitly specify that cOS Core must first send a STOP message for any authenticated users to
any configured RADIUS servers before commencing with the shutdown.
2.3.9. Limitations with NAT
The User Authentication module in cOS Core is based on the user's IP address. Problems can
therefore occur with users who have the same IP address.
This can happen, for example, when several users are behind the same network using NAT to
allow network access through a single external IP address. This means that as soon as one user is
authenticated, traffic coming through that NAT IP address could be assumed to be coming from
that one authenticated user even though it may come from other users on the same network.
cOS Core RADIUS Accounting will therefore gather statistics for all the users on the network
together as though they were one user instead of individuals.
2.3.10. Advanced RADIUS Settings
The following advanced settings are available with RADIUS accounting:
Allow on error
If there is no response from a configured RADIUS accounting server when sending accounting
data for a user that has already been authenticated, then enabling this setting means that the
user will continue to be logged in.
Disabling the setting will mean that the user will be logged out if the RADIUS accounting server
cannot be reached even though the user has been previously authenticated.
Default: Enabled
Logout at shutdown
If there is an orderly shutdown of the Clavister Security Gateway by the administrator, then cOS
Core will delay the shutdown until it has sent RADIUS accounting STOP messages to any
configured RADIUS server.
If this option is not enabled, cOS Core will shutdown even though there may be RADIUS
accounting sessions that have not been correctly terminated. This could lead to the situation
that the RADIUS server will assume users are still logged in even though their sessions have been
terminated.
Default: Enabled
80