Nathan Miller <[EMAIL PROTECTED]> wrote:
> I am having a problem with a new client.  Their radius server is sending 
> back the requests I proxy to them using random ports.  It always arrives on 
> my port 1647, but is sent using a random port on their side.

  That's a violation of the RFC.

> Initially I was getting these errors (stripped from -xxx debug log)
> Tue Feb 25 11:04:15 2003 : Error: Ignoring request from unknown proxy 
> <ipaddie>:12386

  That's a different error.  The reply from the home server came from
one which wasn't listed in proxy.conf.

  So not only are they sending from random ports, they're sending from
random IP's, too.

> The rest of my proxy customers always send the request back using the same 
> port which the request was proxied to them on, which is usually 1645 or 
> 1812.  As you can see, this particular request arrived from port 12386 
> which seems to be random port #'s above 10000.  My first assumption is this 
> has something to do w/ load balancing software on their side.

  Probably.

> My first and most important question is, is there a work-around perhaps so 
> I can get this customer live w/o them fixing their radius?

  No.  The proxy requests are keyed by port & IP.  So if the home
server responds from a *different* port & IP, there's no way of
figuring out which request matches that reply.

> Should freeradius be accepting these connections, or is it in fact their 
> radius which is violating the spec?

  Their system should be fixed.  It's a complete and total violation
of the RADIUS spec.  It's impossible to fix, and even if you could, it
would create severe security problems.

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
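A small model of the matching Alan describes, added here as an illustration and not FreeRADIUS's own code: a proxy remembers each forwarded request under the home server's IP, port and packet ID, and a reply is first checked against the configured home servers, then against that key, then against the RFC 2865 Response Authenticator. The IPs, shared secrets and identifiers below are constructed.

```python
import hashlib
import struct

# Constructed configuration: home server IP -> shared secret (like proxy.conf).
HOME_SERVERS = {"192.0.2.10": b"s3cret"}
HOME_PORT = 1812  # port the proxy sends requests to

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def proxy_request(outstanding, home_ip, ident, request_auth):
    # Key the outstanding request by where it was sent and its ID.
    outstanding[(home_ip, HOME_PORT, ident)] = request_auth

def match_reply(outstanding, src_ip, src_port, packet):
    """Classify a reply by its source and whether it verifies."""
    if src_ip not in HOME_SERVERS:
        return "ignoring request from unknown proxy"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    key = (src_ip, src_port, ident)
    if key not in outstanding:
        return "no matching request"   # e.g. reply from a random port
    expected = response_authenticator(code, ident, packet[20:length],
                                      outstanding[key], HOME_SERVERS[src_ip])
    if packet[4:20] != expected:
        return "bad response authenticator"
    del outstanding[key]
    return "ok"

def demo():
    outstanding = {}
    req_auth = bytes(range(16))
    proxy_request(outstanding, "192.0.2.10", 7, req_auth)
    reply = build_reply(2, 7, b"", req_auth, b"s3cret")
    # Reply from the IP and port the request went to: matched and verified.
    good = match_reply(outstanding, "192.0.2.10", 1812, reply)
    # Same server, random source port (load balancer): nothing to match.
    proxy_request(outstanding, "192.0.2.10", 7, req_auth)
    random_port = match_reply(outstanding, "192.0.2.10", 12386, reply)
    # Unlisted IP: dropped before the packet is even looked at.
    unknown = match_reply(outstanding, "198.51.100.5", 1812, reply)
    return good, random_port, unknown
```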
