We migrated over to an IP which was not behind their content switch and everything is working great now. =)
Appreciate everyone's responses.
At 02:15 PM 2/25/2003 -0600, you wrote:
Sorry for the previous post!
If they aren't using a load balancer, then their software is opening the port with a port number of '0' rather than a
specified port. This is correct for many client protocols (mostly using TCP rather than UDP), but definitely not for
RADIUS.
Tim
- -----Original Message-----
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Nathan Miller
- Sent: Tuesday, February 25, 2003 2:06 PM
- To: [EMAIL PROTECTED]
- Subject: Re: Proxy Server sending from random ports
- Alan, I truly appreciate the speedy reply. I confirmed the requests are definitely always coming from the same IP address, it's just the port # which is changing. I had disabled some error checking code (section which confirms the port #) in freeradius to get the 2nd error I listed. I will notify them that their radius server is definitely violating the RFC. Thanks.
- At 09:54 AM 2/25/2003 -0500, you wrote:
- Nathan Miller <[EMAIL PROTECTED]> wrote:
- > I am having a problem with a new client. Their radius server is sending
- > back the requests I proxy to them using random ports. It always arrives on
- > my port 1647, but is sent using a random port on their side.
- That's a violation of the RFC.
- > Initially I was getting these errors (stripped from -xxx debug log)
- > Tue Feb 25 11:04:15 2003 : Error: Ignoring request from unknown proxy
- > <ipaddie>:12386
- That's a different error. The reply from the home server came from
- one which wasn't listed in in proxy.conf.
- So not only are they sending from random ports, they're sending from
- random IP's, too.
- > The rest of my proxy customers always send the request back using the same
- > port which the request was proxied to them on, which is usually 1645 or
- > 1812. As you can see, this particular request arrived from port 12386
- > which seems to be random port #'s above 10000. My first assumption is this
- > has something to do w/ laod balancing software on their side.
- Probably.
- > My first and most important question is, is there a work-around perhaps so
- > I can get this customer live w/o them fixing their radius?
- No. The proxy requests are keyed by port & IP. So if the home
- server responds from a *different* port & IP, there's no way of
- figuring out which request matches that reply.
- > Should freeradius be accepting these connections, or is it in fact their
- > radius which is violating the spec?
- Their system should be fixed. It's a complete and total violation
- of the RADIUS spec. It's impossible to fix, and even if you could, it
- would create severe security problems.
- Alan DeKok.
- -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- ------
- Nathan Miller - [EMAIL PROTECTED]
- VISP Technologies
- Building The Nation's Largest Network of Successful ISPs.
