I need to know how the IP addresses in the EAP-TLS packets are modified in order to allow proxying between two different domains.
EAP-TLS packets do not contain any IP addresses. No IP addresses are ever modified.
My scenario is the following:
- Two domains with an internal RADIUS server and a border proxy.
- If the client is recognised as external, its request must be proxied to the proxy of the other domain.
The problem is that both RADIUS servers and users have private addresses, and only the proxies have public ones.
You have to proxy each request two or even three times, depending on where your user databases are attached, and since your RADIUS servers can't reach the other domain's proxy by themselves.
So, if the request arrives at the RADIUS server of domain A, you proxy it first from RADIUS server A to proxy A, then from proxy A to proxy B, and finally from proxy B to RADIUS server B (if your database for domain B is only reachable from RADIUS server B).
So... how does the proxy mask such an external but private address in order to have a valid authentication of the remote user?
The private IP addresses of the original request will still be included in some attributes (like e.g. NAS-IP-Address, etc.), but that's basically all. They will never be modified, because it is not necessary. I do not really understand why it bothers you at all. Just forget the addresses: RADIUS is at layer 7. Thus, what it does is a kind of semantic routing; it is NOT based on any IP addresses (a minor remark: it optionally *could* be based on these, as part of your semantic rule).
Usually, though, the proxying is merely based on the realm part of the user name, i.e. you have to come up with a consistent naming scheme for both domains, like e.g. [EMAIL PROTECTED], [EMAIL PROTECTED], etc. (take the email addresses, for example) or whatever else. You configure all RADIUS servers and proxies to understand this syntax and to "route" the incoming request to some other server or proxy, or to treat it locally, depending on the realm part of the username (domainA). See the realm module.
ciao artur
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
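As an added illustration of the realm-based routing Artur describes above (this is not configuration from the original thread or from the FreeRADIUS project; it is written here in FreeRADIUS 3.x proxy.conf / mods-available/realm syntax), here is one way to express the three-hop chain RADIUS server A -> proxy A -> proxy B -> RADIUS server B. The realm names domainA.example and domainB.example, the addresses (10.0.0.0/8 for the private side, 203.0.113.0/24 for the public proxies) and the shared secrets are assumptions chosen for the example. Every hop decides where to send the request purely on the realm part of User-Name; no IP address in the request is rewritten, and `nostrip` keeps "user@domainB.example" intact so that the next hop can make the same decision.

```conf
# --- RADIUS server A (private, e.g. 10.1.0.5): mods-available/realm ---
# The "suffix" instance of rlm_realm splits User-Name at "@" into
# Stripped-User-Name and Realm. It must be listed in the authorize
# section of the virtual server, otherwise no realm routing happens.
realm suffix {
    format    = suffix
    delimiter = "@"
}

# --- RADIUS server A: proxy.conf ---
# A realm without an auth_pool is handled locally (same as realm LOCAL).
realm domainA.example {
}

# Server A cannot reach proxy B itself, so everything for domainB.example
# is sent to its own border proxy A (first hop).
home_server proxyA {
    type   = auth
    ipaddr = 10.1.0.1                    # assumed: proxy A's private interface
    port   = 1812
    secret = secretA_serverA_to_proxyA   # assumed; one secret per hop
}
home_server_pool proxyA_pool {
    type        = fail-over
    home_server = proxyA
}
realm domainB.example {
    auth_pool = proxyA_pool
    nostrip                              # keep the realm in User-Name for the next hop
}

# --- Proxy A (public, e.g. 203.0.113.10): proxy.conf ---
# Second hop: across the public network to the other domain's proxy.
home_server proxyB {
    type   = auth
    ipaddr = 203.0.113.20                # assumed: proxy B's public address
    port   = 1812
    secret = secretAB_between_proxies    # assumed; agreed between the two domains
}
home_server_pool proxyB_pool {
    type        = fail-over
    home_server = proxyB
}
realm domainB.example {
    auth_pool = proxyB_pool
    nostrip
}

# --- Proxy B (public, e.g. 203.0.113.20): proxy.conf ---
# Third hop: proxy B has no user database, only RADIUS server B does,
# so the request is forwarded once more, inward over the private network.
home_server radiusB {
    type   = auth
    ipaddr = 10.2.0.5                    # assumed: RADIUS server B, private
    port   = 1812
    secret = secretB_proxyB_to_serverB   # assumed
}
home_server_pool radiusB_pool {
    type        = fail-over
    home_server = radiusB
}
realm domainB.example {
    auth_pool = radiusB_pool
    nostrip
}

# --- RADIUS server B (private, e.g. 10.2.0.5): proxy.conf ---
# End of the chain: the realm is local here, so rlm_eap runs the
# EAP-TLS conversation against this domain's user database.
realm domainB.example {
}
```

Two things a practitioner should check alongside this: each hop must also appear in the next hop's clients.conf with the same shared secret (server A as a client of proxy A, proxy A as a client of proxy B, proxy B as a client of server B), and the configuration for users of domain B turning up in domain A is simply the mirror image. Attributes such as NAS-IP-Address arrive at server B exactly as the original NAS sent them, which is harmless, since none of the routing above looks at them. Because EAP-TLS needs several Access-Request/Access-Challenge rounds, keeping a single home server per pool, as here, also guarantees that every round of one conversation follows the same path.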