Here is our scenario, which is working now:

Some partners depend on an IPSec tunnel.


                     +--------------+
                     | Our          |
                     | RadiusServer |
                     +--------------+
                       |         |
                     eth0:1     eth0
                   10.0.0.10  62.62.62.62
                       |         |
                       |         |
                       |         |
                       |         |
     +-<IPSec Tunnel>--+         +-<Internet>--+
     |                                         |
     |                                         |
+------------------+                   +------------------+   
| Other Radius Srv |                   | Other Radius Srv |
| from RoamPartner |                   | from RoamPartner |
+------------------+                   +------------------+   



If eth0:1 is instead another physical device (e.g. eth1), it does NOT work.
netstat -uan shows that the radius server is listening on all
interfaces/IP addresses on port 1814.

Sending a request packet to our Roaming Partner works (from the
correct IP, too), but the response from the Roaming Partner is not
recognized by our Radius Server, although tcpdump shows that the Roaming
Partner sends a response (either Access-Reject or Access-Accept) and
that it arrives on our interface (eth1).

If I move the IP from eth1 to eth0:1 as an alias, everything works again.

Strangely, if I connect locally with netcat to eth1 UDP port 1814, our
Radius Server IS answering.

I do not really know where the problem lies; it works with IP aliases,
but I would feel much more secure if we could find a working solution for
eth1 as well.

Here is an example from our configuration:

--- SNIP radiusd.conf---
#bind_address = *
#bind_address = 10.0.0.10

listen {
        ipaddr = 10.0.0.10
        type=auth
}

listen {
        ipaddr = 10.0.0.10
        type=acct
}

listen {
        ipaddr = 62.62.62.62
        type=auth
}

listen {
        ipaddr = 62.62.62.62
        type=acct
}
--- SNIP ---

--- SNIP proxy.conf---
proxy server {
        synchronous = no
        retry_delay = 10
        retry_count = 6
        dead_time = 0
        default_fallback = no
        post_proxy_authorize = no
        proxyip = 62.62.62.62
}

realm veryFrightenedRoamingPartner {
        type            = radius
        authhost        = 172.172.172.172:1812
        accthost        = 172.172.172.172:1813
        proxyip         = 10.10.10.10
        secret          = "<SECRET>"
}
--- SNIP ---


On Tue, 2004-10-12 at 16:47 +0200, Raimund Sacherer wrote:
> Hi,
> 
> I compiled freeradius (1.0.1) with the UDPFROMTO configure option and I
> applied the patch from Nicolas
> (http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html)
> and now receiving/sending local auth/acct packets with more than one IP
> address works as expected.
> 
> There were two problems with proxying. First, I listen on 2 IP
> addresses; if those are on different interfaces (eth0/eth1) it is not
> working: the packet is sent to the roaming partner, but
> the response is not recognized by freeradius (whereas a local test with
> netcat is recognized), although I can see it clearly with tcpdump.
> 
> It works well if these 2 IP addresses are on the same interface (with
> an IP alias).
> 
> The second problem with proxying is that it used the interface which was
> defined to send data to the standard gateway as the src IP address for
> sending proxy packets.
> 
> That was a problem for our scenario, as we have roaming partners which
> are listening for our packets on the first IP and others on the other;
> therefore I patched freeradius to accept another parameter in the realm
> configuration which tells the proxy_send method which src IP it
> should use to send the data. This is working and solved the second
> problem; I have the patch attached and would be happy if it made its
> way into the source.
> 
> Technical details about the patch:
> 1. Add the proxy IP address to CONF_PARSER proxy_config[], MAIN_CONFIG_T and
> the REALM struct.
> 
> 2. In generate_realms, check if there is a proxy_ip set for this realm or
> a global one (mainconfig.proxy_ipaddr). If so, apply it.
> 
> 3. In proxy_send, check if an IP address is set in the REALM; if so, set
> it in request->proxy->src_ipaddr so we have a src IP.
> 
> 
> --- snip ---
> 
> --- freeradius-1.0.0-pre2/src/include/radiusd.h       2004-10-04
> 10:27:37.000000000 +0200
> +++ /tmp/freeradius-1.0.0-pre2-ewave/src/include/radiusd.h    2004-10-12
> 12:45:24.353286104 +0200
> @@ -124,6 +124,7 @@
>       char                    server[64];
>       char                    acct_server[64];
>       uint32_t                ipaddr; /* authentication */
> +     uint32_t                proxy_ipaddr;   /* proxy via interface, rsacherer */
>       uint32_t                acct_ipaddr;
>       u_char                  secret[32];
>       time_t                  last_reply; /* last time we saw a packet */
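Review bot: the comment on the new REALM field `proxy_ipaddr` says "proxy via interface", but what is stored is a source IP address (a `uint32_t` next to `ipaddr` and `acct_ipaddr`), not an interface; "source address for proxied packets" would describe it accurately, and the author tag belongs in the changelog rather than in the struct comment.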
> @@ -194,6 +195,7 @@
>       int             proxy_retry_count;
>       int             proxy_retry_delay;
>       int             proxy_fallback;
> +     char            *proxy_ipaddr;  /* proxy via interface, rsacherer */
>       int             reject_delay;
>       int             status_server;
>       int             max_request_time;
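Review bot: the MAIN_CONFIG_T field `proxy_ipaddr` is a `char *` holding the unresolved config string, while the REALM field of the same name is the resolved `uint32_t`; giving the global one a distinct name (for example `proxy_ipaddr_str`) would make the two harder to confuse, and since the global value is only ever resolved when a realm falls back to it, a mistyped global `proxyip` goes unreported until such a realm exists.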
> --- freeradius-1.0.0-pre2/src/main/mainconfig.c       2004-10-04
> 10:27:38.000000000 +0200
> +++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/mainconfig.c    2004-10-12
> 12:45:16.593465776 +0200
> @@ -76,6 +79,7 @@
>       { "dead_time",    PW_TYPE_INTEGER, 0, &mainconfig.proxy_dead_time,
> Stringify(DEAD_TIME) },
>          { "post_proxy_authorize", PW_TYPE_BOOLEAN, 0,
> &mainconfig.post_proxy_authorize, "yes" },
>       { "wake_all_if_all_dead", PW_TYPE_BOOLEAN, 0,
> &mainconfig.wake_all_if_all_dead, "no" },
> +     { "proxyip", PW_TYPE_STRING_PTR, 0, &mainconfig.proxy_ipaddr, NULL },
>       { NULL, -1, 0, NULL, NULL }
>  };
>  
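Review bot: the hunk header `@@ -76,6 +79,7 @@` shows the new mainconfig.c already three lines longer before this hunk, so the diff was taken against a tree with other local changes that are not part of this patch; please regenerate it against a clean 1.0.0-pre2 (or 1.0.1, which the mail says is the version actually built) so it applies without fuzz. The `proxyip` entry itself, `PW_TYPE_STRING_PTR` with a `NULL` default, is fine and leaves the feature off unless configured.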
> @@ -347,7 +351,7 @@
>       CONF_SECTION *cs;
>       REALM *my_realms = NULL;
>       REALM *c, **tail;
> -     char *s, *t, *authhost, *accthost;
> +     char *s, *t, *authhost, *accthost, *proxy_ipaddr;
>       char *name2;
>  
>       tail = &my_realms;
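Review bot: the new local `proxy_ipaddr` in generate_realms is a `char *` pointing at the config value, so `c->proxy_ipaddr = ip_getaddr(proxy_ipaddr)` in the next hunk assigns a resolved address to a field with the same name but a different type; naming the local after the keyword (`proxyip`, as `authhost` and `accthost` already do) would make that line read correctly at a glance.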
> @@ -369,6 +373,28 @@
>               c->secret[0] = '\0';
>  
>               /*
> +              *      Check first if a realm IP is set, if not
> +              *      check the Mainconfig item, else it means 0 ;-)
> +              *      rsacherer
> +              */
> +             if ((proxy_ipaddr = cf_section_value_find(cs, "proxyip")) == NULL) {
> +                     proxy_ipaddr = mainconfig.proxy_ipaddr;
> +             }
> +             
> +             if (proxy_ipaddr == NULL) {
> +                     c->proxy_ipaddr = htonl(INADDR_NONE);
> +             } else {
> +                     c->proxy_ipaddr = ip_getaddr(proxy_ipaddr);
> +                     if (c->proxy_ipaddr == htonl(INADDR_NONE)) {
> +                             radlog(L_ERR, "%s[%d]: Host %s not found",
> +                                             filename, cf_section_lineno(cs),
> +                                             proxy_ipaddr);
> +                             return -1;
> +                     }
> +             }
> +
> +
> +             /*
>                *      No authhost means LOCAL.
>                */
>               if ((authhost = cf_section_value_find(cs, "authhost")) == NULL) {
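Review bot: `ip_getaddr()` resolves `proxyip` by name and only rejects values that do not resolve at all, so an address that resolves fine but is not configured on this host passes the config check and only fails later inside proxy_send, which is exactly the class of silent proxy failure this thread is chasing; at minimum the error message should name the setting (`"proxyip %s not found"` rather than the `"Host %s not found"` copied from the authhost branch) so an operator can tell which of the three host lookups in this block failed. Style: the added blank line after the `if` block carries trailing whitespace, and the two consecutive blank lines before the `No authhost means LOCAL` comment should be one.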
> --- freeradius-1.0.0-pre2/src/main/proxy.c    2004-10-04 10:27:38.000000000
> +0200
> +++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/proxy.c 2004-10-12
> 12:45:16.701449360 +0200
> @@ -430,6 +430,14 @@
>       request->proxy->timestamp = request->timestamp - (delaypair ?
> delaypair->lvalue : 0);
>  
>       /*
> +      *      Add the proxy_ipaddr as the source ip address, if one is set
> +      *      rsacherer
> +      */
> +     if (realm->proxy_ipaddr != htonl(INADDR_NONE)) {
> +             request->proxy->src_ipaddr = realm->proxy_ipaddr;
> +     }
> +
> +     /*
>        *  Do pre-proxying
>        */
>       rcode = module_pre_proxy(request);
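Review bot: setting `request->proxy->src_ipaddr` here only changes the source address of the proxied packet when the server was built with UDPFROMTO (the build the mail describes); on a build without it the configured `proxyip` is accepted and then silently ignored, with the packet still leaving from whatever source the routing table selects. A warning at config time when `proxyip` is set but UDPFROMTO is not compiled in (or an `#ifdef` around the option) would stop that from being an invisible misconfiguration.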
> 

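The whole thread turns on one socket-level mechanism: a UDP server bound to all addresses (as netstat shows for radiusd here) must learn which local address a datagram arrived on, and when it sends it must be able to pin a specific source address instead of whatever the routing table picks for the default gateway. That is what the UDPFROMTO build option and the `proxyip` patch rely on. The following is an added, self-contained illustration of that mechanism on Linux using `IP_PKTINFO`; it is not FreeRADIUS code and not part of the original mails. It assumes Linux, and uses constructed loopback addresses (the "client" pins 127.0.0.2, the "server" is reached on 127.0.0.1, both sockets bound to 0.0.0.0) and constructed payload strings in place of real RADIUS packets.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <unistd.h>

/* Addresses observed during the round trip, dotted quads filled in by
 * demo_roundtrip(). Constructed loopback addresses for this example. */
char g_req_src[INET_ADDRSTRLEN], g_req_dst[INET_ADDRSTRLEN];
char g_rep_src[INET_ADDRSTRLEN], g_rep_dst[INET_ADDRSTRLEN];

/* Send one datagram from an explicit local source address although the
 * socket is bound to INADDR_ANY, via an IP_PKTINFO control message. */
static ssize_t send_from_to(int fd, const void *buf, size_t len,
                            struct in_addr src, const struct sockaddr_in *dst)
{
    struct iovec iov = { (void *)buf, len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr msg;
    struct cmsghdr *cm;
    struct in_pktinfo *pi;

    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_name = (void *)dst;
    msg.msg_namelen = sizeof *dst;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = IPPROTO_IP;
    cm->cmsg_type = IP_PKTINFO;
    cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    pi = (struct in_pktinfo *)CMSG_DATA(cm);
    pi->ipi_ifindex = 0;
    pi->ipi_spec_dst = src;     /* kernel uses this as the IP source address */
    return sendmsg(fd, &msg, 0);
}

/* Receive one datagram and record the local address it was delivered to
 * (ipi_addr). Requires IP_PKTINFO enabled on the socket; -1 if absent. */
static ssize_t recv_from_to(int fd, void *buf, size_t len,
                            struct sockaddr_in *from, struct in_addr *to)
{
    struct iovec iov = { buf, len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr msg;
    struct cmsghdr *cm;
    ssize_t n;
    int found = 0;

    memset(&msg, 0, sizeof msg);
    msg.msg_name = from;
    msg.msg_namelen = sizeof *from;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if ((n = recvmsg(fd, &msg, 0)) < 0)
        return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == IPPROTO_IP && cm->cmsg_type == IP_PKTINFO) {
            *to = ((struct in_pktinfo *)CMSG_DATA(cm))->ipi_addr;
            found = 1;
        }
    return found ? n : -1;
}

/* Bind a UDP socket to 0.0.0.0 on an ephemeral port, with IP_PKTINFO on and
 * a 2 s receive timeout so a lost datagram cannot hang the demo. */
static int bind_any(struct sockaddr_in *bound)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct timeval tv = { 2, 0 };
    socklen_t sl = sizeof *bound;

    if (fd < 0) return -1;
    memset(bound, 0, sl);
    bound->sin_family = AF_INET;
    bound->sin_addr.s_addr = htonl(INADDR_ANY);
    if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0 ||
        bind(fd, (struct sockaddr *)bound, sl) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &sl) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Loopback round trip: the client sends from 127.0.0.2 to the server at
 * 127.0.0.1; the server replies from the address the request was sent to.
 * Returns 1 if all four observed addresses match, 0 otherwise. */
int demo_roundtrip(void)
{
    struct sockaddr_in srv, cli, dst, from;
    struct in_addr pin, to;
    char buf[64];
    int sfd, cfd, ok = 0;

    if ((sfd = bind_any(&srv)) < 0) return 0;
    if ((cfd = bind_any(&cli)) < 0) { close(sfd); return 0; }
    inet_pton(AF_INET, "127.0.0.2", &pin);
    dst = srv;
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);
    if (send_from_to(cfd, "Access-Request", 14, pin, &dst) < 0) goto out;
    if (recv_from_to(sfd, buf, sizeof buf, &from, &to) < 0) goto out;
    inet_ntop(AF_INET, &from.sin_addr, g_req_src, sizeof g_req_src);
    inet_ntop(AF_INET, &to, g_req_dst, sizeof g_req_dst);
    /* Reply from the address the request came to, not whatever routing picks. */
    if (send_from_to(sfd, "Access-Accept", 13, to, &from) < 0) goto out;
    if (recv_from_to(cfd, buf, sizeof buf, &from, &to) < 0) goto out;
    inet_ntop(AF_INET, &from.sin_addr, g_rep_src, sizeof g_rep_src);
    inet_ntop(AF_INET, &to, g_rep_dst, sizeof g_rep_dst);
    ok = !strcmp(g_req_src, "127.0.0.2") && !strcmp(g_req_dst, "127.0.0.1") &&
         !strcmp(g_rep_src, "127.0.0.1") && !strcmp(g_rep_dst, "127.0.0.2");
out:
    close(sfd);
    close(cfd);
    return ok;
}
```

Without the control message on the send side, the reply from a socket bound to 0.0.0.0 would leave with the source address the kernel selects for the route, and a peer that matches replies on the 5-tuple it sent to would discard it, which is the symptom of a reply that tcpdump sees but the server never matches. The receive-side `ipi_addr` is what lets a server bound to all addresses know which of its addresses a packet was actually for.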