D'AVELLA STEFANO wrote:
> All following ipv6 addresses are to be read with global scope (but as I
> said, if they were ipv4 it would be the same I think)
>
> Server address : 2001::400
> Proxy (interface to the server) 2001::300
> Proxy (interface to the client) 2000::300
> Client 2000:200
>
> Now when I try to run the test what happens is that the client sends
> the auth request, the proxy correctly forwards it to the server, and the
> server correctly authenticates the client. The problem is that the proxy
> sends the proxied message with the address 2000::300, not 2001::300.
> When the server tries to reply to the proxy, it tries to send the packet
> to 2000::300 but since it is a different network there is no route for it.

Then your routing tables are broken. You have a route FROM 2000::300 to the server. This is why that source IP is being chosen by the OS for proxied packets. You don't, however, have a route BACK, which is why the packets never make it back.

> I have been searching for a while in the users / radiusd.conf /
> clients.conf / proxy.conf for an option to set the proxy ip address when
> proxying messages. It seemed to me that I saw something like that, but
> if I did I just can't find it again.

You can't fix routing issues by editing FreeRADIUS configuration files.

> P.S: another quick question. Is it possible with some logging option (or
> in other ways) to save the attributes that the server adds to the auth
> accept message locally in a file in the proxy machine? I saw that there
> are some options to add/modify the attributes in the reply, but is it
> possible to save them in a file?

See the "detail" module.

Alan DeKok.