Re: Questions about proxy radius on multihomed host
Kostas Zorbadelos wrote:
>> There are patches pending against CVS head
>> that should fix this.
>>
> In a portable way?

Yes. Much of FreeRADIUS is intended to be portable. It would be annoying to make it non-portable now.

> I am referring to proxy_send in proxy.c

Which doesn't matter for UDPFROMTO, because the source IP is chosen by the server from its configuration (i.e. socket open). Or, the source IP is INADDR_ANY, in which case UDPFROMTO does nothing, and the kernel chooses the source IP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
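The two cases described in the reply above (socket opened on a configured address versus INADDR_ANY) can be checked on the host itself. This is an added example, not FreeRADIUS code or part of the original thread: it uses connect() and getsockname() on a UDP socket to ask the kernel which source address it would use, without sending a packet. The function name udp_source_for and the loopback addresses standing in for IP1 and IP2 are assumptions, and binding to 127.0.0.2 assumes Linux loopback behaviour.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the source address the kernel will use for UDP datagrams sent to
 * dst_ip, or NULL on error. bind_ip == NULL leaves the socket on INADDR_ANY
 * (the kernel chooses); otherwise the socket is bound to bind_ip first.
 * The result lives in a static buffer, so this is not thread-safe.
 * Hypothetical helper written for this example. */
const char *udp_source_for(const char *bind_ip, const char *dst_ip)
{
    static char out[INET_ADDRSTRLEN];
    struct sockaddr_in local, dst, chosen;
    socklen_t len = sizeof(chosen);
    const char *res = NULL;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return NULL;
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;                 /* port 0: any local port */
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind_ip && inet_pton(AF_INET, bind_ip, &local.sin_addr) != 1) goto done;
    if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) goto done;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(1812);                 /* RADIUS authentication port */
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) goto done;
    /* connect() on a UDP socket sends nothing; it only fixes route and source */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) goto done;
    if (getsockname(fd, (struct sockaddr *)&chosen, &len) == 0)
        res = inet_ntop(AF_INET, &chosen.sin_addr, out, sizeof(out));
done:
    close(fd);
    return res;
}

int main(void)
{
    /* Constructed stand-ins: 127.0.0.2 plays IP1, 127.0.0.1 plays IP2 */
    const char *s = udp_source_for(NULL, "127.0.0.1");
    printf("INADDR_ANY   -> %s\n", s ? s : "error");
    s = udp_source_for("127.0.0.2", "127.0.0.1");
    printf("bound to IP1 -> %s\n", s ? s : "error");
    return 0;
}
```

With the real IP1 and IP2 substituted, the first line of output is the address the home server would have to list as its client when the proxy socket is left on INADDR_ANY.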
Re: Questions about proxy radius on multihomed host
On Sun, Dec 03, 2006 at 09:15:54PM -0800, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > on a multihomed Solaris host when radius packets are proxied what is
> > their source IP? Is it IP1 or it could also be IP2?
>
> Uh... that's up to the OS.

That's what I also thought. This would have to do with the TCP/IP implementation in the kernel...

> There are patches pending against CVS head
> that should fix this.
>

In a portable way?

> > I took a look at the sources where I see that in proxy.c a rad_send()
> > is used to actually send the packet. rad_send() uses sendto() unless
> > WITH_UDPFROMTO is defined in which case sendfromto() is used. In my
> > case, WITH_UDPFROMTO is undefined.
>
> That only matters for packets being received by the server, not
> packets it's sending.
>

I am referring to proxy_send in proxy.c

/*
 * Relay the request to a remote server.
 * Returns:
 *
 * RLM_MODULE_FAIL: we don't reply, caller returns without replying
 * RLM_MODULE_NOOP: caller falls through to normal processing
 * RLM_MODULE_HANDLED : we reply, caller returns without replying
 */
int proxy_send(REQUEST *request)

From what I can see it has to do with the packets relayed by the server to the remote home server in proxy mode.

> > Can I assume that outgoing packets use as source address the one
> > listed in the listen directive?
>
> If that's the only IP used, yes. Otherwise, it's up to the OS to
> determine the best source IP for an outgoing packet.
>

Thanks Alan.

--
Kostas Zorbadelos
[EMAIL PROTECTED]
contact: kzorba (at) otenet.gr

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: Questions about proxy radius on multihomed host
Kostas Zorbadelos wrote:
> on a multihomed Solaris host when radius packets are proxied what is
> their source IP? Is it IP1 or it could also be IP2?

Uh... that's up to the OS. There are patches pending against CVS head that should fix this.

> I took a look at the sources where I see that in proxy.c a rad_send()
> is used to actually send the packet. rad_send() uses sendto() unless
> WITH_UDPFROMTO is defined in which case sendfromto() is used. In my
> case, WITH_UDPFROMTO is undefined.

That only matters for packets being received by the server, not packets it's sending.

> Can I assume that outgoing packets use as source address the one
> listed in the listen directive?

If that's the only IP used, yes. Otherwise, it's up to the OS to determine the best source IP for an outgoing packet.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Questions about proxy radius on multihomed host
Hello to everyone.

I have a question regarding freeradius proxying. My setup is freeradius 1.1.3 on Solaris 9. I have a very simple proxy configuration. The setup is a bit 'weird' in the sense that I have a freeradius server on the machine that acts as a proxy to another radius server running on the same machine (different IP). So the setup is described as

            Solaris 9 Host
 ---------------------------------------
|  IP1                        IP2       |
|                                       |
|  Freeradius<---Proxy---> Other Radius |
|                                       |
 ---------------------------------------

The Solaris host contains 2 IPs, freeradius is configured with the listen directive to accept authentication requests on IP1, while the other server is listening on IP2. In the other radius, I have configured as client the IP1 but I notice several failures.

My question is: on a multihomed Solaris host when radius packets are proxied what is their source IP? Is it IP1 or it could also be IP2?

I took a look at the sources where I see that in proxy.c a rad_send() is used to actually send the packet. rad_send() uses sendto() unless WITH_UDPFROMTO is defined in which case sendfromto() is used. In my case, WITH_UDPFROMTO is undefined. sendfromto() is defined in freeradius sources with comments that it works on Linux and FreeBSD 5.x.

I have not seen any configuration option that sets the source address of outgoing packets, in case of multihomed hosts. There is only the following comment in radiusd.conf:

# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#

Can I assume that outgoing packets use as source address the one listed in the listen directive?

Thanks in advance,
Kostas

--
Kostas Zorbadelos
[EMAIL PROTECTED]
contact: kzorba (at) otenet.gr

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.