HEEEEEEEEELP

2002-02-21 Thread stuartc



Sorry to disturb.

This is my simplified problem; I can't change the machines I don't
admin.

I admin a proxy radius which queries (for want of a better word) a master
radius, I send the request and get back a response from a totally
different master radius machine, obviously with different IP. I am sure by
now most of you will see my problem, I just drop any response from the
second master as this is not the IP I sent the response to and everyone is
failing. I totally understand this is against rfc2865 and rfc2138, but
this is a huge world wide company and they will not change the way this is
done for the sake of little old me, so I have to be flexible.

Is there a piece of software which will allow me, or does anyone have a
modified version of freeradius which allows me to do this.

There are ways round this I am sure, but I really would like advice from
you guys.

I am actually begging now.

Thanks in advance

Stu


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: HEEEEEEEEELP

2002-02-21 Thread stuartc

On Thu, 21 Feb 2002, Rainer Clasen wrote:

> stuartc wrote:
> > I admin a proxy radius which queries (for want of a better word) a master
> > radius, I send the request and get back a response from a totally
> > different master radius machine, obviously with different IP. I am sure by
> > now most of you will see my problem, I just drop any response from the
> > second master as this is not the IP I sent the response to and everyone is
> > failing. I totally understand this is against rfc2865 and rfc2138, but
> > this is a huge world wide company and they will not change the way this is
> > done for the sake of little old me, so I have to be flexible.
>
> Do you always get the reply from the same IP? How about sending your
> request to this IP?


No, it has to be done as above. Send a request to one IP and get a response
from one of two different masters... so I could in fact send a request to
one master and get a response from the other; there is no way round it.
I am a dead man, simple as that...




> Rainer








Re: HEEEEEEEEELP

2002-02-21 Thread Alan DeKok

stuartc [EMAIL PROTECTED] wrote:
> No, it has to be done as above. Send a request to one IP and get a response
> from one of two different masters... so I could in fact send a request to
> one master and get a response from the other; there is no way round it.

  I'm *amazed* that this works for any other RADIUS server which uses
their services.  Do the other servers really allow responses from
*any* IP address?

> I am a dead man, simple as that...

  No, you just have some coding to do.  You've got to figure out which
IP's are the problem.

  Here's what you do.  In 'proxy.conf', add another realm for the
bullshit IP address sending the response.  The name of the realm
doesn't matter, as it won't be used for anything but fixing up the
bullshit.

  Give this realm the SAME secret as the realm which you're sending
the packets to.  This is important.

  Go to src/main/radiusd.c, function rad_process().  Look for:

 case PW_AUTHENTICATION_ACK:
 case PW_ACCESS_CHALLENGE:
 case PW_AUTHENTICATION_REJECT:
 case PW_ACCOUNTING_RESPONSE:
  ...
  break;


  Just BEFORE the 'break' add:


   if (request->packet->src_ipaddr == htonl(0x01020304)) {
  request->packet->src_ipaddr = htonl(0x05060708);
   }


  where the FIRST IP address '0x01020304' (for 1.2.3.4) is the IP of
the bullshit server sending the responses, and the SECOND IP is the IP
of the server you sent the request to.  Note that you CANNOT put the
addresses in as '1.2.3.4', you've got to convert them by hand to a
32-bit number, and put that number in, instead.


  If there is more than one problem IP, add more 'if' statements.  As
the IP's are hard-coded into the server, you will have to edit them &
recompile the server if they change.  But it should work.


  If you ever meet in person the people who created this stupidity,
you have my permission to tell them exactly what I think of their
service:  shoddy, and non-standards compliant.

  Alan DeKok.
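As an added example (not FreeRADIUS code, and not the snippet Alan posted), here is a table-driven form of the same src_ipaddr rewrite. It keeps the misbehaving and expected addresses as dotted quads and converts them with inet_pton() once at start-up, which removes the by-hand conversion to a 32-bit constant, and it shows the byte-order relation between "1.2.3.4" and Alan's htonl(0x01020304). The names src_fixup_init, src_fixup_apply and the second table entry (1.2.3.9) are this example's own assumptions; the addresses 1.2.3.4 and 5.6.7.8 are the placeholders from the post.

```c
/* Added example, not FreeRADIUS code: table-driven rewrite of the reply's
 * source address, the same effect as the 'if' Alan puts before the break
 * in rad_process(), but with the addresses written as dotted quads. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mapping: a reply arriving from `from` is treated as if it
 * came from `expected`, the master the request was actually proxied to.
 * Both entries in proxy.conf must carry the same shared secret: the reply's
 * Response Authenticator is checked with the secret found for its source
 * address, so a different secret would just fail the packet instead. */
struct src_fixup {
    const char *from;      /* address that really sent the reply */
    const char *expected;  /* address the request was sent to */
    uint32_t from_n;       /* network-order copies filled in by init */
    uint32_t expected_n;
};

static struct src_fixup fixups[] = {
    { "1.2.3.4", "5.6.7.8", 0, 0 },  /* placeholder addresses from the post */
    { "1.2.3.9", "5.6.7.8", 0, 0 },  /* assumed second misbehaving master */
};
#define NUM_FIXUPS (sizeof(fixups) / sizeof(fixups[0]))

/* Convert the dotted quads once at start-up. Returns 0 on success,
 * -1 if any address in the table is malformed. */
int src_fixup_init(void)
{
    for (size_t i = 0; i < NUM_FIXUPS; i++) {
        struct in_addr a, b;
        if (inet_pton(AF_INET, fixups[i].from, &a) != 1 ||
            inet_pton(AF_INET, fixups[i].expected, &b) != 1) {
            return -1;
        }
        fixups[i].from_n = a.s_addr;      /* s_addr is already network order */
        fixups[i].expected_n = b.s_addr;
    }
    return 0;
}

/* The check that would sit just before the `break` in rad_process():
 * src_ipaddr is in network byte order, as request->packet->src_ipaddr is.
 * Returns 1 if the address was rewritten, 0 if it was left alone. */
int src_fixup_apply(uint32_t *src_ipaddr)
{
    for (size_t i = 0; i < NUM_FIXUPS; i++) {
        if (*src_ipaddr == fixups[i].from_n) {
            *src_ipaddr = fixups[i].expected_n;
            return 1;
        }
    }
    return 0;
}

/* The by-hand conversion the post asks for: "1.2.3.4" -> 0x01020304,
 * i.e. the value you would pass to htonl() in Alan's snippet. */
uint32_t dotted_to_constant_form(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return 0;
    return ntohl(a.s_addr);
}

int main(void)
{
    if (src_fixup_init() != 0) { fprintf(stderr, "bad fixup table\n"); return 1; }
    uint32_t src = htonl(0x01020304);           /* reply came from 1.2.3.4 */
    int changed = src_fixup_apply(&src);
    char buf[INET_ADDRSTRLEN];
    struct in_addr a = { .s_addr = src };
    inet_ntop(AF_INET, &a, buf, sizeof buf);
    printf("rewritten=%d, src_ipaddr now %s\n", changed, buf);
    return 0;
}
```

The table is still compiled in, as in Alan's version, so changing it means a rebuild; the gain is only that the addresses are readable and the conversion cannot be got wrong by hand.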




Re: HEEEEEEEEELP

2002-02-21 Thread Steve Langasek

On Thu, Feb 21, 2002 at 11:44:02AM -0500, Alan DeKok wrote:
> stuartc [EMAIL PROTECTED] wrote:
> > No, it has to be done as above. Send a request to one IP and get a response
> > from one of two different masters... so I could in fact send a request to
> > one master and get a response from the other; there is no way round it.
>
>   I'm *amazed* that this works for any other RADIUS server which uses
> their services.  Do the other servers really allow responses from
> *any* IP address?

Is this a good time to inquire whether Freeradius CVS fixes the bug 
where the server doesn't set the source address in its response packets, 
causing problems if radiusd is running on a server with multiple IP 
addresses? :)

It may actually be fixed in 0.4 for that matter, I don't know; we ran 
into problems with earlier versions because the Linux kernel was 
choosing a different 'best' address to use when replying.  Particularly 
an issue for us because we're in the middle of transitioning out of an 
IP address block.

Steve Langasek
postmodern programmer





Re: HEEEEEEEEELP

2002-02-21 Thread Alan DeKok

Steve Langasek [EMAIL PROTECTED] wrote:
> Is this a good time to inquire whether Freeradius CVS fixes the bug
> where the server doesn't set the source address in its response packets,
> causing problems if radiusd is running on a server with multiple IP
> addresses? :)

  The server doesn't set the source IP address.

  Hmm... if 'bind_address' is set, then the proxy fd *should* be bound
to that IP address, too.  That currently isn't done.  Luckily, it's a
~5 line patch.

  It's probably a good idea to do.  Can you supply a patch?

  Alan DeKok.




Re: HEEEEEEEEELP

2002-02-21 Thread Alan DeKok

Alan DeKok [EMAIL PROTECTED] wrote:
>   Hmm... if 'bind_address' is set, then the proxy fd *should* be bound
> to that IP address, too.  That currently isn't done.  Luckily, it's a
> ~5 line patch.

  Never mind... I read a little more of the code, and it *is* done.

  So if you set 'bind_address = 1.2.3.4' in the configuration file,
then the proxy requests will come FROM that IP address, too.

  Alan DeKok.




Re: HEEEEEEEEELP

2002-02-21 Thread Alan DeKok

Steve Langasek [EMAIL PROTECTED] wrote:
> Freeradius receives a request from a NAS sent to IP address a.b.c.d;
> it handles the request, and sends back a reply without explicitly
> choosing a source IP address for the socket -- it may be the right IP
> address, it may be (depending on what the kernel decides) a wrong one.

  Ah, OK.  That's why some systems have a 'sendtofrom', where you can
specify the source IP address.

  The solution for FreeRADIUS would be to extend the 'bind_address' to
something like a colon-separated list of addresses.  The server core
would then have to be modified to keep track of multiple sockets, and
to do a select() across all of them.

  Not much else in the server would change, as packets are sent out
the same fd from which they're received.

> Just a wishlist request, really, and a tongue-in-cheek response to your
> post -- maybe the bass-ackwards radius server the original poster is
> connecting to is a multihomed freeradius server? ;)

  Hmm... I can't help but feel at least partially responsible for such
a situation.

  Alan DeKok.
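As an added example (not FreeRADIUS code, and not the one-socket-per-address design Alan sketches above), the problem Steve describes can also be solved on a single socket bound to INADDR_ANY: on Linux, IP_PKTINFO reports on recvmsg() which local address a datagram was sent to, and setting ipi_spec_dst on sendmsg() forces the reply to leave from that same address, so the kernel never gets to pick a "better" one on a multihomed host. This is the 'sendtofrom' idea Alan mentions, expressed with the standard socket API. The functions recv_with_dst, send_from and pktinfo_roundtrip are this example's own; the request text is constructed, and the round trip runs entirely over loopback.

```c
/* Added example, not FreeRADIUS code: reply to a UDP request from exactly
 * the address it arrived on, using IP_PKTINFO (Linux-specific). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Receive one datagram and record the local address it was addressed to.
 * Returns bytes received, or -1 on error. */
static ssize_t recv_with_dst(int fd, void *buf, size_t len,
                             struct sockaddr_in *peer, struct in_addr *dst)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = {
        .msg_name = peer, .msg_namelen = sizeof *peer,
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    dst->s_addr = htonl(INADDR_ANY);
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;   /* destination address of the request */
        }
    }
    return n;
}

/* Send a reply, forcing its source address to `src`. */
static ssize_t send_from(int fd, const void *buf, size_t len,
                         const struct sockaddr_in *peer, struct in_addr src)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    memset(cbuf, 0, sizeof cbuf);
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = {
        .msg_name = (void *)peer, .msg_namelen = sizeof *peer,
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo pi = { 0 };
    pi.ipi_spec_dst = src;        /* the kernel uses this as the source */
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}

/* Loopback round trip: a "NAS" sends to 127.0.0.1 on a server socket bound
 * to 0.0.0.0; the server replies from the address the request came in on.
 * Returns 1 if the reply's source matches the address the NAS targeted. */
int pktinfo_roundtrip(void)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0);
    int nas = socket(AF_INET, SOCK_DGRAM, 0);
    if (srv < 0 || nas < 0) return 0;
    int on = 1;
    if (setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) < 0) return 0;

    struct sockaddr_in any = { .sin_family = AF_INET, .sin_port = 0,
                               .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(srv, (struct sockaddr *)&any, sizeof any) < 0) return 0;
    struct sockaddr_in target; socklen_t tl = sizeof target;
    getsockname(srv, (struct sockaddr *)&target, &tl);   /* learn the port */
    target.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* NAS sends to 127.0.0.1 */

    const char req[] = "Access-Request (constructed)";
    if (sendto(nas, req, sizeof req, 0, (struct sockaddr *)&target, sizeof target) < 0) return 0;

    char buf[64]; struct sockaddr_in peer; struct in_addr dst;
    if (recv_with_dst(srv, buf, sizeof buf, &peer, &dst) < 0) return 0;
    if (send_from(srv, "Access-Accept", 14, &peer, dst) < 0) return 0;

    struct sockaddr_in from; socklen_t fl = sizeof from;
    if (recvfrom(nas, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl) < 0) return 0;
    close(srv); close(nas);
    return dst.s_addr == htonl(INADDR_LOOPBACK) &&
           from.sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}

int main(void)
{
    printf("reply left from the request's destination address: %s\n",
           pktinfo_roundtrip() ? "yes" : "no");
    return 0;
}
```

On a host that is mid-transition between address blocks, as in Steve's case, this is what keeps the reply's source equal to whatever address the NAS was configured with, without a socket per address. The BSDs expose the same information as IP_RECVDSTADDR rather than IP_PKTINFO.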
