HEEEEEEEEELP
Sorry to disturb. This is my simplified problem, which I can't change as I don't admin the machines. I admin a proxy radius which queries (for want of a better word) a master radius. I send the request and get back a response from a totally different master radius machine, obviously with a different IP. I am sure by now most of you will see my problem: I just drop any response from the second master as this is not the IP I sent the response to, and everyone is failing. I totally understand this is against rfc2865 and rfc2138, but this is a huge world-wide company and they will not change the way this is done for the sake of little old me, so I have to be flexible.

Is there a piece of software which will allow me, or does anyone have a modified version of freeradius which allows me to do this? There are ways round this I am sure, but I really would like advice from you guys. I am actually begging now.

Thanks in advance
Stu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HEEEEEEEEELP
On Thu, 21 Feb 2002, Rainer Clasen wrote:
> stuartc wrote:
> > I admin a proxy radius which queries (for want of a better word) a master radius. I send the request and get back a response from a totally different master radius machine, obviously with a different IP. I am sure by now most of you will see my problem: I just drop any response from the second master as this is not the IP I sent the response to, and everyone is failing. I totally understand this is against rfc2865 and rfc2138, but this is a huge world-wide company and they will not change the way this is done for the sake of little old me, so I have to be flexible.
>
> Do you always get the reply from the same IP? How about sending your request to this IP?

No, it has to be done as above. Send a request to one IP and get a response from one of two different masters... so I could in fact send a request to one master and get a response from the other; there is no way round it. I am a dead man, simple as that...

> Rainer
Re: HEEEEEEEEELP
stuartc [EMAIL PROTECTED] wrote:
> No, it has to be done as above. Send a request to one IP and get a response from one of two different masters... so I could in fact send a request to one master and get a response from the other; there is no way round it.

I'm *amazed* that this works for any other RADIUS server which uses their services. Do the other servers really allow responses from *any* IP address?

> I am a dead man, simple as that...

No, you just have some coding to do. You've got to figure out which IPs are the problem.

Here's what you do.

In 'proxy.conf', add another realm for the bullshit IP address sending the response. The name of the realm doesn't matter, as it won't be used for anything but fixing up the bullshit. Give this realm the SAME secret as the realm which you're sending the packets to. This is important.

Go to src/main/radiusd.c, function rad_process(). Look for:

        case PW_AUTHENTICATION_ACK:
        case PW_ACCESS_CHALLENGE:
        case PW_AUTHENTICATION_REJECT:
        case PW_ACCOUNTING_RESPONSE:
                ...
                break;

Just BEFORE the 'break' add:

        /* reply came from the other master: pretend it came from the server we sent to */
        if (request->packet->src_ipaddr == htonl(0x01020304)) {
                request->packet->src_ipaddr = htonl(0x05060708);
        }

where the FIRST IP address '0x01020304' (for 1.2.3.4) is the IP of the bullshit server sending the responses, and the SECOND IP is the IP of the server you sent the request to.

Note that you CANNOT put the addresses in as '1.2.3.4', you've got to convert them by hand to a 32-bit number, and put that number in, instead.

If there is more than one problem IP, add more 'if' statements.

As the IPs are hard-coded into the server, you will have to edit them and recompile the server if they change. But it should work.

If you ever meet in person the people who created this stupidity, you have my permission to tell them exactly what I think of their service: shoddy, and non-standards compliant.

Alan DeKok.
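An added illustration, not code from the thread or from FreeRADIUS, of why the "same secret" instruction above matters. Rewriting the source address only lets the reply reach the right realm; what actually protects the proxy once it accepts replies from a second address is the RFC 2865 Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which can only verify if the answering server shares the realm's secret. The addresses, the secret, and the ProxyState/verify_response names below are all constructed for the example; ip_to_u32 does the dotted-quad to 32-bit conversion the message says to do by hand.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_ACCEPT = 2

# Constructed example values (not from the thread).
HOME_SERVER = "192.0.2.10"          # the master the proxy sends requests to
ALTERNATE_RESPONDER = "192.0.2.11"  # the other master that may answer instead
SHARED_SECRET = b"example-secret"   # configured for BOTH realms in proxy.conf

# Responder IP -> home server it answers for. Same idea as the hard-coded
# src_ipaddr rewrite in the message above, kept in dotted-quad form.
RESPONDER_ALIASES = {ALTERNATE_RESPONDER: HOME_SERVER}


def ip_to_u32(dotted):
    """Dotted quad -> 32-bit value, e.g. '1.2.3.4' -> 0x01020304."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def canonical_source(src_ip):
    """Map a known alternate responder back to the home server it answers for."""
    return RESPONDER_ALIASES.get(src_ip, src_ip)


def build_response(code, identifier, request_auth, attrs, secret):
    """What a home server sends back: header, Response Authenticator, attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator and compare in constant time."""
    if len(packet) < 20 or len(packet) > 4096:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


class ProxyState:
    """Outstanding proxied requests, keyed by (home server, identifier)."""

    def __init__(self, secrets):
        self.secrets = secrets      # home server IP -> shared secret
        self.outstanding = {}

    def send(self, home_ip, identifier):
        """Remember the Request Authenticator so the reply can be checked."""
        request_auth = os.urandom(16)
        self.outstanding[(home_ip, identifier)] = request_auth
        return request_auth

    def receive(self, src_ip, packet):
        """Accept a reply only if its (aliased) source is a server we queried
        and the Response Authenticator verifies under that server's secret."""
        home_ip = canonical_source(src_ip)
        if home_ip not in self.secrets:
            return "dropped: reply from unknown server"
        if len(packet) < 20:
            return "dropped: short packet"
        key = (home_ip, packet[1])
        request_auth = self.outstanding.get(key)
        if request_auth is None:
            return "dropped: no matching request"
        if not verify_response(packet, request_auth, self.secrets[home_ip]):
            return "dropped: bad Response Authenticator"
        del self.outstanding[key]
        return "accepted"


def demo():
    """One request, four replies: spoofed source, wrong secret, the alternate
    master with the right secret, and a replay of the accepted reply."""
    proxy = ProxyState({HOME_SERVER: SHARED_SECRET})
    req_auth = proxy.send(HOME_SERVER, 7)
    good = build_response(ACCESS_ACCEPT, 7, req_auth, b"", SHARED_SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"", b"wrong-secret")
    return {
        "unknown_source": proxy.receive("198.51.100.9", good),
        "wrong_secret": proxy.receive(ALTERNATE_RESPONDER, forged),
        "alternate_ok": proxy.receive(ALTERNATE_RESPONDER, good),
        "replayed": proxy.receive(HOME_SERVER, good),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The alias table does exactly what the one-line patch does; the point of the rest is that the aliased address is only ever used to pick a secret, and a reply from the second master that does not verify under that secret is still dropped.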
Re: HEEEEEEEEELP
On Thu, Feb 21, 2002 at 11:44:02AM -0500, Alan DeKok wrote:
> stuartc [EMAIL PROTECTED] wrote:
> > No, it has to be done as above. Send a request to one IP and get a response from one of two different masters... so I could in fact send a request to one master and get a response from the other; there is no way round it.
>
> I'm *amazed* that this works for any other RADIUS server which uses their services. Do the other servers really allow responses from *any* IP address?

Is this a good time to inquire whether Freeradius CVS fixes the bug where the server doesn't set the source address in its response packets, causing problems if radiusd is running on a server with multiple IP addresses? :)

It may actually be fixed in 0.4 for that matter, I don't know; we ran into problems with earlier versions because the Linux kernel was choosing a different 'best' address to use when replying. Particularly an issue for us because we're in the middle of transitioning out of an IP address block.

Steve Langasek
postmodern programmer
Re: HEEEEEEEEELP
Steve Langasek [EMAIL PROTECTED] wrote:
> Is this a good time to inquire whether Freeradius CVS fixes the bug where the server doesn't set the source address in its response packets, causing problems if radiusd is running on a server with multiple IP addresses? :)

The server doesn't set the source IP address.

Hmm... if 'bind_address' is set, then the proxy fd *should* be bound to that IP address, too. That currently isn't done. Luckily, it's a ~5 line patch.

It's probably a good idea to do. Can you supply a patch?

Alan DeKok.
Re: HEEEEEEEEELP
Alan DeKok [EMAIL PROTECTED] wrote:
> Hmm... if 'bind_address' is set, then the proxy fd *should* be bound to that IP address, too. That currently isn't done. Luckily, it's a ~5 line patch.

Never mind... I read a little more of the code, and it *is* done.

So if you set 'bind_address = 1.2.3.4' in the configuration file, then the proxy requests will come FROM that IP address, too.

Alan DeKok.
Re: HEEEEEEEEELP
Steve Langasek [EMAIL PROTECTED] wrote:
> Freeradius receives a request from a NAS sent to IP address a.b.c.d; it handles the request, and sends back a reply without explicitly choosing a source IP address for the socket -- it may be the right IP address, it may be (depending on what the kernel decides) a wrong one.

Ah, OK. That's why some systems have a 'sendtofrom', where you can specify the source IP address.

The solution for FreeRADIUS would be to extend the 'bind_address' to something like a colon-separated list of addresses. The server core would then have to be modified to keep track of multiple sockets, and to do a select() across all of them. Not much else in the server would change, as packets are sent out the same fd from which they're received.

> Just a wishlist request, really, and a tongue-in-cheek response to your post -- maybe the bass-ackwards radius server the original poster is connecting to is a multihomed freeradius server? ;)

Hmm... I can't help but feel at least partially responsible for such a situation.

Alan DeKok.
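An added example, not FreeRADIUS code, of the design Alan sketches above: one socket per configured address, select() across all of them, and the reply sent out of the socket the request arrived on, so the client sees the same source it sent to and never hits the "kernel picks a different best address" problem. Loopback only offers one address portably, so two ports on 127.0.0.1 stand in for two interface addresses; the mechanism (reply from the receiving socket) is identical. open_listeners, serve_once and demo are names invented for this example.

```python
import select
import socket


def open_listeners(bind_addresses):
    """One UDP socket per configured (host, port), the multi-socket equivalent
    of a colon-separated bind_address list. Each socket owns its source address."""
    socks = []
    for host, port in bind_addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, port))
        socks.append(s)
    return socks


def serve_once(socks, timeout=2.0):
    """select() across every listener and answer each request on the very
    socket it arrived on; the reply's source address/port therefore matches
    the address the client sent to. Returns the number of requests handled."""
    ready, _, _ = select.select(socks, [], [], timeout)
    handled = 0
    for s in ready:
        data, peer = s.recvfrom(4096)
        s.sendto(b"echo:" + data, peer)
        handled += 1
    return handled


def demo():
    """Constructed check: send to each listener in turn and record whether the
    reply came back from the exact address:port the request was sent to."""
    servers = open_listeners([("127.0.0.1", 0), ("127.0.0.1", 0)])
    results = []
    try:
        for target in servers:
            client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            client.settimeout(2.0)
            try:
                client.sendto(b"hi", target.getsockname())
                serve_once(servers)
                reply, reply_from = client.recvfrom(4096)
                results.append(reply == b"echo:hi" and reply_from == target.getsockname())
            finally:
                client.close()
    finally:
        for s in servers:
            s.close()
    return results


if __name__ == "__main__":
    print(demo())
```

A single socket bound to 0.0.0.0 would receive on every address but let the kernel choose the reply's source, which is the symptom Steve describes; binding one socket per address removes that choice from the kernel entirely.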