RE: NAS-IP vs srcIP
> Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same?

One of the NASes is on the other side of a load balancer; source IP is not the same as NAS-IP.

John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NAS-IP vs srcIP
On 04/01/2010 05:39 PM, Marlon Duksa wrote:

> Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an IP address other than the src-ip of the NAS that is used in regular FreeRadius accounting/authorization packets. The source IP address of the NAS is normally the native interface address from which the access-req was sent (but it can be configurable). The NAS-IP would be used to address the NAS in CoA requests sent from FreeRadius. We need this behavior to address certain deployment requirements.
>
> for example:
>
>     IP prot:
>       srcIP: 1.1.1.1
>       dstIP: 2.2.2.2
>     Radius prot:
>       code: access-request (1)
>       AVPs:
>         NAS-IP-Address: 3.3.3.3
>
>     srcIP != NAS-IP-Address

Some NASes have 1 IP and you can select which source IP goes into the NAS-IP-Address; think for example a router with 2 connections to the network and a loopback interface used for management. The UDP source *may* be the loopback, or the IP of the outbound interface, depending on the NAS implementation. If the latter, source IP can obviously change as routing changes.

I guess there are other reasons, like NAT.

> Thanks,
> Marlon
Re: NAS-IP vs srcIP
Marlon Duksa wrote:

> Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same?

Many. There is *no* requirement in RADIUS that they be identical.

When a packet is proxied, the NAS-IP-Address stays the same, but the source IP changes.

Alan DeKok.
Re: NAS-IP vs srcIP
--On 01 April 2010 09:39 -0700 Marlon Duksa mdu...@gmail.com wrote:

> Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an IP address other than the src-ip of the NAS that is used in regular FreeRadius accounting/authorization packets. The source IP address of the NAS is normally the native interface address from which the access-req was sent (but it can be configurable). The NAS-IP would be used to address the NAS in CoA requests sent from FreeRadius. We need this behavior to address certain deployment requirements.

Radius proxying!

An incoming radius packet may come via a proxy. Therefore that packet's src.ip = the proxy's IP. The NAS-IP-Address attribute is set to whatever the NAS wants to send.

Whether you can address a COA to the NAS-IP-Address depends on whether:

* The NAS chose/was configured to send the IP its COA listener is bound to in the NAS-IP-Address attribute.
* Whether you can access that IP/port directly - If your NAS is configured only to talk via a RADIUS proxy, and everything else is firewalled out, direct replies (COA or otherwise) won't work.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Re: NAS-IP vs srcIP
Plenty of reasons - but one you won't have control over even in CoA is that it could be proxied. The NAS-IP-Address is used in the CoA request packet to tell the NAS which client should receive the packet.

Marlon Duksa wrote:

> Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an IP address other than the src-ip of the NAS that is used in regular FreeRadius accounting/authorization packets. The source IP address of the NAS is normally the native interface address from which the access-req was sent (but it can be configurable). The NAS-IP would be used to address the NAS in CoA requests sent from FreeRadius. We need this behavior to address certain deployment requirements.
>
> for example:
>
>     IP prot:
>       srcIP: 1.1.1.1
>       dstIP: 2.2.2.2
>     Radius prot:
>       code: access-request (1)
>       AVPs:
>         NAS-IP-Address: 3.3.3.3
>
>     srcIP != NAS-IP-Address
>
> Thanks,
> Marlon
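
Added example, not part of any post in this thread and not FreeRADIUS code: a minimal RFC 2865 attribute parser that compares the UDP source address with the sender-supplied NAS-IP-Address (type 4) and notes whether a Proxy-State attribute (type 33) is present. The function names, the result strings and the sample packet are constructed for illustration; a proxy is not required to add Proxy-State, so its absence does not rule out proxying.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4   # RFC 2865 attribute types
PROXY_STATE = 33

def parse_attributes(packet: bytes) -> dict:
    """Return {attr_type: [raw values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20          # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def compare(src_ip: str, packet: bytes) -> str:
    """Compare the IP-layer source with the NAS-IP-Address the sender chose."""
    attrs = parse_attributes(packet)
    values = attrs.get(NAS_IP_ADDRESS)
    if not values:
        return "no NAS-IP-Address"
    if len(values[0]) != 4:
        raise ValueError("NAS-IP-Address must be 4 bytes")
    nas_ip = ipaddress.IPv4Address(values[0])
    if nas_ip == ipaddress.IPv4Address(src_ip):
        return "match"
    if PROXY_STATE in attrs:
        return f"mismatch, proxied: NAS says {nas_ip}"
    # NAT, load balancer, loopback-sourced NAS, or a proxy without Proxy-State
    return f"mismatch, no Proxy-State: NAS says {nas_ip}"

def build_request(nas_ip: str, proxy_state: bytes = b"") -> bytes:
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    body = bytes([1, 5]) + b"bob"                       # User-Name
    body += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    if proxy_state:
        body += bytes([PROXY_STATE, 2 + len(proxy_state)]) + proxy_state
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(compare("1.1.1.1", build_request("3.3.3.3")))
```

Because the attribute is whatever the sender puts in it, a mismatch is something to record when deciding where a CoA can be sent, not an error condition in its own right.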