At 05:14 PM 5/21/2002 -0700, Florin Andrei wrote:
>What's the difference between proxy and replicate?
>
>I mean, I think I know what it is, but I'm not sure:
>- replicate means, rebuild the request and send it to the authentication
>Radius server; the authentication server sees the request as coming from
>the original NAS (and therefore might apply its own authorisation rules
>based on IPs)
>- proxy means, strip the request from every reference to the initial IP
>of the NAS, and send it to the authentication Radius server; the
>authentication server sees all proxied requests as coming from the
>FreeRadius machine (thinks FreeRadius is the NAS)
>
>Is that correct?
Not quite. :)
Proxy - The request cannot be completed locally and must be sent to another
server ( and a response received from the other server ) for handling. The
proxy server acts as the middle-man. The remote server sees the request
coming from the proxy server. The only indication the remote server has
regarding the origin of the request is via the NAS-IP-Address or
NAS-Identifier. The source IP address of the packet as seen by the remote
server will be the
An Access-Request SHOULD contain a User-Name attribute. It MUST
contain either a NAS-IP-Address attribute or a NAS-Identifier
attribute (or both).
In proxy-mode the proxying server waits for a reply from the remote
server before sending a reply to the NAS.
Replication - done the same as proxying, but the remote server's response
is not used. Replication allows you to send the same data ( say an
accounting packet ) to multiple remote servers. This can be done to keep
accounting data in synch ( or attempt to ).
>If there is such a difference, how do I trigger one or the other
>behaviour?
The normal behaviour when using a realm is to proxy. You can also cause
the server to replicate a packet using the 'Replicate-To-Realm := foobar'
attribute.
>I ask this because i need to trick my authentication Radius servers into
>thinking that the original source of all requests are the Radius
>proxies.
The source-ip of the packets they receive will be the ip of proxying
server. That source-ip is what is used to determine the shared-secret
to use. If what you are trying to avoid is having to configure all of
your NAS into the auth servers, then that is how proxy is meant to work.
>My authentication servers need to know nothing about the IP addresses of
>the NASes (i need to "hide" the NAS from the authentication server,
>using a proxy, and do all IP-based authorisation in the proxies). Is
>that doable with FreeRadius?
The authentication servers will know the NAS identifiers/IPs as stated above. It
is a requirement of the RFC that these attributes are present.
I suppose the proxying server could re-write those to contain its own
IP, I'm not certain that would be a violation of the RFC in letter. That
is not something the server does currently, so you'd have to patch it
to do that if that's really what you want.
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
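The proxy/replicate behaviour Chris describes, shown as an added Python example
(not code from the original thread and not FreeRADIUS's own code). It builds a
constructed Accounting-Request from a NAS, has a proxy verify it with the NAS's
shared secret, tag it with Proxy-State and re-sign it with the secret it shares
with the home server, and then shows what the home server sees: the packet
validates only against the secret it keys by the proxy's source IP, while the
NAS-IP-Address attribute still names the original NAS. The IPs, secrets,
NAS-Identifier and Proxy-State value are all made up for the example, and the
UDP transport is left out so it runs offline.

```python
"""RADIUS proxy vs. replicate (RFC 2865/2866 packet format, simplified).

Added illustration only. Accounting-Request is used because its Request
Authenticator is MD5 over the packet plus the shared secret, so the proxy's
re-signing is visible. Transport and Message-Authenticator are omitted.
"""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_PROXY_STATE = 33


def encode_attrs(attrs):
    """attrs: list of (type, bytes) -> Type/Length/Value bytes (RFC 2865 s.5)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs; reject a length that runs past the packet or is < 2."""
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def sign_accounting(ident, attrs_bytes, secret):
    """Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret) (RFC 2866 s.3)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs_bytes))
    auth = hashlib.md5(header + bytes(16) + attrs_bytes + secret).digest()
    return header + auth + attrs_bytes


def verify_accounting(pkt, secret):
    """True only if the Request Authenticator matches under this shared secret."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = sign_accounting(ident, pkt[20:], secret)[4:20]
    return hmac.compare_digest(expected, pkt[4:20])


def nas_accounting_request(nas_ip, user, ident, nas_secret):
    """What the NAS sends: carries its own NAS-IP-Address / NAS-Identifier (RFC requires one)."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (ATTR_NAS_IDENTIFIER, b"nas01"),          # constructed identifier
    ])
    return sign_accounting(ident, attrs, nas_secret)


def proxy_to_home(pkt, nas_secret, home_secret, proxy_tag):
    """Proxy step: check the NAS signature, add Proxy-State, re-sign for the home server.

    The NAS-IP-Address attribute is deliberately left untouched: the home server
    still learns which NAS originated the request even though the UDP source
    (and therefore the shared secret it selects) is the proxy.
    """
    if not verify_accounting(pkt, nas_secret):
        raise ValueError("Request Authenticator does not verify with NAS secret")
    ident = pkt[1]
    attrs = decode_attrs(pkt[20:])
    attrs.append((ATTR_PROXY_STATE, proxy_tag))   # opaque, echoed back by home server
    return sign_accounting(ident, encode_attrs(attrs), home_secret)


def replicate(pkt, nas_secret, home_secrets, proxy_tag):
    """Replication: the same packet re-signed for every home server; replies are ignored."""
    return [proxy_to_home(pkt, nas_secret, s, proxy_tag) for s in home_secrets]


def home_server_view(pkt, secret_for_source_ip):
    """Home server: validate with the secret keyed by the sender's IP, read NAS-IP-Address."""
    ok = verify_accounting(pkt, secret_for_source_ip)
    nas_ip = None
    for t, v in decode_attrs(pkt[20:]):
        if t == ATTR_NAS_IP_ADDRESS:
            nas_ip = socket.inet_ntoa(v)
    return ok, nas_ip


if __name__ == "__main__":
    NAS_SECRET, HOME_SECRET = b"nas-secret", b"home-secret"   # constructed
    req = nas_accounting_request("192.0.2.10", "florin", 7, NAS_SECRET)
    fwd = proxy_to_home(req, NAS_SECRET, HOME_SECRET, b"proxy1")
    print(home_server_view(fwd, HOME_SECRET))   # valid, NAS-IP-Address is still the NAS
    print(home_server_view(fwd, NAS_SECRET))    # invalid: home server keys the secret by proxy IP
    print(len(replicate(req, NAS_SECRET, [HOME_SECRET, b"other-home"], b"proxy1")), "copies")
```

The last print is the point of the thread: the home server only ever needs a
client entry (and secret) for the proxy, but it still receives the NAS's own
address in the attributes; hiding that would require the proxy to rewrite
NAS-IP-Address, which this example does not do.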