On Wed, 2002-05-22 at 07:40, Chris Parker wrote:
>
> proxy server acts as the middle-man. The remote server sees the request
> coming from the proxy server. The only indication the remote server has
> regarding the origin of the request is via the NAS-IP-Address or NAS-
> Identifier. The source IP address of the packet as seen by the remote
> server will be the
> The source-ip of the packets they receive will be the ip of proxying
> server. That source-ip is what is used to determine the shared-secret
> to use. If what you are trying to avoid is having to configure all of
> your NAS into the auth servers, then that is how proxy is meant to work.

Yes, this is what I'm trying to do: keep the configuration on the authentication servers simple (no NAS addresses), and do all the gory authorisation stuff with FreeRadius, in MySQL.

Good point about the shared-secret too.

There's only one more thing: my authentication Radius servers sit on top of a proprietary one-time-password application that has its own mechanisms to control the authorisation. For each user, it has the so-called "pass-actions" fields, containing the NAS IP addresses that are acceptable for that user.

It looks like I have to dig into the documentation and figure out whether the pass-actions are determined based on the source IP of the packets, or based on the NAS-IP-Address field.

If the authentication is done based on the NAS-IP-Address, then I guess I'll configure the proxy to authenticate via PAM, and I'll install and configure the PAM authentication module. This way, I'm sure I'll be able to totally hide the NAS address, no matter what the RFC says. :-)

-- 
Florin Andrei

Democracy is three wolves and a sheep voting on what to have for dinner.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
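
The distinction discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a receiving server picks the shared secret from the packet's source IP, while the originating NAS is visible only as the NAS-IP-Address attribute (type 4 in RFC 2865) inside the request. The addresses, user name, secret and function names below are constructed for illustration.

```python
import ipaddress
import struct

USER_NAME = 1        # RFC 2865 attribute types
NAS_IP_ADDRESS = 4

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def classify(src_ip: str, packet: bytes, clients: dict) -> dict:
    """What the receiving server can learn about one request."""
    attrs = parse_attributes(packet)
    nas = attrs.get(NAS_IP_ADDRESS)
    has_nas = nas is not None and len(nas) == 4
    return {
        # The client table is keyed by packet source IP only.
        "secret": clients.get(src_ip),
        # The originating NAS is whatever the attribute claims.
        "nas_ip": str(ipaddress.IPv4Address(nas)) if has_nas else None,
        "user": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),
    }

def build_request(user: str, nas_ip: str) -> bytes:
    """Constructed Access-Request (code 1) with an all-zero authenticator."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: only the proxy is configured as a client.
CLIENTS = {"10.0.0.5": "proxy-secret"}
PACKET = build_request("alice", "192.0.2.10")
```

Calling `classify("10.0.0.5", PACKET, CLIENTS)` yields the proxy's secret together with the NAS address carried in the attribute, which is the pair of values a per-user NAS restriction could be keyed on.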
