"mimi" <[EMAIL PROTECTED]> wrote:
> In freeradius-0.2, the state attribute:
> info = challenge + time
> state = info + hmac(info, key)
>
> What if we use multiple RADIUS servers and the NAS uses round-robin?
> The NAS gets the challenge from one server and sends the response to another.

  Then it doesn't work.

> Can freeradius extract the previous challenge value from the
> challenge-response packet?

  It can.

> How about the state attribute including the challenge value which the
> NAS (exactly, not the NAS but the user terminal) uses to encrypt the password?
> Will this clash with other algorithms (TLS etc.)?

  No.  But it's extra work for the server.

  The better solution to the problem is to fix the server so that when it's proxying, it treats Access-Challenge responses from the home server specially.  That is, an Access-Challenge from a home server means that (somehow) the proxy decides to forward relevant packets from the client to that specific home server.

  Hmm... this may not be difficult.  We'd need yet another data structure/list, containing NAS IP, State, and realm information.  Access-Requests with a State attribute would be matched against that list, and forwarded to the given realm.

  Maybe in a later version...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

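The exchange discussed in the thread above, as an added example that is not part of the original posts and not FreeRADIUS code. It builds the State attribute the way mimi describes (info = challenge + time, State = info + hmac(info, key)), shows a home server recovering the challenge from a State it minted, and adds the (NAS IP, State) -> home server list Alan sketches for the proxy. Everything else is an assumption made for the example: HMAC-SHA1, a 16-byte challenge and a 4-byte big-endian timestamp inside info, a separate State key per home server (so a State from server A is unverifiable at server B, which is the round-robin failure mode), a constructed password-response scheme, and the NAS address and user name.

```python
import hashlib
import hmac
import os
import struct

# Assumed layout of the State attribute: challenge (16 bytes) || time (4 bytes) || HMAC-SHA1.
CHALLENGE_LEN = 16
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes
PASSWORD = b"constructed-user-password"  # known to the user terminal and the home servers


def make_state(challenge: bytes, issued_at: int, key: bytes) -> bytes:
    """info = challenge || time;  State = info || HMAC-SHA1(info, key)."""
    info = challenge + struct.pack(">I", issued_at)
    return info + hmac.new(key, info, hashlib.sha1).digest()


def parse_state(state: bytes, key: bytes, now: int, max_age: int = 60):
    """Recover (challenge, issued_at) from a State this key minted, or raise
    ValueError if another server minted it, it was tampered with, or it is stale."""
    if len(state) != CHALLENGE_LEN + 4 + MAC_LEN:
        raise ValueError("State has the wrong length")
    info, mac = state[:-MAC_LEN], state[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, info, hashlib.sha1).digest()):
        raise ValueError("State MAC does not verify")
    challenge = info[:CHALLENGE_LEN]
    (issued_at,) = struct.unpack(">I", info[CHALLENGE_LEN:])
    if not 0 <= now - issued_at <= max_age:
        raise ValueError("State has expired")
    return challenge, issued_at


class HomeServer:
    """Challenge/response home server with its own State key (assumption), so a
    State minted by one server cannot be parsed by another."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def handle(self, request: dict, now: int) -> dict:
        if "State" not in request:            # first round: issue a challenge
            challenge = os.urandom(CHALLENGE_LEN)
            return {"code": "Access-Challenge", "Challenge": challenge,
                    "State": make_state(challenge, now, self.key)}
        try:                                   # second round: recover our challenge from State
            challenge, _ = parse_state(request["State"], self.key, now)
        except ValueError as exc:
            return {"code": "Access-Reject", "reason": str(exc)}
        expected = hmac.new(PASSWORD, challenge, hashlib.sha1).digest()
        ok = hmac.compare_digest(request.get("Response", b""), expected)
        return {"code": "Access-Accept" if ok else "Access-Reject"}


class Proxy:
    """Round-robin proxy.  With pin_challenges=True it keeps the list Alan
    describes: an Access-Challenge pins (NAS IP, State) to the home server that
    sent it, and the next Access-Request carrying that State goes back there."""

    def __init__(self, homes, pin_challenges: bool):
        self.homes, self.pin, self.rr, self.pending = list(homes), pin_challenges, 0, {}

    def pick(self, nas_ip: str, request: dict) -> HomeServer:
        if self.pin and "State" in request:
            home = self.pending.get((nas_ip, request["State"]))
            if home is not None:
                return home
        home = self.homes[self.rr % len(self.homes)]   # plain round-robin otherwise
        self.rr += 1
        return home

    def forward(self, nas_ip: str, request: dict, now: int) -> dict:
        home = self.pick(nas_ip, request)
        reply = home.handle(request, now)
        if self.pin:
            if reply["code"] == "Access-Challenge":
                self.pending[(nas_ip, reply["State"])] = home
            elif "State" in request:             # Accept/Reject ends the conversation
                self.pending.pop((nas_ip, request["State"]), None)
        return reply


def run_exchange(pin_challenges: bool, now: int = 1_000_000) -> str:
    """One NAS, two home servers behind a proxy; returns the final reply code."""
    proxy = Proxy([HomeServer("A", b"key-A"), HomeServer("B", b"key-B")], pin_challenges)
    nas_ip = "192.0.2.10"                       # constructed NAS address
    chal = proxy.forward(nas_ip, {"User-Name": "mimi"}, now)
    assert chal["code"] == "Access-Challenge"
    # The user terminal answers the challenge; the NAS echoes State unchanged.
    response = hmac.new(PASSWORD, chal["Challenge"], hashlib.sha1).digest()
    reply = proxy.forward(nas_ip, {"User-Name": "mimi", "State": chal["State"],
                                   "Response": response}, now + 1)
    return reply["code"]


if __name__ == "__main__":
    print("plain round-robin:", run_exchange(False))   # Access-Reject
    print("challenge pinning:", run_exchange(True))    # Access-Accept
```

With `pin_challenges=False` the second Access-Request lands on server B, whose `parse_state` rejects a State minted under server A's key, which is the failure mimi asks about. With pinning on, the proxy's pending list sends it back to A, which recovers the challenge from the State and accepts. The entry is dropped as soon as the home server answers with something other than Access-Challenge, so the list only holds conversations that are still in progress.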