If the RADIUS server is multihomed you may get responses back from another IP interface besides the one you sent the request to. No, I do not like the fact that I have a multihomed RADIUS server, but necessity can be very evil at times.
I don't think it would be fair to the vendor or being a good internet citizen to post this info.

Ted

On Thu, 2004-06-24 at 20:17 -0400, Gary McKinney wrote:
> Hi Ted,
>
> "Why" would the Access-Accept packet NOT come from the same IP (radius
> server) the request was sent to originally??? To do otherwise would open up
> the NAS or AP to spoofing attacks...
>
> What vendors are you referring to in terms of accepting Access-Accept
> packets from an IP other than the original IP the request was sent to (just
> to make sure I don't use their equipment [grin])??? Are you confusing IP
> (Internet Address) with the port number of the communications on the IP
> address between the NAS or AP and the Radius Server????
>
> gm...
>
> ----- Original Message -----
> From: "Ted Kaczmarek" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 24, 2004 1:59 PM
> Subject: Access-Accept source ip
>
> > I recently noticed that Cisco rejects Access-Accept unless they
> > originate from the same IP that auth was requested from. Another vendor
> > will accept them from any ip no matter who they were originally sent to.
> >
> > Didn't find any mention in the RFC 2865 about the ip source of an accept
> > packet.
> >
> > Now to me it seems like rejecting the packets makes more sense when they
> > are not being sourced from the same IP address that the original request
> > was destined to.
> >
> > Any thought on this?
> >
> > Ted

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
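
Added example, not part of the original thread or any vendor's code: a client-side reply check that combines the two behaviours discussed above (strict source-IP matching versus accepting any source) with the RFC 2865 Response Authenticator, which is what actually ties a reply to the shared secret. The addresses, secret, request ID and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    # Server side, used here only to construct sample packets.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, src_ip, pending, strict_source=True):
    """Return (accepted, reason) for a reply datagram received from src_ip.

    pending maps request ID -> {"server_ip", "request_auth", "secret"}.
    strict_source=True drops replies from any IP other than the one the
    request was sent to; False accepts any source and relies on the
    Response Authenticator alone (the multihomed-server case).
    """
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length"
    req = pending.get(ident)
    if req is None:
        return False, "no matching request"
    if strict_source and src_ip != req["server_ip"]:
        return False, "source mismatch"
    expected = response_authenticator(
        code, ident, packet[20:length], req["request_auth"], req["secret"])
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"
    return True, "ok"

# Constructed sample data (documentation addresses, made-up secret).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
PENDING = {7: {"server_ip": "192.0.2.10", "request_auth": REQ_AUTH, "secret": SECRET}}
ATTRS = bytes([18, 4]) + b"ok"          # Reply-Message attribute: type 18, length 4
GOOD = build_reply(2, 7, ATTRS, REQ_AUTH, SECRET)        # code 2 = Access-Accept
FORGED = build_reply(2, 7, ATTRS, REQ_AUTH, b"guess")    # sender lacks the secret

if __name__ == "__main__":
    for pkt, ip, strict in [(GOOD, "192.0.2.10", True), (GOOD, "192.0.2.11", True),
                            (GOOD, "192.0.2.11", False), (FORGED, "192.0.2.10", True)]:
        print(ip, "strict" if strict else "any-source", check_reply(pkt, ip, PENDING, strict))
```

With `strict_source=False` the reply from the second interface of a multihomed server is accepted only because its authenticator verifies; a packet built without the shared secret fails in either mode.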

