On Tue, Mar 01, 2005 at 12:52:52PM +1100, Mitchell, Michael J wrote:
> > The information is in the PoD request.
>
> Kind of. From the NAS's perspective, the PoD only needs to contain the
> Acct-Session-Id. However, obviously in order to proxy a request we at
> least need the NAS-IP-Address. I use this to map back to a "Realm" or a
> NAS which will ultimately handle the PoD.
>
> > To ensure that bad things don't happen, the PoD *should* be
> > treated sort of like an Access-Accept, and the server should
> > see where the packet is proxied to. IF the home server is
> > where the PoD request came from, then it's a "real" PoD
> > request, and is sent to the NAS.
> > Otherwise, it's dropped.
>
> I must admit, my solution is not that comprehensive, and I'm not sure if
> it would even be possible. A PoD doesn't REQUIRE a User-Name attribute,
> so it would be difficult in that instance to map a PoD back to an
> appropriate home server for the specified session (NAS-IP-Address &
> Acct-Session-Id). The only attributes that are guaranteed (in my case)
> are NAS-IP-Address and Acct-Session-Id.
>
> My "solution" met my needs at the time as I had very specific
> requirements, and using freeRADIUS was the quickest way to a solution,
> as freeRADIUS obviously already has all the proxy and RADIUS packet
> handling logic, and is nice and modular, so it's easy to add this stuff
> quickly (even if it's not the best solution).
>
> I also haven't tried proxying directly to a NAS. Should be easy enough
> to set this up in our test lab though.
>
> Alan would be disgusted at my current butcher job ;-). However, I'll
> review what I have done (it was several months ago now) and report back
> as soon as I can (may take a few days though) - hopefully with something
> a little more elegant than I have currently.

I'm also thinking about multi-level proxies... For the setup I'm using,
the NAS talks to a pool of RADIUS proxies, which talk to my RADIUS
server, which may then (based on realm) proxy to _another_ RADIUS server.

I can't talk directly to the NAS (or at least, I doubt I can), so I can
generate PoDs and send them to the proxy server pool attached to the NAS,
but if the one I'm proxying to wants to PoD, then I need some kind of
reverse-realm map so I can determine where the PoD has to go, as unlike
an Access-Accept, there's no Access-Request structure sitting in memory
describing where to reply to. In my case, the reverse map can key by
either NAS-IP-Address or Realm...

I look forward to whatever you come up with. ^_^

Maybe an extension of the clients.conf? Your NAS or PoD next hop should
be in there already... ^_^

There's also _another_ NAS + proxy pool that proxies to me, but they
don't do PoD. (They have a webpage, but I've not been game to set up a
wget-of-death).

-- 
Paul "TBBle" Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
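The routing rule discussed in this thread (treat a Disconnect-Request/PoD like an Access-Accept, work out which home server the session was proxied to, and forward to the NAS only if the PoD actually came from that home server, otherwise drop it) together with a reverse map keyed by NAS-IP-Address, written out as an added Python example. This is not code from the thread, from either poster, or from FreeRADIUS: the table format, the RFC 5737 addresses, the session IDs and the function names are all invented for illustration and do not reflect FreeRADIUS clients.conf or proxy.conf syntax. Because a PoD need not carry User-Name, the realm is recovered from a session table keyed by (NAS-IP-Address, Acct-Session-Id) that is populated when the original request passes through the proxy.

```python
"""Toy PoD (Disconnect-Request) routing for a RADIUS proxy.

Added example for the thread above; not code from FreeRADIUS or from any
poster. All tables and addresses below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Realm -> home server that handles requests for it (constructed data;
# hypothetical format, not FreeRADIUS proxy.conf syntax).
REALM_HOME_SERVER: Dict[str, str] = {
    "example.net": "192.0.2.10",
    "isp.example": "198.51.100.20",
}

# NAS-IP-Address -> where a PoD for that NAS must be sent: the NAS itself,
# or the proxy pool sitting in front of it. This is the "reverse map".
NAS_POD_NEXT_HOP: Dict[str, str] = {
    "203.0.113.5": "203.0.113.1",   # NAS reachable only via its proxy pool
    "203.0.113.6": "203.0.113.6",   # NAS we can talk to directly
}

# (NAS-IP-Address, Acct-Session-Id) -> realm the session was proxied to.
# Learned when the Access-Request (or Accounting-Start) passes through,
# since a PoD is not required to carry User-Name.
SESSIONS: Dict[Tuple[str, str], str] = {}


def realm_of(user_name: str) -> Optional[str]:
    """Return the realm part of user@realm, or None for a bare user name."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].lower()


def learn_session(nas_ip: str, session_id: str, user_name: str) -> Optional[str]:
    """Record which realm a session belongs to when its request is proxied.

    Returns the realm recorded, or None if the user has no known realm
    (in which case no home server could ever legitimately PoD it).
    """
    realm = realm_of(user_name)
    if realm is None or realm not in REALM_HOME_SERVER:
        return None
    SESSIONS[(nas_ip, session_id)] = realm
    return realm


def route_pod(src_ip: str, attrs: Dict[str, str]) -> Tuple[str, str]:
    """Decide what to do with a Disconnect-Request received from src_ip.

    Returns ("forward", next_hop) or ("drop", reason). Only the two
    attributes the thread says are guaranteed are required.
    """
    nas_ip = attrs.get("NAS-IP-Address")
    session_id = attrs.get("Acct-Session-Id")
    if nas_ip is None or session_id is None:
        return ("drop", "missing NAS-IP-Address or Acct-Session-Id")

    realm = SESSIONS.get((nas_ip, session_id))
    if realm is None:
        return ("drop", "unknown session")

    # The anti-spoofing check: a PoD for this session is only "real" if it
    # comes from the home server the session was proxied to.
    if src_ip != REALM_HOME_SERVER[realm]:
        return ("drop", f"sender is not the home server for realm {realm}")

    next_hop = NAS_POD_NEXT_HOP.get(nas_ip)
    if next_hop is None:
        return ("drop", f"no PoD next hop known for NAS {nas_ip}")
    return ("forward", next_hop)


if __name__ == "__main__":
    # Constructed walk-through: a proxied login, then a genuine and a
    # forged PoD for the same session.
    learn_session("203.0.113.5", "0000ABCD", "alice@example.net")
    pod = {"NAS-IP-Address": "203.0.113.5", "Acct-Session-Id": "0000ABCD"}
    print(route_pod("192.0.2.10", pod))      # from the real home server
    print(route_pod("198.51.100.20", pod))   # from some other server
```

The session table is the piece that substitutes for the "Access-Request structure sitting in memory" that an Access-Accept would normally be matched against; in a real deployment it would need an expiry tied to Accounting-Stop, and the source check would sit behind the usual shared-secret/Request-Authenticator validation of the packet itself.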