Tariq Rashid <[EMAIL PROTECTED]> wrote:
> When a radius proxy, such as an appropriately configured freeradius ,
> forwards (proxies) a radius request to a target, the target sees a radius
> request from the proxy .. it sees its IP address, the source port, and the
> UID of the radius request.

  UID?

> now, when the radius target forms a reply/responce, does it address it to
> that source port on the proxy server?

  Yes.  From the point of view of the home server, the proxy is just
another NAS.

> if i run multiple proxies on a server, they will get the correct replies if
> 
>       1. they send the proxied requests to the targets from different src
> udp ports

  RADIUS replies go TO the port that the request was sent FROM.
Proxies don't change this.

>       2. if the targets actually respond to these src udp ports, and not a
> default like 1645

  That would be a violation of the RFC's, and wouldn't work with any NAS.

> in people's experience, is the above a reasonable assumption or are there
> common cases of radius target servers (not determined, and heterogeneous)
> which do not behave correctly/usefully.

  If the home server behaves badly when requests are proxied to it, it
will behave badly when a NAS sends packets to it.

  Proxies are just a NAS.

> (there is a secondary issue that the UID for radius is 8 bits long which
> means that in a high proxy volume environment a proxy server can't
> theoretically have more than 256 pending requests ... how is this issue
> overcome in practice?

  Read the RFC's.  Multiple source ports.

  FreeRADIUS allows 8k *active* requests to any home server.  That's
more than enough for major deployments.

> i know that not all devices and target radius servers implement the
> extended id which effectively expands the range from 256)

  Extended ID?  What's that?

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to