Kartik CDS wrote:
Thanks for the response Alan.
But can you please let me know whether it is mentioned in the radius rfc
that the client should validate the source address?
The wording may not be explicit, but aside from radius secrets being
bound to a server IP & port, the client-generated radius ID numbers are
bound to a server IP & port, and radius clients are *required* to ignore
reply packets with no outstanding request for that IP/port/ID tuple (see
RFC2865 section 4.2). RFC5080 section 2.2.2 clarifies this.
You need to use a different load-balancing setup; having the server
reply from the VIP is fairly trivial in most cases. We do it. It's
usually a case of ordering the load balancer to not translate the
destination IP, binding an IP of $VIP/32 to the NIC and using the server
listen {} statement.
Thanks & Best Regards,
Kartik
On Feb 18, 2008 6:01 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
Kartik CDS wrote:
> Radius client sends access-request to the ip address VIP
> The cluster is responding with IP1 or IP2 instead of VIP as the source
> address, should the radius client allow such a response ?
No. You need to use "udpfromto" in the server. See the "configure"
flags.
> I mean to say whether the radius client should validate the source
> address ?? [ I couldn't find anything related to this in the RFC, kindly
> help]
Yes, it needs to validate the source address.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
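An added example, not code from this thread or from FreeRADIUS, of the client-side rule discussed above: a reply is matched on the (server IP, port, ID) tuple of an outstanding request and checked against the Response Authenticator, so a reply sourced from a node IP instead of the VIP is dropped. The shared secret and addresses are constructed.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"example-secret"  # constructed shared secret, not from the thread

class RadiusClient:
    """Client-side matching: accept a reply only if an Access-Request is outstanding
    for the (server IP, port, ID) tuple and the Response Authenticator verifies."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = {}  # (ip, port, id) -> Request Authenticator

    def send_request(self, server_ip, port, pkt_id):
        """Record an Access-Request sent to server_ip:port; return its Request Authenticator."""
        req_auth = os.urandom(16)
        self.outstanding[(server_ip, port, pkt_id)] = req_auth
        return req_auth

    def accept_reply(self, src_ip, src_port, packet):
        """Return True and retire the request if the reply is valid, else drop it (RFC 2865 4.2)."""
        if len(packet) < 20:
            return False
        header, pkt_id, length = packet[:4], packet[1], struct.unpack("!H", packet[2:4])[0]
        if length != len(packet):
            return False
        req_auth = self.outstanding.get((src_ip, src_port, pkt_id))
        if req_auth is None:
            return False  # nothing outstanding for this source, e.g. a node IP answering for the VIP
        expected = hashlib.md5(header + req_auth + packet[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return False  # wrong secret or altered reply
        del self.outstanding[(src_ip, src_port, pkt_id)]  # also rejects a replay of this reply
        return True

def build_reply(code, pkt_id, req_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def demo():
    """The thread's scenario with constructed addresses; returns (accepted_from_vip, accepted_from_node)."""
    client = RadiusClient(SECRET)
    req_auth = client.send_request("10.0.0.100", 1812, 7)      # 10.0.0.100 stands in for the VIP
    reply = build_reply(2, 7, req_auth, b"", SECRET)           # Access-Accept with no attributes
    from_node = client.accept_reply("10.0.0.1", 1812, reply)   # IP1 answers instead of VIP: dropped
    from_vip = client.accept_reply("10.0.0.100", 1812, reply)  # reply sourced from the VIP: accepted
    return from_vip, from_node
```

The same bookkeeping is why the load balancer must preserve the VIP as the reply source (or the server must answer via udpfromto): a correct client has no entry for IP1 or IP2 and silently discards their replies.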