RE: How to accept RADIUS traffic on multiple interfaces?

Wed, 14 Aug 2013 13:38:57 -0700 

One other thing with multiple interfaces:  RHEL 6 comes with some anti-spoofing 
features in the kernel enabled by default.  I'm afraid I forget exactly what 
they are, but the idea is this:  If the kernel gets a packet from HostA on 
eth1, but the routing table says that the return path to HostA is via eth0, the 
kernel will drop the packet.

If you have this case, you have two choices:
        1)  Make sure that requests come IN the same interface that will send 
the replies.
        2)  Turn off the anti-spoofing features in the kernel.

There's also the third option in which you create separate routing tables for 
each interface (plus the "master" routing table for sessions initiated 
outbound).  It's a pretty big hammer, but has other advantages for multi-homed 
systems.  Write back to me off-list if you want to go that route (pardon the 
pun).

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri....@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri....@lists.freeradius.org] On 
Behalf Of Matteo Vocale
Sent: Wednesday, August 14, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: How to accept RADIUS traffic on multiple interfaces?

Before running radius in debug mode, try iptables -F with root privileges, it 
disables iptables default rules

Phil Mayers <[email protected]> ha scritto:

>On 14/08/13 15:07, Kurt Hillig wrote:
>
>> But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 - 
>> tcpdump shows it coming in, but "radiusd -X" shows no indication of 
>> this traffic (but is reporting all of the traffic on eth0).
>
>If "radiusd -X" isn't reporting *anything*, then it's not reaching 
>FreeRADIUS, which means some part of the network stack is dropping it.
>
>If you're sure your iptables are correct, google "linux log martians" 
>and "linux rp filter". RHEL6 has different defaults to previous RHEL 
>versions in this regard.
>-
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to