Shawn Southern(shawn.south...@entegrus.com) on 2018.10.19 18:01:41 +0000:
> So apparently this works... I was expecting relayd to listen on those ports, 
> but I'm guessing that since it hooks through pf, that's not necessary.

It only listens if you use "relay". If you use "redirect", it uses pf tables
with rdr rules.

You should see something like this:

# pfctl -sA
  relayd

# pfctl -sA -a relayd/*
  relayd/radius

# pfctl -sr -a relayd/radius
pass in quick on rdomain 0 inet proto tcp from any to xxx.xxx.xxx.xxx port =
yyyy flags S/SA keep state (tcp.established 600) rdr-to
<radius> port yyyy round-robin

# pfctl -a relayd/radius -T show -t radius
a.b.c.d
a.b.c.e


Please read the section "REDIRECTIONS" in relayd.conf(5).

I admit the line "Specify an address and a port to listen on.  pf(4) will
redirect..." could be rewritten.

/Benno
 
> -----Original Message-----
> From: owner-m...@openbsd.org <owner-m...@openbsd.org> On Behalf Of Shawn 
> Southern
> Sent: October 19, 2018 1:00 PM
> To: misc@openbsd.org
> Subject: relayd and radius
> 
> We have a lot of devices that use RADIUS, but they do not allow us to specify 
> a 2nd RADIUS server.  Since we use OpenBSD w/ CARP as our router/firewall, we 
> want to use relayd to provide some redundancy for the RADIUS servers.
> 
> There are two internal subnets - 10.10.10.0/24, which has our servers, and 
> 10.10.11.0/24 that has the devices using RADIUS to authenticate clients.  
> 10.10.10.1 and 10.10.11.1 are both carp interfaces.
> 
> When starting relayd, nothing appears to be listening on the RADIUS ports.  
> Is this even possible with relayd?  Is my configuration just horribly wrong?
> 
> relayd.conf:
> radius1 = "10.10.10.5"
> radius2 = "10.10.10.6"
> radius_listen = "10.10.11.1"
> 
> table <radiushost1> { $radius1 }
> table <radiushost2> { $radius2 }
> 
> redirect radius {
>         listen on $radius_listen udp port 1812:1813
>         forward to <radiushost1> check icmp
>         forward to <radiushost2> check icmp
> }
> 
> Thanks in advance for any help!
> 

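Since a relayd "redirect" never opens a listening socket, the check is the pf anchor rather than netstat. The following is an added example, not code from the thread or from relayd: it parses the rule and table output shown above (a constructed sample modelled on the RADIUS config in the original message, one rule per line as pfctl prints it) and reports whether the redirect for the given protocol, address and port exists and its target table actually contains hosts.

```python
"""Verify that relayd's pf anchor carries a redirect and a populated table.

Constructed sample output below; on a live router you would feed in the text
of `pfctl -sr -a relayd/radius` and `pfctl -a relayd/radius -T show -t <table>`.
"""
import re

# Constructed sample of `pfctl -sr -a relayd/radius` for the relayd.conf in the
# thread (UDP 1812:1813 on the CARP address 10.10.11.1, target <radiushost1>).
RULES_SAMPLE = (
    "pass in quick on rdomain 0 inet proto udp from any to 10.10.11.1 "
    "port 1812:1813 keep state rdr-to <radiushost1> round-robin\n"
)

# Constructed sample of `pfctl -a relayd/radius -T show -t <table>`, per table.
TABLE_SAMPLE = {"radiushost1": "   10.10.10.5\n", "radiushost2": "   10.10.10.6\n"}

# Matches the fields we care about in a pf rdr-to rule; "port = N" and
# "port N:M" are both accepted.
RULE_RE = re.compile(
    r"proto (?P<proto>\S+) from any to (?P<addr>\S+) port (?:= )?(?P<port>\S+)"
    r".*?rdr-to <(?P<table>[^>]+)>"
)


def parse_rdr_rules(text):
    """One dict per rdr-to rule: proto, listen address, port, target table."""
    matches = (RULE_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_table(text):
    """Hosts printed by `pfctl -T show`, one per line, whitespace stripped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def check_redirect(rules_text, tables, proto, addr, port):
    """Return a list of problems; an empty list means a matching rdr-to rule
    exists and every table it points at resolves to at least one host."""
    hits = [r for r in parse_rdr_rules(rules_text)
            if r["proto"] == proto and r["addr"] == addr and r["port"] == port]
    if not hits:
        return [f"no rdr-to rule for {proto} {addr} port {port} in anchor"]
    problems = []
    for rule in hits:
        if not parse_table(tables.get(rule["table"], "")):
            problems.append(f"table <{rule['table']}> is empty or missing")
    return problems
```

An empty table with a rule present is the case to watch for: the redirect is installed but every host failed its check, so traffic is dropped rather than forwarded.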