On 19/10/18 21:01, Shawn Southern wrote:
> So apparently this works... I was expecting relayd to listen on those ports,
> but I'm guessing that since it hooks through pf, that's not necessary.
>
> -----Original Message-----
> From: owner-m...@openbsd.org <owner-m...@openbsd.org> On Behalf Of Shawn
> Southern
> Sent: October 19, 2018 1:00 PM
> To: misc@openbsd.org
> Subject: relayd and radius
>
> We have a lot of devices that use RADIUS, but they do not allow us to specify
> a 2nd RADIUS server. Since we use OpenBSD w/ CARP as our router/firewall, we
> want to use relayd to provide some redundancy for the RADIUS servers.
>
> There are two internal subnets - 10.10.10.0/24, which has our servers, and
> 10.10.11.0/24 that has the devices using RADIUS to authenticate clients.
> 10.10.10.1 and 10.10.11.1 are both carp interfaces.
>
> When starting relayd, nothing appears to be listening on the RADIUS ports.
> Is this even possible with relayd? Is my configuration just horribly wrong?
>
> relayd.conf:
>
> radius1 = "10.10.10.5"
> radius2 = "10.10.10.6"
> radius_listen = "10.10.11.1"
>
> table <radiushost1> { $radius1 }
> table <radiushost2> { $radius2 }
>
> redirect radius {
>         listen on $radius_listen udp port 1812:1813
>         forward to <radiushost1> check icmp
>         forward to <radiushost2> check icmp
> }
>
> Thanks in advance for any help!
Yes, relayd adds rdr-to rules in pf. No port listening.

You should check your configuration. I believe it should be

table <radius> { $radius1, $radius2 }

and then on redirect:

forward to <radius> check icmp

G
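The corrected configuration from the reply, written out in full as an added example (it is not code from the thread): both RADIUS servers sit in one table, so when a check fails relayd removes that host from the pf table and the devices are redirected to the survivor. The pf.conf anchor line and the sticky-address option are my additions based on relayd.conf(5) and relayd(8); the addresses are the ones from the question.

```conf
# /etc/relayd.conf  (added example, addresses taken from the question)
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"      # CARP address the devices send RADIUS to

# One table holding both backends. relayd runs the health check against
# every member and pulls a failed host out of the pf table, which is what
# gives the failover; two one-host tables never hand traffic over.
table <radius> { $radius1, $radius2 }

redirect radius {
        # relayd does not bind these ports; it installs rdr-to rules in pf
        # for the CARP address, so nothing shows up in netstat/fstat.
        listen on $radius_listen udp port 1812:1813
        # Keep a given NAS on the same backend so its Access-Request and
        # Accounting-Request packets are not split across servers.
        sticky-address
        forward to <radius> check icmp
}

# /etc/pf.conf must carry this anchor, otherwise relayd has nowhere to
# load its rdr-to rules and the redirect silently does nothing.
anchor "relayd/*"
```

After `relayctl reload`, `relayctl show summary` lists each host's up/down state and `pfctl -a 'relayd/*' -sr` shows the rdr-to rules relayd installed. Note that `check icmp` only proves the host answers ping, not that the RADIUS daemon is accepting requests; relayd's `check script` option can run an external probe that performs a real test authentication if that matters.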