Hi All,
We faced an issue with a wrong authenticator on answers sent by Radiator.
In our design, client source IP is NATed; here is an example of radius.cfg
client configuration for discussion:
<Client REAL_CLIENT_IP>
    Secret azerty
    Identifier CLIENT
</Client>
<Client DEFAULT>
    Secret qwerty
    Identifier Default
</Client>
REAL_CLIENT_IP is NATed to NAT_CLIENT_IP.
When receiving Access Request with authenticator from NAT_CLIENT_IP, our
Radiator accepts the request and sends an Access-Accept. That means the
authenticator check is OK and that the usage of the secret “azerty” is OK. I
think Radiator is checking client on NAS-IP-ADDRESS and not IP header address.
When creating authenticator for the answer, which IP is used? And then is it
“azerty” or “qwerty” that is used as secret?
To have a working config we had to add:
<Client NAT_CLIENT_IP>
    Secret azerty
    Identifier CLIENT
</Client>
Seems to mean Radiator is using IP header address to calculate the answer and
not NAS-IP-ADDRESS.
Has anybody faced the same and can confirm?
Have a nice weekend,
Regards,
Laurent DURU
Lugos, Network Expertise, Metrology & Security
https://www.lugos.fr
M: +33 6 28 09 88 94
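
Added example, not part of the original post and not Radiator code: a check that takes the Request Authenticator from a captured Access-Request and the matching reply, and reports which of the two secrets from the configuration above validates the reply's Response Authenticator as defined in RFC 2865. The function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

# Secrets from the two Client clauses in the post, keyed by Identifier.
CANDIDATES = {"CLIENT": b"azerty", "Default": b"qwerty"}

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code | Identifier | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Assemble a reply the way a server signing with `secret` would."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def matching_secrets(response, request_auth, candidates=CANDIDATES):
    """Return the Identifier of every candidate secret that validates the reply."""
    if len(response) < 20 or len(request_auth) != 16:
        raise ValueError("truncated packet or bad Request Authenticator")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if not 20 <= length <= len(response):
        raise ValueError("bad Length field")
    received, attrs = response[4:20], response[20:length]
    return [name for name, secret in candidates.items()
            if hmac.compare_digest(
                response_authenticator(code, ident, attrs, request_auth, secret),
                received)]

if __name__ == "__main__":
    # Constructed sample data, not a real capture.
    request_auth = bytes(range(16))
    attrs = bytes([18, 4]) + b"ok"      # Reply-Message attribute, "ok"
    reply = build_response(ACCESS_ACCEPT, 7, attrs, request_auth, b"qwerty")
    print(matching_secrets(reply, request_auth))
```

Run against a real capture, an empty result means neither configured secret produced the reply, and a match names the Client clause whose secret was used to sign it.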