Hi Laurent, did you check what said RADIATOR when receive RADIUS request package , first few line with Trace 5 ?
Regards, Dubravko Penezic On 3/8/19 5:00 PM, Laurent Duru wrote: > Hi All, > > > > We faced an issue with wrong authenticator on answers sent by Radiator. > > In our design, client source IP is NATed, here is an example of > radius.cfg client configuration for discussion : > > > > <Client REAL_CLIENT_IP > > > Secret azerty > > Identifier CLIENT > > </Client> > > > > <Client DEFAULT> > > Secret qwerty > > Identifier Default > > </Client> > > > > REAL_CLIENT_IP is NATed to NAT_CLIENT_IP > > > > When receiving Access Request with authenticator from NAT_CLIENT_IP, our > radiator accepts the request and send an access-accept. That means the > authenticator check is OK and that the usage of the secret “azerty is > OK. I think radiator is checking client on NAS-IP-ADDRESS and not IP > header address. > > > > When creating authenticator for the answer which IP is used ? and then > is it “azerty” or “qwerty” that is used as secret ? > > To have a working config we had to add : > > <Client NAT_CLIENT_IP> > > Secret azerty > > Identifier CLIENT > > </Client> > > > > Seems to mean radiator is using IP header address to calculate the > answer and not NAS-IP-ADDRESS. > > > > Does anybody faced the same and can confirm ? > > > > Have a nice week-end, > > > > Regards, > > > > *Laurent DURU* > > *Lugos*, Expertise Réseaux, Métrologie & Sécurité > > https://www.lugos.fr > > M: +33 6 28 09 88 94 > > [email protected] <mailto:[email protected]> > > Adoptez l’éco-attitude. N’imprimez ce mail que si c’est vraiment > nécessaire. > > > > > _______________________________________________ > radiator mailing list > [email protected] > https://lists.open.com.au/mailman/listinfo/radiator > -- Dubravko Penezic Sektor za posrednicke sustave i podatkovne usluge Sveuciliste u Zagrebu, Sveucilisni racunski centar (Srce), www.srce.unizg.hr [email protected], tel: +385 1 616 5555, fax: +385 1 616 5559 _______________________________________________ radiator mailing list [email protected] https://lists.open.com.au/mailman/listinfo/radiator
