Hello Andrew -
On Tue, 26 Sep 2000, Andrew Pollock wrote:
> > -----Original Message-----
> > From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, September 25, 2000 12:17 PM
> > To: Andrew Pollock; [EMAIL PROTECTED]
> > Subject: Re: (RADIATOR) Radiator proxying and NAT
> >
> >
> >
> > Hello Andrew -
> >
> > On Mon, 25 Sep 2000, Andrew Pollock wrote:
> > > Hi,
> > >
> > > I'm currently troubleshooting a curious problem with Radiator proxying to a
> > > second Radiator server that is behind a firewall and is having address
> > > translation performed on it.
> > >
> > > The Radiator server doing the proxying is on the Internet, and the Radiator
> > > server being proxied to has a private IP address and a fixed public address
> > > is translated to that private IP address.
> > >
> > > Translation is occurring some of the time, but not consistently, and it's
> > > naturally causing all sorts of problems. The problem is going to have to be the
> > > firewall, but I'm wondering if anything Radiator is doing isn't helping
> > > either. One thing I noticed is Radiator is proxying on the packets with a
> > > high source port (not 1645). I'm pretty sure that previously I've seen
> > > RADIUS servers do all the talking in all directions on port 1645, is this
> > > the case?
> > >
> >
> > As far as I know, radius clients (which is what Radiator is when acting as a
> > proxy) use high source port numbers when sending requests. The only time we
> > have seen something different (ie. broken) is with some versions of GRIC on NT,
> > which don't reply to the source port as sent in the request.
> >
> > Someone else on the list may have other comments.
>
> Hi again,
>
> I've done a little bit more research and noticed the following:
>
> NAS (outside firewall) talking to RADIUS (Radiator) server (inside firewall)
> The NAS will change its source port (the high port) with each new request.
> Retransmitted requests all use the same source port as the original request.
> Everything works fine with the firewall and the NATing.
>
> Radiator server (outside firewall) talking to Radiator server (inside
> firewall)
> The Radiator server outside the firewall changes its source port every
> minute or so. Multiple different requests are sent to the other Radiator
> server on the same source port. The first request is NATed correctly, the
> subsequent requests are not. Once the Radiator server outside the firewall
> changes its source port again, that first request is also NATed
> successfully, the rest are not.
>
> How hard is it going to be to change Radiator to use a new source port for
> each request that it proxies?
>
Your description is most curious, as Radiator opens a socket and then keeps
using it forever. How are you starting radiusd? And what hardware/software
platform are you running on?
In any case, it sounds like you should fix the firewall.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
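
The pattern described in this thread (the first request on a UDP source port is translated, later requests on the same port are not) can be checked from a packet capture. The following is an added example, not part of the original messages or of Radiator. It assumes a capture taken on the inside of the firewall in which untranslated packets still carry the public destination address; the addresses, ports and records are constructed.

```python
from collections import defaultdict

PUBLIC_ADDR = "203.0.113.10"  # constructed stand-in for the fixed public address
PRIVATE_ADDR = "10.0.0.10"    # constructed stand-in for the private address

# Constructed capture summary taken on the inside of the firewall:
# (seconds, UDP source port, RADIUS identifier, destination address seen)
SAMPLE_PACKETS = [
    (0.0, 40112, 1, PRIVATE_ADDR),   # proxy: first request on this port
    (1.5, 40112, 2, PUBLIC_ADDR),    # proxy: later request, same port
    (3.0, 40112, 3, PUBLIC_ADDR),
    (61.0, 40377, 4, PRIVATE_ADDR),  # proxy has moved to a new source port
    (62.0, 40377, 5, PUBLIC_ADDR),
    (10.0, 1025, 9, PRIVATE_ADDR),   # NAS: one request on its own port
    (13.0, 1025, 9, PRIVATE_ADDR),   # NAS: retransmission, same port and id
]


def classify_flows(packets, private_addr=PRIVATE_ADDR):
    """Group packets by source port and say which ones were translated."""
    flows = defaultdict(list)
    for ts, sport, ident, dst in sorted(packets):
        # A packet counts as translated if it arrived with the private address.
        flows[sport].append((ident, dst == private_addr))

    report = {}
    for sport, pkts in flows.items():
        hits = [translated for _, translated in pkts]
        if all(hits):
            verdict = "all-translated"
        elif hits[0] and not any(hits[1:]):
            verdict = "first-only"       # the symptom reported in the thread
        elif not any(hits):
            verdict = "none-translated"
        else:
            verdict = "mixed"
        report[sport] = {
            "requests": len({ident for ident, _ in pkts}),
            "packets": len(pkts),
            "translated": sum(hits),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for sport, row in sorted(classify_flows(SAMPLE_PACKETS).items()):
        print(sport, row)
```

A "first-only" verdict on ports that carry several distinct requests, next to "all-translated" on ports that carry one request plus retransmissions, matches the behaviour reported above and points at how the firewall tracks UDP flows.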