Re: relayd and radius

2018-10-22 Thread Kapetanakis Giannis
On 19/10/18 21:01, Shawn Southern wrote:
> So apparently this works... I was expecting relayd to listen on those ports, 
> but I'm guessing that since it hooks through pf, that's not necessary.
> 
> -Original Message-
> From: owner-m...@openbsd.org  On Behalf Of Shawn 
> Southern
> Sent: October 19, 2018 1:00 PM
> To: misc@openbsd.org
> Subject: relayd and radius
> 
> We have a lot of devices that use RADIUS, but they do not allow us to specify 
> a 2nd RADIUS server.  Since we use OpenBSD w/ CARP as our router/firewall, we 
> want to use relayd to provide some redundancy for the RADIUS servers.
> 
> There are two internal subnets - 10.10.10.0/24, which has our servers, and 
> 10.10.11.0/24 that has the devices using RADIUS to authenticate clients.  
> 10.10.10.1 and 10.10.11.1 are both carp interfaces.
> 
> When starting relayd, nothing appears to be listening on the RADIUS ports.  
> Is this even possible with relayd?  Is my configuration just horribly wrong?
> 
> relayd.conf:
> radius1 = "10.10.10.5"
> radius2 = "10.10.10.6"
> radius_listen = "10.10.11.1"
> 
> table  { $radius1 }
> table  { $radius2 }
> 
> redirect radius {
> listen on $radius_listen udp port 1812:1813
> forward to  check icmp
> forward to  check icmp
> }
> 
> Thanks in advance for any help!
> 


Yes, relayd adds rdr-to rules in pf. No port listening.

You should check your configuration.

I believe it should be

table  { $radius1, $radius2 }

and then on redirect: forward to  check icmp

G

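The configuration as Giannis describes it, written out in full as an added example (not from the thread); the table name <radius> is an assumption, since only the variable names survive in the quoted config:

```conf
# Added example: one table holding both RADIUS servers, one forward rule.
# The table name <radius> is assumed; addresses are the ones from the thread.
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"

# Both backends in a single table; a host whose icmp check fails is taken
# out of the pf table, so redirects only go to reachable servers.
table <radius> { $radius1, $radius2 }

# "redirect" installs rdr-to rules in the relayd pf anchor; relayd itself
# does not open a socket on 1812/1813.
redirect radius {
	listen on $radius_listen udp port 1812:1813
	forward to <radius> check icmp
}
```

After `relayd -n -f /etc/relayd.conf` passes, the anchor and table contents can be inspected with `pfctl -sA -a 'relayd/*'` and `pfctl -a relayd/radius -T show -t radius`, as in Benno's reply.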


Re: relayd and radius

2018-10-21 Thread Sebastian Benoit
Shawn Southern(shawn.south...@entegrus.com) on 2018.10.19 18:01:41 +:
> So apparently this works... I was expecting relayd to listen on those ports, 
> but I'm guessing that since it hooks through pf, that's not necessary.

It only listens if you use "relay". If you use "redirect", it uses pf tables
with rdr rules.

You should see something like this:

# pfctl -sA
  relayd

# pfctl -sA -a relayd/*
  relayd/radius

# pfctl -sr -a relayd/radius
pass in quick on rdomain 0 inet proto tcp from any to xxx.xxx.xxx.xxx port =
 flags S/SA keep state (tcp.established 600) rdr-to
 port yyyy round-robin

# pfctl -a relayd/radius -T show -t radius
a.b.c.d
a.b.c.e


Please read the section "REDIRECTIONS" in relayd.conf(5).

I admit the line "Specify an address and a port to listen on.  pf(4) will
redirect..." could be rewritten.

/Benno
 
> -Original Message-
> From: owner-m...@openbsd.org  On Behalf Of Shawn 
> Southern
> Sent: October 19, 2018 1:00 PM
> To: misc@openbsd.org
> Subject: relayd and radius
> 
> We have a lot of devices that use RADIUS, but they do not allow us to specify 
> a 2nd RADIUS server.  Since we use OpenBSD w/ CARP as our router/firewall, we 
> want to use relayd to provide some redundancy for the RADIUS servers.
> 
> There are two internal subnets - 10.10.10.0/24, which has our servers, and 
> 10.10.11.0/24 that has the devices using RADIUS to authenticate clients.  
> 10.10.10.1 and 10.10.11.1 are both carp interfaces.
> 
> When starting relayd, nothing appears to be listening on the RADIUS ports.  
> Is this even possible with relayd?  Is my configuration just horribly wrong?
> 
> relayd.conf:
> radius1 = "10.10.10.5"
> radius2 = "10.10.10.6"
> radius_listen = "10.10.11.1"
> 
> table  { $radius1 }
> table  { $radius2 }
> 
> redirect radius {
> listen on $radius_listen udp port 1812:1813
> forward to  check icmp
> forward to  check icmp
> }
> 
> Thanks in advance for any help!
> 




Re: relayd and radius

2018-10-19 Thread Shawn Southern
So apparently this works... I was expecting relayd to listen on those ports, 
but I'm guessing that since it hooks through pf, that's not necessary.

-Original Message-
From: owner-m...@openbsd.org  On Behalf Of Shawn 
Southern
Sent: October 19, 2018 1:00 PM
To: misc@openbsd.org
Subject: relayd and radius

We have a lot of devices that use RADIUS, but they do not allow us to specify a 
2nd RADIUS server.  Since we use OpenBSD w/ CARP as our router/firewall, we 
want to use relayd to provide some redundancy for the RADIUS servers.

There are two internal subnets - 10.10.10.0/24, which has our servers, and 
10.10.11.0/24 that has the devices using RADIUS to authenticate clients.  
10.10.10.1 and 10.10.11.1 are both carp interfaces.

When starting relayd, nothing appears to be listening on the RADIUS ports.  Is 
this even possible with relayd?  Is my configuration just horribly wrong?

relayd.conf:
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"

table  { $radius1 }
table  { $radius2 }

redirect radius {
listen on $radius_listen udp port 1812:1813
forward to  check icmp
forward to  check icmp
}

Thanks in advance for any help!



relayd and radius

2018-10-19 Thread Shawn Southern
We have a lot of devices that use RADIUS, but they do not allow us to specify a 
2nd RADIUS server.  Since we use OpenBSD w/ CARP as our router/firewall, we 
want to use relayd to provide some redundancy for the RADIUS servers.

There are two internal subnets - 10.10.10.0/24, which has our servers, and 
10.10.11.0/24 that has the devices using RADIUS to authenticate clients.  
10.10.10.1 and 10.10.11.1 are both carp interfaces.

When starting relayd, nothing appears to be listening on the RADIUS ports.  Is 
this even possible with relayd?  Is my configuration just horribly wrong?

relayd.conf:
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"

table  { $radius1 }
table  { $radius2 }

redirect radius {
listen on $radius_listen udp port 1812:1813
forward to  check icmp
forward to  check icmp
}

Thanks in advance for any help!