Re: relayd and radius
On 19/10/18 21:01, Shawn Southern wrote:
> So apparently this works... I was expecting relayd to listen on those ports,
> but I'm guessing that since it hooks through pf, that's not necessary.
>
> -Original Message-
> From: owner-m...@openbsd.org On Behalf Of Shawn Southern
> Sent: October 19, 2018 1:00 PM
> To: misc@openbsd.org
> Subject: relayd and radius
>
> We have a lot of devices that use RADIUS, but they do not allow us to specify
> a 2nd RADIUS server. Since we use OpenBSD w/ CARP as our router/firewall, we
> want to use relayd to provide some redundancy for the RADIUS servers.
>
> There are two internal subnets - 10.10.10.0/24, which has our servers, and
> 10.10.11.0/24 that has the devices using RADIUS to authenticate clients.
> 10.10.10.1 and 10.10.11.1 are both carp interfaces.
>
> When starting relayd, nothing appears to be listening on the RADIUS ports.
> Is this even possible with relayd? Is my configuration just horribly wrong?
>
> relayd.conf:
> radius1 = "10.10.10.5"
> radius2 = "10.10.10.6"
> radius_listen = "10.10.11.1"
>
> table { $radius1 }
> table { $radius2 }
>
> redirect radius {
>         listen on $radius_listen udp port 1812:1813
>         forward to check icmp
>         forward to check icmp
> }
>
> Thanks in advance for any help!
>

Yes, relayd adds rdr-to rules in pf. No port listening.

You should check your configuration. I believe it should be

    table { $radius1, $radius2 }

and then on redirect:

    forward to check icmp

G
Re: relayd and radius
Shawn Southern(shawn.south...@entegrus.com) on 2018.10.19 18:01:41 +:
> So apparently this works... I was expecting relayd to listen on those ports,
> but I'm guessing that since it hooks through pf, that's not necessary.

It only listens if you use "relay". If you use "redirect", it uses pf
tables with rdr rules. You should see something like this:

    # pfctl -sA
      relayd
    # pfctl -sA -a relayd/*
      relayd/radius
    # pfctl -sr -a relayd/radius
    pass in quick on rdomain 0 inet proto tcp from any to xxx.xxx.xxx.xxx port = flags S/SA keep state (tcp.established 600) rdr-to port round-robin
    # pfctl -a relayd/radius -T show -t radius
       a.b.c.d
       a.b.c.e

Please read the section "REDIRECTIONS" in relayd.conf(5). I admit the line
"Specify an address and a port to listen on. pf(4) will redirect..." could
be rewritten.

/Benno

> -Original Message-
> From: owner-m...@openbsd.org On Behalf Of Shawn Southern
> Sent: October 19, 2018 1:00 PM
> To: misc@openbsd.org
> Subject: relayd and radius
>
> We have a lot of devices that use RADIUS, but they do not allow us to specify
> a 2nd RADIUS server. Since we use OpenBSD w/ CARP as our router/firewall, we
> want to use relayd to provide some redundancy for the RADIUS servers.
>
> There are two internal subnets - 10.10.10.0/24, which has our servers, and
> 10.10.11.0/24 that has the devices using RADIUS to authenticate clients.
> 10.10.10.1 and 10.10.11.1 are both carp interfaces.
>
> When starting relayd, nothing appears to be listening on the RADIUS ports.
> Is this even possible with relayd? Is my configuration just horribly wrong?
>
> relayd.conf:
> radius1 = "10.10.10.5"
> radius2 = "10.10.10.6"
> radius_listen = "10.10.11.1"
>
> table { $radius1 }
> table { $radius2 }
>
> redirect radius {
>         listen on $radius_listen udp port 1812:1813
>         forward to check icmp
>         forward to check icmp
> }
>
> Thanks in advance for any help!
>

--
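Putting the two replies together, here is what a working relayd.conf for the setup in this thread looks like. This is an added example, not a configuration either poster or the relayd project wrote; it keeps the thread's addresses, merges the two single-host tables into one table as G suggests, and adds the pf.conf anchor that relayd(8) requires so pf actually evaluates the rdr-to rules relayd loads. The table name "radius" and the sticky-address option are my choices, not something the thread specifies.

```conf
# relayd.conf (added example; addresses are the ones from the thread)
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"

# One table holding both backends, so the redirect can balance between them.
# The name <radius> is assumed; the posted config had two single-host tables.
table <radius> { $radius1, $radius2 }

redirect radius {
        # relayd does not open a socket here: it loads a pass ... rdr-to rule
        # into the pf anchor relayd/radius for this address and port range.
        listen on $radius_listen udp port 1812:1813

        # Keep each client on the same backend. Assumed to be wanted here,
        # since a RADIUS Access-Challenge exchange spans several datagrams
        # that should reach the same server.
        sticky-address

        # icmp only proves the host answers ping, not that the RADIUS
        # daemon is up; relayd's "check script" can run a real probe instead.
        forward to <radius> check icmp
}

# pf.conf must carry the anchor relayd populates, or its rules never match:
#     anchor "relayd/*"
```

After `relayctl reload`, the commands Benno lists above are the check: `pfctl -sr -a relayd/radius` should show a single rdr-to rule for udp 1812:1813, and `pfctl -a relayd/radius -T show -t radius` should list both backend addresses while their checks pass; a host that fails its check drops out of that table, which is the failover the original question asks for.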
Re: relayd and radius
So apparently this works... I was expecting relayd to listen on those ports,
but I'm guessing that since it hooks through pf, that's not necessary.

-Original Message-
From: owner-m...@openbsd.org On Behalf Of Shawn Southern
Sent: October 19, 2018 1:00 PM
To: misc@openbsd.org
Subject: relayd and radius

We have a lot of devices that use RADIUS, but they do not allow us to specify
a 2nd RADIUS server. Since we use OpenBSD w/ CARP as our router/firewall, we
want to use relayd to provide some redundancy for the RADIUS servers.

There are two internal subnets - 10.10.10.0/24, which has our servers, and
10.10.11.0/24 that has the devices using RADIUS to authenticate clients.
10.10.10.1 and 10.10.11.1 are both carp interfaces.

When starting relayd, nothing appears to be listening on the RADIUS ports.
Is this even possible with relayd? Is my configuration just horribly wrong?

relayd.conf:
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"

table { $radius1 }
table { $radius2 }

redirect radius {
        listen on $radius_listen udp port 1812:1813
        forward to check icmp
        forward to check icmp
}

Thanks in advance for any help!
relayd and radius
We have a lot of devices that use RADIUS, but they do not allow us to specify
a 2nd RADIUS server. Since we use OpenBSD w/ CARP as our router/firewall, we
want to use relayd to provide some redundancy for the RADIUS servers.

There are two internal subnets - 10.10.10.0/24, which has our servers, and
10.10.11.0/24 that has the devices using RADIUS to authenticate clients.
10.10.10.1 and 10.10.11.1 are both carp interfaces.

When starting relayd, nothing appears to be listening on the RADIUS ports.
Is this even possible with relayd? Is my configuration just horribly wrong?

relayd.conf:
radius1 = "10.10.10.5"
radius2 = "10.10.10.6"
radius_listen = "10.10.11.1"

table { $radius1 }
table { $radius2 }

redirect radius {
        listen on $radius_listen udp port 1812:1813
        forward to check icmp
        forward to check icmp
}

Thanks in advance for any help!