(RADIATOR) Disconnecting users via RID - Originating port issue

Paul paul at australis.com.au
Sun Aug 10 21:04:57 CDT 2003


Currently I'm disconnecting users via the radius disconnect feature (RID) using the Radpwtst program. The carrier uses a strict firewall and the command I used was

perl radpwtst -noacct -noauth -acct_port 1700 -auth_port 1700 -secret asecret -code Disconnect-Request NAS-IP-Address=111.111.111.111 Acct-Session-Id=111111

Because of the carrier's firewall I couldn't find a way to use Radpwtst to send it directly, since it failed the firewall due to the originating port not being able to be set to 1700. My solution, which did work, was to forward it via our own Radiator server using a

<AuthBy RADIUS> ......
        # AuthBy RADIUS forwards all requests to a remote radius server
        # who is expected to reply to us. When we received a reply, we
        # will send it back to the original requester

and I use ......

        # You can force an originating port number in order
        # to permit strict firewalling rules. This port
        # number will be used to send packets forwarded
        # by this AuthBy RADIUS
        OutPort 1700

Doing it this way allowed communication to their server because the originating port was now set to 1700. It satisfies the firewall. This was disconnecting users nicely and receiving all accounting records. The only odd thing was that we always received an Acked then a Nacked message from their server to our proxy radius server. The 2nd message would state "NAcked - due to proxing". Thankfully it still worked, at least for a few weeks. Now it fails with the 1st message being a NAcked and the second message "NAcked - Due to proxing". The user stays online.

My question finally :) is whether it is possible to get Radpwtst to force an originating port number like Radiator's <AuthBy RADIUS> "OutPort" variable does. That way proxying wouldn't be necessary. Both programs, Radiator and Radpwtst, are run from the same machine. If this isn't possible, does anyone know of a solution or workaround to get RID working in this situation? Any help would be much appreciated.



Thanks,

Paul
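The post asks whether a Disconnect-Request can be sent directly from a fixed originating port, as Radiator's OutPort does for forwarded packets. The Python below is an added example, not code from the post, from Radiator or from radpwtst: it binds the sending UDP socket to local port 1700 before transmitting an RFC 5176 Disconnect-Request (code 40) built from the NAS-IP-Address and Acct-Session-Id attributes the post uses, and it verifies the Response Authenticator of the Disconnect-ACK/NAK before trusting the answer. The NAS address, secret and session id are the placeholder values from the post's command line.

```python
import hashlib
import socket
import struct
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_NAS_IP_ADDRESS, ATTR_ACCT_SESSION_ID = 4, 44

def build_disconnect_request(secret: bytes, ident: int, nas_ip: str, session_id: str) -> bytes:
    """Disconnect-Request (RFC 5176 code 40) carrying NAS-IP-Address and Acct-Session-Id."""
    attrs = struct.pack("!BB4s", ATTR_NAS_IP_ADDRESS, 6, socket.inet_aton(nas_ip))
    attrs += struct.pack("!BB", ATTR_ACCT_SESSION_ID, 2 + len(session_id)) + session_id.encode()
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a NAS (or proxy) answers: the Response Authenticator is keyed on the request's one."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def classify_response(reply, request: bytes, secret: bytes):
    """Return 'ACK', 'NAK', or None if the reply is missing, malformed, mismatched or not authentic."""
    if reply is None or len(reply) < 20 or reply[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:          # unauthenticated reply: do not act on it
        return None
    return {DISCONNECT_ACK: "ACK", DISCONNECT_NAK: "NAK"}.get(code)

def send_from_port(packet: bytes, dest, src_port: int = 1700, timeout: float = 3.0):
    """Send from a fixed local UDP port (the equivalent of Radiator's OutPort) and wait for a reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("0.0.0.0", src_port))    # the originating port the carrier firewall expects
        sock.settimeout(timeout)
        sock.sendto(packet, dest)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return reply

if __name__ == "__main__":
    # Placeholder values taken from the post; replace with the real NAS address and shared secret.
    req = build_disconnect_request(b"asecret", 1, "111.111.111.111", "111111")
    print(classify_response(send_from_port(req, ("111.111.111.111", 1700)), req, b"asecret"))
```

If Radiator on the same host is itself bound to port 1700 as its OutPort, the bind will fail or the reply may be delivered to Radiator's socket instead, so run this from a host or port that Radiator is not using.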

