(RADIATOR) Disconnecting users via RID - Originating port issue

Hugh Irvine hugh at open.com.au
Mon Aug 11 01:05:54 CDT 2003


Hello Paul -

Thanks for the suggestion - there is a new version of "radpwtst" 
available on the web site for downloading.

You can now use "-outport" and "-bind_address" options.

regards

Hugh


On Monday, Aug 11, 2003, at 12:04 Australia/Melbourne, Paul wrote:

> Currently I’m disconnecting users via the radius disconnect feature  
> (RID) using the Radpwtst program. The carrier uses a strict firewall 
> and the command I used was
>
> perl radpwtst -noacct -noauth -acct_port 1700 -auth_port 1700 -secret 
> asecret -code Disconnect-Request NAS-IP-Address=111.111.111.111 
> Acct-Session-Id=111111
>
> Because of the carrier's firewall I couldn't find a way to use Radpwtst 
> to send it directly, since it failed the firewall due to the 
> originating port not being able to be set to 1700. My solution, which 
> did work, was to forward it via our own Radiator server using a
>
> <AuthBy RADIUS> ......
>     # AuthBy RADIUS forwards all requests to a remote radius server
>     # who is expected to reply to us. When we received a reply, we
>     # will send it back to the original requester
>
> and I use ......
>
>     # You can force an originating port number in order
>     # to permit strict firewalling rules. This port
>     # number will be used to send packets forwarded
>     # by this AuthBy RADIUS
>     OutPort 1700
>
> Doing it this way allowed communication to their server because the 
> originating port was now set to 1700. It satisfies the firewall. This 
> was disconnecting users nicely and receiving all accounting records. 
> The only odd thing was that we always received an Acked then a Nacked 
> message from their server to our proxy radius server. The 2nd message 
> would state "NAcked - due to proxing". Thankfully it still worked... at 
> least for a few weeks. Now it fails, with the 1st message being a 
> NAcked and the second message "NAcked - Due to proxing". The user stays 
> online.
>
> My question finally :) is whether it is possible to get Radpwtst to 
> force an originating port number like Radiator's <AuthBy RADIUS> 
> "OutPort" variable does. That way proxying wouldn't be necessary. Both 
> programs, Radiator and Radpwtst, are run from the same machine. If 
> this isn't possible, does anyone know of a solution or workaround to 
> get RID working in this situation? Any help would be much appreciated.
>
> Thanks,
>
> Paul
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
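An added example, not radpwtst's or Radiator's own code, showing at the socket level what the -outport / -bind_address options and the OutPort directive discussed above do: the Disconnect-Request from Paul's command (NAS-IP-Address, Acct-Session-Id, secret "asecret") is built per RFC 5176, sent from a bound source port 1700, and the Disconnect-ACK/NAK reply is checked against its Response Authenticator. All function names are assumed; the 111.111.111.111 / 111111 values are the placeholders from the thread.

```python
# Added example (not from radpwtst or Radiator): RFC 5176 Disconnect-Request
# sent from a fixed source port, with Response Authenticator validation.
import hashlib
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
NAS_IP_ADDRESS, ACCT_SESSION_ID = 4, 44   # RFC 2865 / RFC 2866 attribute types


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_disconnect_request(secret, ident, nas_ip, session_id):
    """Return packet bytes. Request Authenticator = MD5(Code + ID + Length
    + 16 zero octets + Attributes + Secret), RFC 5176 section 2.3."""
    attrs = _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + \
        _attr(ACCT_SESSION_ID, session_id.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret, request, response):
    """True iff response is a Disconnect-ACK/NAK echoing the request ID whose
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes
    + Secret) matches; a reply failing this was not produced with our secret."""
    if len(response) < 20 or response[0] not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def send_from_port(packet, host, port=1700, outport=1700, bind_address="0.0.0.0"):
    """Bind the UDP source port before sending, so a strict firewall sees
    source port 1700 (what OutPort / -outport achieve). Returns the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_address, outport))   # -bind_address / -outport
        sock.settimeout(5)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
        return reply
```

Only the reply that passes verify_response() should be treated as the server's verdict; the identifier check also ties each ACK/NAK to the request it answers.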
