(RADIATOR) Source IP on reply packet

Hugh Irvine hugh at open.com.au
Wed Feb 11 15:36:47 CST 2004


Hello Jose -

I think your only option will be to run multiple instances of radiusd.

Radiator itself does not deal with routing the response packets - they 
are simply given to the OS for transmission.

regards

Hugh


On 12 Feb 2004, at 05:39, José Borges Ferreira wrote:

> Hi,
>
> I've recently set up a Radiator server on a RH Linux 9 Box running 
> Radiator 3.7.1 and a Web server. So far so good, but I
> have a somewhat complex network setup.
> I have multiple interfaces and receive traffic from all of them. Since 
> I don't know from which hosts I will be reaching my server, I 
> implemented source-based routing using iproute.
>
> The setup per interface is something like this:
>
> echo 200 int_admin >> /etc/iproute2/rt_tables
> ip route flush table int_admin
> ip route add default via 10.12.1.11 dev eth0.65 table int_admin
> ip rule add from 10.12.1.11 table int_admin
> ip route flush cache
>
>
> I've tested the web server and it works fine.
> When I try the RADIUS it fails.
>
> After some debugging I found that the major difference between them is 
> that web is TCP and RADIUS UDP (obvious).
> On the web server the source IP on the response packets on the 
> webserver is the same as the destination IP of the initial request. On 
> the Radiator the source IP packet of the authentication-response 
> is the IP of the interface matching a routing rule (usually the 
> default gateway).
>
> The possible solutions are:
>
> * Binding a Radiator to every interface (only possible by running an 
> extra radiusd process?!)
> * Adding a static route for every RADIUS client (can cause 
> asymmetric route and fail firewall state)
> * Adding similar code to the LocalAddress directive in AuthRADIUS to 
> force the source IP of the response packet.
>
> Any ideas?!
>
>
> Best regards,
>
> José Borges Ferreira
>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
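
The behaviour discussed in this thread, as an added illustration that is not part of the original messages and is not Radiator code: a UDP socket bound to the wildcard address lets the OS pick the reply's source address, while one socket per local address (the effect of one radiusd instance per address) replies from the address the request was sent to. It assumes a Linux host, where every 127.0.0.0/8 address is local; 127.0.0.1 and 127.0.0.2 stand in for two interfaces, and all function names are hypothetical.

```python
import select
import socket

def open_listeners(addresses, port=0):
    """Open one UDP socket per local address, all on the same port."""
    socks = []
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((addr, port))
        port = s.getsockname()[1]  # reuse the first socket's port for the rest
        socks.append(s)
    return socks, port

def serve_once(socks, timeout=2.0):
    """Answer each waiting request on the socket it arrived on."""
    ready, _, _ = select.select(socks, [], [], timeout)
    for s in ready:
        _, peer = s.recvfrom(4096)
        # No source address is given here: a bound socket uses its own address,
        # a wildcard socket leaves the choice to the kernel's route lookup.
        s.sendto(b"reply", peer)
    return len(ready)

def probe(socks, port, dst, client_src="127.0.0.1"):
    """Send one request to dst and return the source IP carried by the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        cli.settimeout(2.0)
        cli.bind((client_src, 0))
        cli.sendto(b"request", (dst, port))
        serve_once(socks)
        _, (src, _) = cli.recvfrom(4096)
        return src

def compare(dst="127.0.0.2"):
    """Return (reply source via wildcard socket, reply source via per-address sockets)."""
    wild, wport = open_listeners(["0.0.0.0"])
    per_addr, pport = open_listeners(["127.0.0.1", dst])
    try:
        return probe(wild, wport, dst), probe(per_addr, pport, dst)
    finally:
        for s in wild + per_addr:
            s.close()

if __name__ == "__main__":
    wildcard_src, bound_src = compare()
    print("request sent to 127.0.0.2")
    print("wildcard socket replied from:", wildcard_src)
    print("per-address socket replied from:", bound_src)
```

The same comparison can be run against real interface addresses by passing them to `open_listeners` and `probe` in place of the loopback addresses.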
