(RADIATOR) How to prevent loops when using RadSec
Hugh Irvine
hugh at open.com.au
Thu Jun 19 02:28:09 CDT 2008
Hello Jan -
Could I ask then what you define as a loop? And conversely, what is
"normal" behaviour?
In your case I would have thought that only requests for
"your_realm.cz" would be accepted from RADSEC?
I.e.

<ServerRADSEC>
	Identifier IncomingRADSEC
	.....
</ServerRADSEC>

<Handler Client-Identifier = IncomingRADSEC, Realm = /^your_realm\.cz$/io>
	# do whatever to authenticate
	.....
</Handler>

<Handler Client-Identifier = IncomingRADSEC>
	# if it's not for "your_realm.cz" reject it
	<AuthBy INTERNAL>
		DefaultResult REJECT
	</AuthBy>
</Handler>
.....
I always find it preferable to configure explicitly what I will
process, then catch everything else and deal with it separately
(usually reject).
hope that helps
regards
Hugh
On 19 Jun 2008, at 17:11, Jan Tomasek wrote:
> Hi Hugh,
>
>
> Hugh Irvine wrote:
>> Hello Jan -
>> You can do the same thing with an Identifier in the ServerRADSEC
>> clause.
>> See section 5.81.24 in the Radiator 4.2 reference manual ("doc/ref.pdf").
>
> This won't help me. I have only the one ServerRADSEC clause, and
> many clients connecting to this one server.
>
> Any other idea?
>
> Thanks
> --
> -----------------------
> Jan Tomasek aka Semik
> http://www.tomasek.cz/
>
>
>> On 18 Jun 2008, at 20:08, Jan Tomasek wrote:
>>> Hi,
>>>
>>> I'm using the following configuration to prevent loops when using
>>> the RADIUS protocol:
>>>
>>> <Client 1.1.1.1>
>>> 	Secret mysecret
>>> 	Identifier client1111
>>> </Client>
>>>
>>> <Handler Client-Identifier=/^(?!client1111$)/o, Realm=/^realm\.cz$/io>
>>> 	<AuthBy RADIUS>
>>> 		Host 1.1.1.1
>>> 		...
>>>
>>> How can I do equivalent when using RadSec?
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
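The first-match Handler selection that both configurations in this thread rely on, modelled in Python as an added example (this is not Radiator code; the handler order, the regexes and the constructed requests are taken from the two snippets above, and a request matching no Handler is simply modelled as DROP):

```python
import re

# Added model of Radiator's Handler selection (not Radiator code): Handlers are
# tried in configuration order and the first one whose check items all match
# handles the request.  Each entry is (description, check items, action); the
# check items are the regexes from the two configurations in the thread.
RADSEC_HANDLERS = [
    ("your_realm.cz arriving via the RadSec listener",
     {"Client-Identifier": r"^IncomingRADSEC$", "Realm": r"^your_realm\.cz$"},
     "AUTHENTICATE"),
    ("anything else arriving via the RadSec listener",
     {"Client-Identifier": r"^IncomingRADSEC$"},
     "REJECT"),
]

# Jan's RADIUS version: proxy realm.cz to 1.1.1.1, except when the request
# came from 1.1.1.1 itself (Client-Identifier client1111), which would loop.
RADIUS_HANDLERS = [
    ("proxy realm.cz unless it originated at the proxy target",
     {"Client-Identifier": r"^(?!client1111$)", "Realm": r"^realm\.cz$"},
     "PROXY to 1.1.1.1"),
    ("catch-all", {}, "REJECT"),
]

def select_handler(handlers, request):
    """Return (description, action) of the first Handler whose checks all match.

    Matching is case-insensitive, mirroring the /i flag in the snippets.
    A request matching no Handler is modelled here as DROP.
    """
    for desc, checks, action in handlers:
        if all(re.search(pat, request.get(attr, ""), re.IGNORECASE)
               for attr, pat in checks.items()):
            return desc, action
    return None, "DROP"

def decide(handlers, client_id, realm):
    """Action taken for a request with the given Client-Identifier and Realm."""
    return select_handler(handlers, {"Client-Identifier": client_id, "Realm": realm})[1]

if __name__ == "__main__":
    # Constructed requests: the second RADIUS case is the loop Jan wants to avoid.
    for hs, cid, realm in [(RADIUS_HANDLERS, "client2222", "realm.cz"),
                           (RADIUS_HANDLERS, "client1111", "realm.cz"),
                           (RADSEC_HANDLERS, "IncomingRADSEC", "your_realm.cz"),
                           (RADSEC_HANDLERS, "IncomingRADSEC", "other.cz")]:
        print(f"{cid:15} {realm:15} -> {decide(hs, cid, realm)}")
```

The request from client1111 for realm.cz falls through the negative lookahead to the catch-all instead of being proxied back to 1.1.1.1, which is the loop the thread is about.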