(RADIATOR) How to prevent loops when using RadSec
Jan Tomasek
jan at tomasek.cz
Thu Jun 19 02:43:03 CDT 2008
Hi,
Hugh Irvine wrote:
> Could I ask then what you define as a loop? And conversely, what is
> "normal" behaviour?
Loop is when my server thinks that "realm1.cz" belongs to the server
1.1.1.1 and the server 1.1.1.1 is proxying it back to me.
This can cause DoS on my server and want to prevent it. I'm using
Radiator as NREN level proxy in eduroam.cz. In past this DoS happen with
RADIUS, now it happen with RadSec.
I use this config for RADIUS, I bit enhanced it, hopefully it will make
it more clear.
<Client 1.1.1.1>
Secret mysecret
Identifier client1111
</Client>
<Client 2.2.2.2>
Secret mysecret
Identifier client2222
</Client>
<Handler Client-Identifier=/^(?!client1111$)/o, Realm=/^realm1.cz$/io>
# This say: Send to 1.1.1.1 every packet with "realm1.cz" except of
# those received from server 1.1.1.1
<AuthBy RADIUS>
Host 1.1.1.1
...
</Handler>
<Handler Client-Identifier=/^(?!client2222$)/o, Realm=/^realm2.cz$/io>
<AuthBy RADIUS>
Host 2.2.2.2
...
</Handler>
This prevents servers 1.1.1.1 and 2.2.2.2 from sending realms they are
responsible for.
But with RadSec there is no Client definition. There is only ONE
<ServerRADSEC> so I can't use Identifier in same way
> In your case I would have thought that only requests for
> "your_realm.cz" would be accepted from RADSEC?
No I need to accept any packet in <ServerRADSEC> and later make sure I
not forwarding posibly looped packets.
Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list