(RADIATOR) How to prevent loops when using RadSec

Jan Tomasek jan at tomasek.cz
Thu Jun 19 02:43:03 CDT 2008


Hi,

Hugh Irvine wrote:
> Could I ask then what you define as a loop? And conversely, what is 
> "normal" behaviour?

A loop is when my server thinks that "realm1.cz" belongs to the server 
1.1.1.1 and the server 1.1.1.1 proxies it back to me.

This can cause a DoS on my server and I want to prevent it. I'm using 
Radiator as an NREN-level proxy in eduroam.cz. In the past this DoS happened 
with RADIUS; now it happens with RadSec.

I use this config for RADIUS; I enhanced it a bit, hopefully that makes it 
clearer.

<Client 1.1.1.1>
   Secret    mysecret
   Identifier    client1111
</Client>

<Client 2.2.2.2>
   Secret    mysecret
   Identifier    client2222
</Client>

<Handler Client-Identifier=/^(?!client1111$)/o, Realm=/^realm1.cz$/io>
# This says: send to 1.1.1.1 every packet with "realm1.cz" except
# those received from server 1.1.1.1
   <AuthBy RADIUS>
     Host        1.1.1.1
   ...
</Handler>

<Handler Client-Identifier=/^(?!client2222$)/o, Realm=/^realm2.cz$/io>
   <AuthBy RADIUS>
     Host        2.2.2.2
   ...
</Handler>

This prevents servers 1.1.1.1 and 2.2.2.2 from sending realms they are 
responsible for.

But with RadSec there is no Client definition. There is only ONE 
<ServerRADSEC>, so I can't use Identifier in the same way.

> In your case I would have thought that only requests for
> "your_realm.cz" would be accepted from RADSEC?

No, I need to accept any packet in <ServerRADSEC> and later make sure I am 
not forwarding possibly looped packets.

Best regards
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
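To make the decision the two Handlers above take visible, here is an added Python model of Radiator's first-matching-Handler selection (example code, not Radiator's own implementation, and not part of the post). The CLIENT_IDENTIFIERS table stands in for the <Client> clauses, and the unknown source 3.3.3.3 stands in for a RadSec peer that has no <Client> clause; both are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed model: Radiator tries Handlers in configuration order and the
# first one whose check items all match takes the request. Client-Identifier
# is the Identifier of the <Client> clause the packet arrived through; Realm
# is the part of User-Name after '@'.

@dataclass(frozen=True)
class Handler:
    client_identifier: re.Pattern  # Client-Identifier check item
    realm: re.Pattern              # Realm check item
    next_hop: str                  # AuthBy RADIUS Host

# The two Handlers from the post. Perl's /o only caches the compiled regex, so
# it has no Python equivalent; /i becomes re.I. The unescaped '.' in realm1.cz
# is kept as written, so it also matches e.g. "realm1-cz" (worth escaping in
# production).
HANDLERS = [
    Handler(re.compile(r"^(?!client1111$)"), re.compile(r"^realm1.cz$", re.I), "1.1.1.1"),
    Handler(re.compile(r"^(?!client2222$)"), re.compile(r"^realm2.cz$", re.I), "2.2.2.2"),
]

# Stand-in for the <Client> clauses: source address -> Identifier (assumption).
# A RadSec peer has no <Client> clause, so it gets an empty identifier.
CLIENT_IDENTIFIERS = {"1.1.1.1": "client1111", "2.2.2.2": "client2222"}

def select_next_hop(source_ip: str, user_name: str, handlers=HANDLERS):
    """Return the Host the request is proxied to, or None when no Handler
    matches (Radiator then rejects the request instead of proxying it)."""
    client_id = CLIENT_IDENTIFIERS.get(source_ip, "")
    realm = user_name.rpartition("@")[2] if "@" in user_name else ""
    for h in handlers:
        if h.client_identifier.search(client_id) and h.realm.search(realm):
            return h.next_hop
    return None

if __name__ == "__main__":
    # Normal case: a request for realm1.cz arriving from 2.2.2.2 goes to 1.1.1.1.
    print(select_next_hop("2.2.2.2", "alice@realm1.cz"))   # 1.1.1.1
    # Loop case: 1.1.1.1 proxies realm1.cz back; no Handler matches, so the
    # packet is not sent to 1.1.1.1 again.
    print(select_next_hop("1.1.1.1", "alice@realm1.cz"))   # None
    # The RadSec gap from the post: with no Client-Identifier the negative
    # lookahead cannot exclude the peer, so a looped packet is forwarded.
    print(select_next_hop("3.3.3.3", "carol@realm1.cz"))   # 1.1.1.1
```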
