[RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward
Karl Gaissmaier
karl.gaissmaier at uni-ulm.de
Sun Jul 14 13:40:15 CDT 2013
Hi Alex, hi radiator team,
On 14.07.2013 19:48, Alan Buxey wrote:
> Hi
>
> As an end site you really shouldn't be sending invalid realms to your
> national proxy... but there does seem to be something odd going on here.
I sent it to test this situation. As an eduroam ServiceProvider I don't
know if a client is misconfigured. OK, normally I reject top-level
realms, like the used '@akad' in my test, but some visitors have for
example:
1272017248108413 at wlan.mnc001.mcc262.3gppnetwork.org
and this has the same result. As an endpoint SP, I can't filter
for all wrong @realms, I don't know them all ,-)
> . their system should be just sending back a straight access reject. If
> radsecproxy doesn't like extended proxy id (or the config doesn't allow
> it) then that would be an issue
Yes, this is the issue.
I don't see the config of the federation-level-radius-proxy and the
admins are not very helpful, they state that's a problem with Radiator
using extended Ids in the Proxy-State, e.g. they respond with
RFC 5997, saying that Status-Server MUST NOT be proxied and therefore
the Proxy-State attribute isn't allowed.
>
> 4.4. Proxy Server Handling of Status-Server
>
>
> Many RADIUS servers can act as proxy servers, and can forward
> requests to another RADIUS server. Such servers MUST NOT proxy
> Status-Server packets. The purpose of Status-Server as specified
> here is to permit the client to query the responsiveness of a server
> with which it has a direct relationship. Proxying Status-Server
> queries would negate any usefulness that may be gained by
> implementing support for them.
>
> Proxy servers MAY be configured to respond to Status-Server queries
> from clients, and they MAY act as clients sending Status-Server
> queries to other servers. However, those activities MUST be
> independent of one another.
What shall I do? Radiator's AuthBy RADSEC Identifiers are always based
on Proxy-State.
What does the Radiator team say about RFC 5997?
Best Regards
Charly