[RADIATOR] AuthRADSEC and radsecproxy are incompatible!
Karl Gaissmaier
karl.gaissmaier at uni-ulm.de
Wed Jul 17 01:58:21 CDT 2013
Hello,
On 15.07.2013 10:07, Ralf Paffrath wrote:
...
> anyway it's a bit proprietary that Radiator ignores the correct identifier in an Access-Reject packet.
>
> The Identifier is also part of RFC2865:
> Identifier
> The Identifier field is one octet, and aids in matching requests
> and replies. The RADIUS server can detect a duplicate request if
> it has the same client source IP address and source UDP port and
> Identifier within a short span of time.
In the case of connection-oriented RADSEC/TCP proxying, it's a problem to
decide on client addresses and client ports. It's always the same peer
socket, and 8 bits can very soon be too short on a heavily used proxy
connection.
RADSEC/TCP or RADIUS/TCP came after RFC 2865; maybe we should make
an RFC addendum that Proxy-State MUST ALWAYS be replied, even in
Status-Server requests.
Meanwhile we could/should add a config flag in radsecproxy to allow
this.
Best Regards
Charly
--
Karl Gaissmaier
Universität Ulm / Germany
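An added example, not part of this thread and not code from radsecproxy or Radiator: a minimal RADIUS codec in Python that shows why the 8-bit Identifier alone cannot match replies on a single RadSec/TCP peer socket once it wraps, and how a Proxy-State echoed by the server restores the match. The encoder, the `ProxyTable` class and the constructed 8-byte tag are assumptions of this example; only the header layout and attribute type 33 (Proxy-State) come from RFC 2865.

```python
import os
import struct
ACCESS_REQUEST, ACCESS_REJECT, PROXY_STATE = 1, 3, 33  # RFC 2865 codes and attribute type

def encode(code, ident, authenticator, attrs):
    """RADIUS packet: Code, Identifier, Length, Authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body

def decode(pkt):
    """Return (code, ident, authenticator, [(type, value), ...]); reject malformed TLVs."""
    code, ident, length, auth = struct.unpack("!BBH16s", pkt[:20])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, auth, attrs

class ProxyTable:
    def __init__(self):
        # Requests forwarded over one peer socket that still await a reply:
        # (identifier, proxy_state_tag) -> original client request
        self.pending = {}
    def forward(self, client_req, ident):
        # Tag the forwarded copy with a fresh Proxy-State (constructed 8-byte random tag).
        code, _, auth, attrs = decode(client_req)
        tag = os.urandom(8)
        self.pending[(ident, tag)] = client_req
        return encode(code, ident, auth, attrs + [(PROXY_STATE, tag)])
    def match_reply(self, reply):
        """Return the client request this reply answers, or None when it is ambiguous."""
        _, ident, _, attrs = decode(reply)
        tags = [v for t, v in attrs if t == PROXY_STATE]
        if tags:  # Proxy-State echoed: exact match even though the Identifier was reused
            return self.pending.pop((ident, tags[-1]), None)
        same_id = [k for k in self.pending if k[0] == ident]  # only 8 bits to go on
        return self.pending.pop(same_id[0]) if len(same_id) == 1 else None

def demo():
    """Two requests in flight under one Identifier, as happens once 256 are outstanding."""
    table = ProxyTable()
    req_a = encode(ACCESS_REQUEST, 7, os.urandom(16), [(1, b"alice")])  # 1 = User-Name
    req_b = encode(ACCESS_REQUEST, 9, os.urandom(16), [(1, b"bob")])
    table.forward(req_a, 42)
    echoed = [a for a in decode(table.forward(req_b, 42))[3] if a[0] == PROXY_STATE]
    without = encode(ACCESS_REJECT, 42, b"\0" * 16, [])      # server dropped Proxy-State
    with_ps = encode(ACCESS_REJECT, 42, b"\0" * 16, echoed)  # echoed as RFC 2865 requires
    return table.match_reply(without) is None, table.match_reply(with_ps) == req_b
```

The zeroed Response Authenticator is a placeholder; a real proxy would verify it before trusting the reply at all.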