[RADIATOR] AuthRADSEC and radsecproxy are incompatible!

Karl Gaissmaier karl.gaissmaier at uni-ulm.de
Wed Jul 17 01:58:21 CDT 2013


Hello,

On 15.07.2013 10:07, Ralf Paffrath wrote:
...
> anyway it's a bit proprietary that Radiator ignores the correct identifier in an Access-Reject packet.
>
> The Identifier is also part of RFC2865:
> Identifier
>        The Identifier field is one octet, and aids in matching requests
>        and replies.  The RADIUS server can detect a duplicate request if
>        it has the same client source IP address and source UDP port and
>        Identifier within a short span of time.

In the case of connection-oriented RADSEC/TCP proxying, it's a problem to
decide on client addresses and client ports. It's always the same peer
socket, and 8 bits can very soon be too short on a heavily used proxy
connection.

RADSEC/TCP or RADIUS/TCP came after RFC-2865; maybe we should make
an RFC addendum that Proxy-State MUST ALWAYS be replied, even in
Status-Server requests.

Meanwhile we could/should add a config flag in radsecproxy to allow
this.

Best Regards
    Charly

-- 
Karl Gaissmaier
Universität Ulm / Germany
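
An added illustration, not part of the original message and not Radiator or radsecproxy code: on a single RADSEC/TCP connection the peer address and port never change, so a table keyed on the 8-bit Identifier holds at most 256 in-flight requests, while a table keyed on an echoed Proxy-State has no such limit but cannot match a reply that omits the attribute. The class names, the zeroed authenticator and the 8-byte serial used as the Proxy-State value are assumptions.

```python
import struct

PROXY_STATE = 33  # attribute type of Proxy-State in RFC 2865

def build_packet(code, identifier, attrs):
    """Encode a RADIUS packet; the authenticator is zeroed (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body

def parse_packet(data):
    """Return (code, identifier, [(type, value), ...]) after length checks."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, attrs

class IdentifierTable:
    """Matches replies on one connection by the 8-bit Identifier only."""
    def __init__(self):
        self.pending = {}
    def send(self, code, attrs, origin):
        ident = next((i for i in range(256) if i not in self.pending), None)
        if ident is None:
            raise RuntimeError("256 requests in flight: no free Identifier")
        self.pending[ident] = origin
        return build_packet(code, ident, attrs)
    def receive(self, data):
        return self.pending.pop(parse_packet(data)[1], None)

class ProxyStateTable:
    """Matches replies by an echoed Proxy-State; the Identifier just wraps."""
    def __init__(self):
        self.pending, self.serial = {}, 0
    def send(self, code, attrs, origin):
        self.serial += 1
        state = struct.pack("!Q", self.serial)  # assumed opaque value format
        self.pending[state] = origin
        return build_packet(code, self.serial % 256, attrs + [(PROXY_STATE, state)])
    def receive(self, data):
        states = [v for t, v in parse_packet(data)[2] if t == PROXY_STATE]
        # A reply without our Proxy-State cannot be matched to any request.
        return self.pending.pop(states[-1], None) if states else None
```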

