D'AVELLA STEFANO wrote:
All following ipv6 addresses are to be read with global scope (but as I said, if they were ipv4 it would be the same I think)
Server address : 2001::400 Proxy (interface to the server) 2001::300 Proxy (interface to the client) 2000::300 Client 2000:200
Now when I try to run the test what it happens is that the client sends the auth request, the proxy correctly forwards it to the server, and the server correctly authenticate the client. The problem is that the proxy sends the proxied message with the address 2000::300, not 2001::300. When the server tries to reply to the proxy, it tries to send the packet to 2000::300 but since it is a different network there is no route for it.
Then your routing tables are broken. You have a route FROM 2000::300 to the server. This is why that source IP is being chosen by the OS for proxied packets. You don't, however, have a route BACK, which is why the packets never make it back.
I have been searching for a while in the users / radiusd.conf / clients.conf / proxy.conf for a option to set the proxy ip address when proxying messages. It seemed to me that I saw something like that , but if I did I just can't find it again.
You can't fix routing issues by editing FreeRADIUS configuration files.
P.S: another quick question. It is possible with some logging option (or in other ways) to save the attributes that the server adds to the auth accept message locally in a file in the proxy machine? I saw that there is some options to add/modify the attributes in the reply, but it is possible to save them in a file?
See the "detail" module. Alan DeKok.