Proxy with two interfaces configuration
Hello all, I am using freeradius 2.1.0 on two ubuntu machines, one of which is configured as server and one as proxy. The network is configured in ipv6 but that's not the problem here (everything regarding ipv6 works well now) I am trying to create a testbed where there is three machines: -one server, which listens to an interface -one client (for testing I am just using radclient) that sends auth requests to a proxy -one proxy, in the middle of the two other machines, that proxies auth requests to the server. This proxy has two interfaces, one connected to the client and one to the server. All following ipv6 addresses are to be read with global scope (but as I said, if they were ipv4 it would be the same I think) Server address : 2001::400 Proxy (interface to the server) 2001::300 Proxy (interface to the client) 2000::300 Client 2000:200 Now when I try to run the test what it happens is that the client sends the auth request, the proxy correctly forwards it to the server, and the server correctly authenticate the client. The problem is that the proxy sends the proxied message with the address 2000::300, not 2001::300. When the server tries to reply to the proxy, it tries to send the packet to 2000::300 but since it is a different network there is no route for it. I have been searching for a while in the users / radiusd.conf / clients.conf / proxy.conf for a option to set the proxy ip address when proxying messages. It seemed to me that I saw something like that , but if I did I just can't find it again. If it exists it would be sufficient to tell me where to find it and I will hopefully solve this issue on my own. I attach some config files: Server: Clients.conf # IPv6 Client client 2000::300 { nastype = other secret = testing123 shortname = relay } (if I set 2001::300 it tells me that it receives a packet from the unknown host 2000::300 and discards it) Radiusd.conf listen { # ipaddr = * ipv6addr = 2001::400 port = 0 type = auth } Proxy Clients.conf # IPv6 Client client 2000::200 { secret = testing123 shortname = mobile } Proxy.conf home_server rad_server { type = auth ipv6addr = 2001::400 port = 1812 secret =testing123 } home_server_pool my_auth { type = fail-over home_server = rad_server } realm example.com { auth_pool = my_auth } (example.com is the realm I use in the test) P.S: another quick question. It is possible with some logging option (or in other ways) to save the attributes that the server adds to the auth accept message locally in a file in the proxy machine? I saw that there is some options to add/modify the attributes in the reply, but it is possible to save them in a file? Thanks in advance for the help and sorry if I am missing out something obvious. Best Regards, -- D'Avella Stefano Bell Labs Alcatel-Lucent Centre de Villarceaux Route de Villejust 91625 NOZAY
P.S: another quick question. It is possible with some logging option (or in other ways) to save the attributes that the server adds to the auth accept message locally in a file in the proxy machine? I saw that there is some options to add/modify the attributes in the reply, but it is possible to save them in a file? I answered the second question reading with more accuracy the modules documentation. Thank you anyway. (The proxy problem is still there anyway) -- D'Avella Stefano Bell Labs Alcatel-Lucent Centre de Villarceaux Route de Villejust 91625 NOZAY
D'AVELLA STEFANO wrote:
All following ipv6 addresses are to be read with global scope (but as I said, if they were ipv4 it would be the same I think)
Server address : 2001::400 Proxy (interface to the server) 2001::300 Proxy (interface to the client) 2000::300 Client 2000:200
Now when I try to run the test what it happens is that the client sends the auth request, the proxy correctly forwards it to the server, and the server correctly authenticate the client. The problem is that the proxy sends the proxied message with the address 2000::300, not 2001::300. When the server tries to reply to the proxy, it tries to send the packet to 2000::300 but since it is a different network there is no route for it.
Then your routing tables are broken. You have a route FROM 2000::300 to the server. This is why that source IP is being chosen by the OS for proxied packets. You don't, however, have a route BACK, which is why the packets never make it back.
I have been searching for a while in the users / radiusd.conf / clients.conf / proxy.conf for a option to set the proxy ip address when proxying messages. It seemed to me that I saw something like that , but if I did I just can't find it again.
You can't fix routing issues by editing FreeRADIUS configuration files.
P.S: another quick question. It is possible with some logging option (or in other ways) to save the attributes that the server adds to the auth accept message locally in a file in the proxy machine? I saw that there is some options to add/modify the attributes in the reply, but it is possible to save them in a file?
See the "detail" module. Alan DeKok.
participants (2)
-
Alan DeKok -
D'AVELLA STEFANO