no Client-IP-Address in packet
Dear everybody, I've installed the radius 's CVS version of 08-23-06. I've this architecture : client < ====> AP <====> Radius A <====> Radius B 802.1X proxying The client does not have adress of IP, it recover his IP address by the DHCP server installed in radius server A, after being authenticated. I'm doing an EAP/TTLS authentication. When I proxied the request from to server A to the server B, there wasn't Client-IP-Address in the packet. I thought radius server A would have put its own ip address for Client-IP-Address attribute before sending the packet to server B. So, I would like to know if it's a normal situation and in this case, how I could insert the Client-IP-Address attribute in the packet. Thanks in advance. Your sincerly. --------------------------------- Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici.
Mitaine Yoann wrote:
Dear everybody,
I've installed the radius 's CVS version of 08-23-06.
I've this architecture : client < ====> AP <====> Radius A <====> Radius B 802.1X proxying
The client does not have adress of IP, it recover his IP address by the DHCP server installed in radius server A, after being authenticated. I'm doing an EAP/TTLS authentication.
Client-IP-Address refers to the client of the radius server, not the client of the NAS
When I proxied the request from to server A to the server B, there wasn't Client-IP-Address in the packet.
Client-IP-Address is added by the preprocess module. Have you removed this from "authorize"? If so, don't do that.
Phil Mayers wrote:
Mitaine Yoann wrote:
When I proxied the request from to server A to the server B, there wasn't Client-IP-Address in the packet.
Client-IP-Address is added by the preprocess module. Have you removed this from "authorize"? If so, don't do that.
Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server. In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS. regards, Mike
Michael Mitchell <mitchell.michael@bigpond.com> a écrit :Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server. In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS. Exactly, but it would seem that never arrives. Could you tell me, how to make so that the Client-IP-Address have the IP address value of server A . your sincerly --------------------------------- Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici.
Mitaine Yoann wrote:
*/Michael Mitchell <mitchell.michael@bigpond.com>/* a écrit :
Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server.
Yes, I am aware of that. I said that, in fact.
In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS.
Exactly, but it would seem that never arrives. Could you tell me, how to make so that the Client-IP-Address have the IP address value of server A .
Don't remove the preprocess module from authorize.
Phil Mayers <p.mayers@imperial.ac.uk> a écrit : Mitaine Yoann wrote:
*/Michael Mitchell /* a écrit :
Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server.
Yes, I am aware of that. I said that, in fact.
In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS.
Exactly, but it would seem that never arrives. Could you tell me, how to make so that the Client-IP-Address have the IP address value of server A .
Don't remove the preprocess module from authorize. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html the only problem is that "preprocess" is present in the authorize section in the radiusd.conf file of the radius server A : authorize { preprocess suffix eap files Autz-Type LDAP { ldap } } so I don't understand when a proxying request arrives, why the server B didn't match the rule in the users file : DEFAULT Huntgroup-Name == "foo", Ldap-Group == "interne", Autz-Type := Ldap where foo Client-IP-Address == x.x.x.x there is perhaps a bug in the version which I use? --------------------------------- Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici.
Dear everybody, In my previous email , I forgot to say that when I received a proxing packet, I tried to match a rule on the radius server B like : DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap where foo is defining in huntgroups file as : foo Client-IP-Address == x.x.x.x in the users file. But this one hadn't been matched. If somebody has an idea...? Mitaine Yoann <ymitaine@yahoo.fr> a écrit : Dear everybody, I've installed the radius 's CVS version of 08-23-06. I've this architecture : client < ====> AP <====> Radius A <====> Radius B 802.1X proxying The client does not have adress of IP, it recover his IP address by the DHCP server installed in radius server A, after being authenticated. I'm doing an EAP/TTLS authentication. When I proxied the request from to server A to the server B, there wasn't Client-IP-Address in the packet. I thought radius server A would have put its own ip address for Client-IP-Address attribute before sending the packet to server B. So, I would like to know if it's a normal situation and in this case, how I could insert the Client-IP-Address attribute in the packet. Thanks in advance. Your sincerly. --------------------------------- Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici.
Mitaine Yoann wrote:
In my previous email , I forgot to say that when I received a proxing packet, I tried to match a rule on the radius server B like : DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap where foo is defining in huntgroups file as : foo Client-IP-Address == x.x.x.x in the users file. But this one hadn't been matched. If somebody has an idea...?
Have you run the server in debug mode to see what it is doing? radiusd -X As Phil said "Client-IP-Address is added by the preprocess module. Have you removed this from "authorize"? If so, don't do that." The huntgroups file is also processed in the preprocess module, so if you have removed preprocess from the authorize section then your configuration wont work anyway.
participants (4)
-
Michael Mitchell -
Mitaine Yoann -
Nicolas Baradakis -
Phil Mayers