Query regarding Cluster configuration of Radius server
Hello, I have a cluster setup of radius server. The cluster having ip adress as VIP and the cluster members are having IP1 and IP2. Radius client sends access-request to the ip address VIP The cluster is responding with IP1 or IP2 instead of VIP as the source address, should the radius client allow such a response ? I mean to say whether the radius client should validate the source address ?? [ I couldnt find anything related to this in the RFC, kindly help] Regards, Kartik
Kartik CDS wrote:
Radius client sends access-request to the ip address VIP The cluster is responding with IP1 or IP2 instead of VIP as the source address, should the radius client allow such a response ?
No. You need to use "udpfromto" in the server. See the "configure" flags.
I mean to say whether the radius client should validate the source address ?? [ I couldnt find anything related to this in the RFC, kindly help]
Yes, it needs to validate the source address. Alan DeKok.
Thanks for the response Alan. But can you please let me know whether it is mentioned in the radius rfc that the client should validate the source address? Thanks & Best Regards, Kartik On Feb 18, 2008 6:01 PM, Alan DeKok <aland@deployingradius.com> wrote:
Kartik CDS wrote:
Radius client sends access-request to the ip address VIP The cluster is responding with IP1 or IP2 instead of VIP as the source address, should the radius client allow such a response ?
No. You need to use "udpfromto" in the server. See the "configure" flags.
I mean to say whether the radius client should validate the source address ?? [ I couldnt find anything related to this in the RFC, kindly help]
Yes, it needs to validate the source address.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kartik CDS wrote:
Thanks for the response Alan. But can you please let me know whether it is mentioned in the radius rfc that the client should validate the source address?
The wording may not be explicit, but aside from radius secrets being bound to a server IP & port, the client-generated radius ID numbers are bound to a server IP & port, and radius clients are *required* to ignore reply packets with no outstanding request for that IP/port/ID tuple (see RFC2865 sections 4.2. RFC5080 section 2.2.2 clarifies this. You need to use a different load-balancing setup; having the server reply from the VIP is fairly trivial in most cases. We do it. It's usually a case of ordering the load balancer to not translate the destination IP, binding an IP of $VIP/32 to the NIC and using the server listen {} statement.
Thanks & Best Regards, Kartik
On Feb 18, 2008 6:01 PM, Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>> wrote:
Kartik CDS wrote: > Radius client sends access-request to the ip address VIP > The cluster is responding with IP1 or IP2 instead of VIP as the source > address, should the radius client allow such a response ? d No. You need to use "udpfromto" in the server. See the "configure" flags.
> I mean to say whether the radius client should validate the source > address ?? [ I couldnt find anything related to this in the RFC, kindly > help]
Yes, it needs to validate the source address.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Kartik CDS -
Phil Mayers