Questions about proxy radius on multihomed host
Kostas Zorbadelos
kzorba at otenet.gr
Fri Dec 1 17:46:24 CET 2006
Hello to everyone.
I have a question regarding freeradius proxying. My setup is
freeradius 1.1.3 on Solaris 9. I have a very simple proxy
configuration. The setup is a bit 'weird' in the sense that I have a
freeradius server on the machine that acts as a proxy to another
radius server running on the same machine (different IP).
So the setup is described as
               Solaris 9 Host
----------------------------------------------
| IP1                                    IP2 |
| Freeradius <---Proxy---> Other Radius      |
|                                            |
----------------------------------------------
The Solaris host contains 2 IPs, freeradius is configured with the
listen directive to accept authentication requests on IP1, while the
other server is listening on IP2.
In the other radius, I have configured IP1 as a client, but I notice
several failures. My question is:
On a multihomed Solaris host, when radius packets are proxied, what is
their source IP? Is it IP1, or could it also be IP2?
I took a look at the sources where I see that in proxy.c a rad_send()
is used to actually send the packet. rad_send() uses sendto() unless
WITH_UDPFROMTO is defined in which case sendfromto() is used. In my
case, WITH_UDPFROMTO is undefined.
sendfromto() is defined in freeradius sources with comments that it
works on Linux and FreeBSD 5.x. I have not seen any configuration
option that sets the source address of outgoing packets, in case of
multihomed hosts. There is only the following comment in radiusd.conf:
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
Can I assume that outgoing packets use as source address the one
listed in the listen directive?
Thanks in advance,
Kostas
--
Kostas Zorbadelos
m at il contact: kzorba (at) otenet.gr
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
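The sendto() behaviour asked about above, as an added example that is not part of the original post and is not FreeRADIUS code: with plain BSD sockets, a sender that is not bound to a specific address gets its source IP from the kernel's route lookup, while a sender that bind()s to one address is seen by the peer with exactly that address. This matters because a RADIUS server matches clients by the source IP of the packet. The function name and the loopback addresses (stand-ins for the host's two IPs, assuming a Linux host where all of 127/8 is local) are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

static struct sockaddr_in addr_of(const char *ip, unsigned short port) {
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

/* Send one datagram to a receiver on dst_ip and return the source address the
 * receiver sees. bind_ip == NULL leaves the sender unbound, as plain sendto() does. */
const char *observed_source(const char *bind_ip, const char *dst_ip) {
    static char seen[INET_ADDRSTRLEN];
    const char *result = NULL;
    struct sockaddr_in dst = addr_of(dst_ip, 0), src, from;
    socklen_t len = sizeof dst, flen = sizeof from;
    char buf[8]; struct timeval tv = {2, 0};          /* 2 s receive timeout */
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) goto done;
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(rx, (struct sockaddr *)&dst, sizeof dst) < 0) goto done;
    if (getsockname(rx, (struct sockaddr *)&dst, &len) < 0) goto done; /* learn port */
    if (bind_ip) {                                    /* pin the source address */
        src = addr_of(bind_ip, 0);
        if (bind(tx, (struct sockaddr *)&src, sizeof src) < 0) goto done;
    }
    if (sendto(tx, "x", 1, 0, (struct sockaddr *)&dst, sizeof dst) != 1) goto done;
    if (recvfrom(rx, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen) < 0) goto done;
    result = inet_ntop(AF_INET, &from.sin_addr, seen, sizeof seen);
done:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}
int main(void) {
    /* 127.0.0.2 and 127.0.0.3 are constructed loopback stand-ins for the two host IPs */
    const char *s = observed_source(NULL, "127.0.0.2");
    printf("unbound sender:     peer sees %s\n", s ? s : "(error)");
    s = observed_source("127.0.0.3", "127.0.0.2");
    printf("bound to 127.0.0.3: peer sees %s\n", s ? s : "(error)");
    return 0;
}
```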