Source IP address for proxy requests

Peter Nixon listuser at peternixon.net
Tue Sep 26 16:04:25 CEST 2006


On Tue 26 Sep 2006 16:26, Nicolas Baradakis wrote:
> Peter Nixon wrote:
> > On Tue 26 Sep 2006 11:55, Nicolas Baradakis wrote:
> > > However, a proxy request is different, because it's a new outgoing
> > > packet. In this case, we don't force the source IP in FreeRADIUS and
> > > we shouldn't do so because the NAS and the realm server are possibly
> > > on a different network. (it depends on the local network configuration)
> > >
> > > The network configuration of the host is outside the scope of
> > > FreeRADIUS. The correct way to solve the problem is to fix the
> > > network routes on the host, so the outgoing requests have the
> > > desired source IP.
> >
> > Yes you are correct. Obviously I didn't read the thread in enough
> > depth. It does bring up the issue that we maybe should have an optional
> > proxy_source_ip config option..
>
> I don't think it's a good idea, because all the realm servers may not be
> on the same network. IMHO FreeRADIUS doesn't have to cope with the network
> configuration of the host: it only has to set the destination IP, and the
> rest is handled by the kernel.

It is not a critical option (for me) at present, but it is useful and it
should default to * of course. If someone doesn't have all their realm 
servers on the same "side" of the server then they should know that.

A more flexible option of course would be to have an internal attribute 
like "Proxy-Source-IP". Then it could be specified per request for people who
wish to..

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
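
Added example (not part of the original message and not FreeRADIUS code): a simplified model of the route lookup the thread says the kernel performs for an outgoing proxy packet, showing which source IP each realm server would see and where one global forced source address would differ from the routed one. The route table, realm names and addresses are constructed, and the model assumes only longest-prefix match with a per-route preferred source.

```python
import ipaddress

# Constructed routing table for a hypothetical two-homed proxy host.
# (destination prefix, egress interface, preferred source address on it)
ROUTES = [
    ("0.0.0.0/0", "eth0", "192.0.2.10"),
    ("198.51.100.0/24", "eth1", "198.51.100.10"),
]

# Constructed realm -> home server mapping (hypothetical names).
REALMS = {"example.org": "203.0.113.5", "example.net": "198.51.100.20"}


def select_source(dest, routes=ROUTES):
    """Longest-prefix match: return (interface, source) for an unbound socket."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


def audit_realms(realms=REALMS, forced_source=None, routes=ROUTES):
    """Report the source IP each realm server would see.

    forced_source models a single global proxy source setting; 'mismatch'
    is True when it is not the address the route would have chosen.
    """
    report = {}
    for realm, server in realms.items():
        iface, routed_src = select_source(server, routes)
        src = forced_source or routed_src
        report[realm] = {"server": server, "iface": iface,
                         "source": src, "mismatch": src != routed_src}
    return report


if __name__ == "__main__":
    for label, forced in (("routed", None), ("forced", "192.0.2.10")):
        for realm, row in audit_realms(forced_source=forced).items():
            print(label, realm, row)
```
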

