NAS-IP-Address, rlm_perl, and loopback

Alan DeKok aland at deployingradius.com
Thu Aug 21 17:57:32 CEST 2008


Adam W. Sewell wrote:
> I'm having a couple of issues particularly pertaining
> to the NAS-IP-Address variable that is passed from the
> switch. When a client sends the auth-request, we find
> that the authorize function of our perl script is being
> executed multiple times for the same request.

  It's being run once per packet.  Go read the debug output.

> I would think that the authorize function would only be
> called once.

  For PAP, CHAP, and other authentication methods that only use one
round trip.

> This also leads into the second issue I'm having that when
> the perl script does run, it doesn't always pass the same
> data in the NAS-IP-Address variable. Half the time it is the
> correct information and half the time it is 127.0.0.1. 

  Go read the debug output.  The NAS-IP-Address is sent by the NAS.
It's not invented by the server.  There's no magic here.

  If the NAS-IP-Address is different from packet to packet, it's likely
because the NAS is *sending* it differently for each packet.

  If there are multiple packets for one "authentication" session, it's
because you're doing EAP... which takes multiple round trips.  Again,
read the debugging output to see what's going on.

  Perhaps you could try talking about what you *want* to have happen,
rather than wondering why the server doesn't work the way you expect.
The server is doing exactly the right thing for the authentication
protocol you're using, and is doing exactly what you told it to do.

  Alan DeKok.
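
The reply's point that NAS-IP-Address is a per-packet attribute sent by the NAS, and that one EAP login spans several Access-Requests, can be checked against captured packets. The following is an added example, not part of the original post or of FreeRADIUS: the function names are hypothetical, and the three packets are constructed sample data in the RFC 2865 wire format, with the second one given 127.0.0.1 to mirror the value reported in the question.

```python
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE = 1, 4, 79  # RFC 2865 / RFC 3579 types

def build_request(ident, attrs):
    """Constructed Access-Request with a zeroed authenticator (sample data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return (code, id, [(type, value), ...]) with strict length checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def summarize(packets):
    """One row per Access-Request: (id, user, NAS-IP-Address or None, has EAP-Message)."""
    rows = []
    for pkt in packets:
        code, ident, attrs = parse_attributes(pkt)
        if code != ACCESS_REQUEST:
            continue
        first = dict(reversed(attrs))  # first occurrence of each type wins
        nas = first.get(NAS_IP_ADDRESS)
        nas_ip = socket.inet_ntoa(nas) if nas is not None and len(nas) == 4 else None
        user = first.get(USER_NAME, b"").decode("utf-8", "replace")
        rows.append((ident, user, nas_ip, EAP_MESSAGE in first))
    return rows

# Constructed sample: three Access-Requests belonging to one EAP conversation.
SAMPLE = [
    build_request(i, [(USER_NAME, b"testuser"), (NAS_IP_ADDRESS, socket.inet_aton(ip)),
                      (EAP_MESSAGE, bytes([2, i, 0, 5, 1]))])  # made-up EAP bytes
    for i, ip in enumerate(["192.0.2.10", "127.0.0.1", "192.0.2.10"], start=1)
]
print(*summarize(SAMPLE), sep="\n")
```

Each row corresponds to one run of the module's authorize function, so the NAS-IP-Address column shows exactly what arrived in each packet.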



More information about the Freeradius-Users mailing list