Query regarding Cluster configuration of Radius server

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 18 16:54:43 CET 2008


Kartik CDS wrote:
> Thanks for the response Alan.
> But can you please let me know whether it is mentioned in the radius rfc 
> that the client should validate the source address?

The wording may not be explicit, but aside from radius secrets being 
bound to a server IP & port, the client-generated radius ID numbers are 
bound to a server IP & port, and radius clients are *required* to ignore 
reply packets with no outstanding request for that IP/port/ID tuple (see 
RFC2865 section 4.2; RFC5080 section 2.2.2 clarifies this).

You need to use a different load-balancing setup; having the server 
reply from the VIP is fairly trivial in most cases. We do it. It's 
usually a case of ordering the load balancer to not translate the 
destination IP, binding an IP of $VIP/32 to the NIC and using the server 
listen {} statement.

> 
> Thanks & Best Regards,
> Kartik
> 
> On Feb 18, 2008 6:01 PM, Alan DeKok <aland at deployingradius.com 
> <mailto:aland at deployingradius.com>> wrote:
> 
>     Kartik CDS wrote:
>      > Radius client sends access-request to the ip address VIP
>      > The cluster is responding with IP1 or IP2 instead of VIP as the
>      > source address, should the radius client allow such a response ?
> 
>      No.  You need to use "udpfromto" in the server.  See the "configure"
>     flags.
> 
>      > I mean to say whether the radius client should validate the source
>      > address ?? [ I couldn't find anything related to this in the RFC,
>      > kindly help]
> 
>      Yes, it needs to validate the source address.
> 
>      Alan DeKok.
>     -
>     List info/subscribe/unsubscribe? See
>     http://www.freeradius.org/list/users.html
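The IP/port/ID check Phil describes, written out as an added example (not code from the original thread or from FreeRADIUS): a minimal RADIUS client-side reply validator that only accepts a reply if the source address and port match the server the request was sent to, the Identifier matches an outstanding request for that server, and the Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, attributes and the shared secret, per RFC 2865 section 3) verifies. The addresses, secret and Request Authenticator below are constructed sample values; a real client draws the Request Authenticator from a CSPRNG.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def build_request(identifier, request_auth, attributes=b""):
    """Build a minimal Access-Request: header, 16-byte Request Authenticator, attributes."""
    length = 20 + len(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth + attributes


def build_reply(code, identifier, request_auth, secret, attributes=b""):
    """Build a server reply whose Response Authenticator follows RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def validate_reply(outstanding, reply, src_addr, secret):
    """Client-side acceptance check for a reply datagram.

    outstanding maps (server_ip, server_port, identifier) -> Request Authenticator
    of the request still awaiting a reply. src_addr is the (ip, port) the datagram
    came from. Returns (accepted, reason). On acceptance the entry is consumed.
    """
    if len(reply) < 20:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False, "bad length field"
    reply = reply[:length]

    # A reply from IP1/IP2 when the request went to the VIP never matches this key,
    # so it is silently dropped: the tuple binds the reply to the request.
    key = (src_addr[0], src_addr[1], identifier)
    request_auth = outstanding.get(key)
    if request_auth is None:
        return False, "no outstanding request for %s:%d id %d" % key

    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "bad Response Authenticator"

    del outstanding[key]
    return True, "ok"


def demo():
    """Run the three cases from the thread against the validator."""
    secret = b"constructed-shared-secret"     # constructed sample value
    vip = ("192.0.2.10", 1812)                # VIP the client sent the request to
    ip1 = ("192.0.2.11", 1812)                # a cluster member's own address
    request_auth = bytes(range(16))           # constructed; use os.urandom(16) in practice
    ident = 42

    # Record the outstanding request under the address/port/ID it was sent to.
    outstanding = {(vip[0], vip[1], ident): request_auth}
    _request = build_request(ident, request_auth)
    reply = build_reply(ACCESS_ACCEPT, ident, request_auth, secret)

    return {
        # Cluster member answers from IP1 instead of the VIP: dropped.
        "from_member": validate_reply(dict(outstanding), reply, ip1, secret),
        # Reply from the VIP but with a different ID: no matching request, dropped.
        "from_vip_wrong_id": validate_reply(
            dict(outstanding), build_reply(ACCESS_ACCEPT, 7, request_auth, secret), vip, secret),
        # Reply from the VIP, right ID, but the secret does not verify: dropped.
        "from_vip_bad_secret": validate_reply(dict(outstanding), reply, vip, b"wrong-secret"),
        # Reply from the VIP with matching ID and authenticator: accepted.
        "from_vip": validate_reply(dict(outstanding), reply, vip, secret),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The source-address check is the first gate and the authenticator check the second; with a load balancer that lets IP1 reply directly, a correct client discards the reply at the first gate, which is why the fix belongs on the server side (replying from the VIP) rather than in the client.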