Query regarding Cluster configuration of Radius server
Phil Mayers
p.mayers at imperial.ac.uk
Mon Feb 18 16:54:43 CET 2008
Kartik CDS wrote:
> Thanks for the response Alan.
> But can you please let me know whether it is mentioned in the RADIUS RFC
> that the client should validate the source address?
The wording may not be explicit, but aside from RADIUS secrets being
bound to a server IP & port, the client-generated RADIUS ID numbers are
bound to a server IP & port, and RADIUS clients are *required* to ignore
reply packets with no outstanding request for that IP/port/ID tuple (see
RFC2865 section 4.2; RFC5080 section 2.2.2 clarifies this).
You need to use a different load-balancing setup; having the server
reply from the VIP is fairly trivial in most cases. We do it. It's
usually a case of ordering the load balancer to not translate the
destination IP, binding an IP of $VIP/32 to the NIC and using the
server's listen {} statement.
>
> Thanks & Best Regards,
> Kartik
>
> On Feb 18, 2008 6:01 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> Kartik CDS wrote:
> > RADIUS client sends an Access-Request to the IP address VIP.
> > The cluster is responding with IP1 or IP2 instead of VIP as the
> > source address; should the RADIUS client allow such a response?
> No. You need to use "udpfromto" in the server. See the "configure"
> flags.
>
> > I mean to say whether the RADIUS client should validate the source
> > address? [I couldn't find anything related to this in the RFC, kindly
> > help]
>
> Yes, it needs to validate the source address.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html