Proxy with two interfaces configuration
Alan DeKok
aland at deployingradius.com
Fri Feb 13 09:56:36 CET 2009

D'AVELLA STEFANO wrote:
> All following IPv6 addresses are to be read with global scope (but as I
> said, if they were IPv4 it would be the same I think)
>
> Server address : 2001::400
> Proxy (interface to the server) 2001::300
> Proxy (interface to the client) 2000::300
> Client 2000:200
>
> Now when I try to run the test what happens is that the client sends
> the auth request, the proxy correctly forwards it to the server, and the
> server correctly authenticates the client. The problem is that the proxy
> sends the proxied message with the address 2000::300, not 2001::300.
> When the server tries to reply to the proxy, it tries to send the packet
> to 2000::300 but since it is a different network there is no route for it.
Then your routing tables are broken. You have a route FROM 2000::300
to the server. This is why that source IP is being chosen by the OS for
proxied packets. You don't, however, have a route BACK, which is why
the packets never make it back.
> I have been searching for a while in the users / radiusd.conf /
> clients.conf / proxy.conf for an option to set the proxy ip address when
> proxying messages. It seemed to me that I saw something like that, but
> if I did I just can't find it again.
You can't fix routing issues by editing FreeRADIUS configuration files.
> P.S: another quick question. Is it possible with some logging option (or
> in other ways) to save the attributes that the server adds to the auth
> accept message locally in a file in the proxy machine? I saw that there
> are some options to add/modify the attributes in the reply, but is it
> possible to save them in a file?
See the "detail" module.
Alan DeKok.
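
The source-address behaviour discussed in this thread can be checked from the proxy host. The following is an added example, not part of the original post or of FreeRADIUS: it asks the kernel which source IP it would pick toward a destination, then tests whether that source falls inside a prefix the far end can route back to. The function names, the /64 prefix length and the use of port 1812 are assumptions made for illustration.

```python
import ipaddress
import socket

RADIUS_AUTH_PORT = 1812  # assumed: standard RADIUS authentication port


def source_address_for(dest, port=RADIUS_AUTH_PORT):
    """Return the source IP the kernel would choose to reach `dest`
    (a literal IPv4/IPv6 address), or None if there is no route."""
    version = ipaddress.ip_address(dest).version
    family = socket.AF_INET6 if version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        try:
            # connect() on UDP only performs the route lookup and binds
            # the local address; no packet is sent.
            s.connect((dest, port))
        except OSError:
            return None
        return s.getsockname()[0]


def return_path_status(chosen_src, prefixes_server_can_reach):
    """Report whether the server has a route covering the source address
    the proxy's OS selected for proxied packets."""
    if chosen_src is None:
        return "no route to server"
    addr = ipaddress.ip_address(chosen_src)
    for prefix in prefixes_server_can_reach:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            return "ok"
    return "no return route to " + chosen_src


if __name__ == "__main__":
    # Addresses from the thread; the /64 is an assumed prefix length.
    server = "2001::400"
    server_routes = ["2001::/64"]
    chosen = source_address_for(server)
    print("kernel would use source:", chosen)
    print("return path:", return_path_status(chosen, server_routes))
    # The situation described in the thread, evaluated without a live network:
    print(return_path_status("2000::300", server_routes))
    print(return_path_status("2001::300", server_routes))
```

Run on the proxy host, the first two lines of output show the address the OS actually selects; comparing it against the server's routing table shows which side needs a route added.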