NAS-IP vs srcIP
James J J Hooper
jjj.hooper at bristol.ac.uk
Thu Apr 1 23:12:09 CEST 2010
--On 01 April 2010 09:39 -0700 Marlon Duksa <mduksa at gmail.com> wrote:
> Hi everyone -
> Can anyone think of a reason why the NAS-IP and the scr-IP of the
> access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to
> the IP address other than the src-ip of the NAS that is used in reqular
> FreeRadius accounting/authorization packets. The source IP address of the
> NAS is normally the native interface address from which access-req was
> sent (but it can be configurable).
>
> The NAS-IP would be used to address NAS in CoA requests sent from the
> FreeRadius. We need this behavior to address certain deployment
> requirements.
Radius proxying!
An incoming radius packet may come via a proxy. Therefore that packet's
src.ip = the proxies IP.
The NAS-IP-Address attribute is set to whatever the NAS wants to send.
Whether you can address a COA to the NAS-IP-Address depends on whether:
* The NAS chose/was configured to send the IP it's COA listener is bound to
in the NAS-IP-Address attribute.
* Whether you can access that IP/port directly - If your NAS is configured
only to talk via a RADIUS proxy, and everything else is firewalled out,
direct replies (COA or otherwise) won't work.
-James
--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk http://www.jamesjj.net
--
More information about the Freeradius-Users
mailing list