Radclient receives response messages from different source port than destination port of request messages

Alan DeKok aland at deployingradius.com
Thu May 30 14:46:17 CEST 2013


rosario.mattera at accenture.com wrote:
> I would like to specify that I'm using radclient as a RADIUS proxy.

  Nonsense.  radclient is a client.  It's not a server.  It's not a proxy.

> I reach the RADIUS server through a load balancer.

  That's fine.

> The server uses ports other than 1812 and 1813 in its responses because the matching between requests and responses is done through the Proxy-State attribute.

  Then it's not a RADIUS server.  RADIUS servers don't work like that.

> This behavior is implemented in a very famous European Telco operator.

  That behavior is wrong.

  Maybe they wanted to do something special with their systems.  That's
fine.  But the way they did it shows that they have no idea how RADIUS
works.

> Is there no mechanism implemented in radclient to support this behavior?

  No.

> Can you confirm that the current implementation of radclient also uses the source port of the responses when matching requests and responses?

  radclient follows the RADIUS standards.  It matches requests and
responses via src/dst IP/port.  Doing anything else is broken.

  It sounds like whoever built the "very famous European Telco operator"
 network had no idea how RADIUS works.  Rather than doing something
simple (and widely used, and widely tested), they resorted to custom
solutions which are not maintainable.

  Alan DeKok.
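
The matching rule described in the reply above, as an added example that is not part of the original post and is not radclient's code: a reply is accepted only if it arrives from the exact IP/port the request was sent to (RFC 2865 says the ports are reversed in a reply), carries a pending ID, and has a valid Response Authenticator. The class and function names, addresses and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
class PendingRequests:
    """Outstanding requests keyed by (local addr, server addr, packet ID)."""
    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # key -> Request Authenticator

    def build_request(self, local, server, pkt_id, attrs=b""):
        req_auth = os.urandom(16)
        self.pending[(local, server, pkt_id)] = req_auth
        hdr = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
        return hdr + req_auth + attrs

    def match_response(self, data, source, local):
        """Return the matched key, or None when the reply must be dropped."""
        if len(data) < 20:
            return None
        _code, pkt_id, length = struct.unpack("!BBH", data[:4])
        if not 20 <= length <= len(data):
            return None
        key = (local, source, pkt_id)
        req_auth = self.pending.get(key)
        if req_auth is None:
            return None  # reply did not come from the address/port we sent to
        # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        signed = data[:4] + req_auth + data[20:length] + self.secret
        if not hmac.compare_digest(hashlib.md5(signed).digest(), data[4:20]):
            return None  # not produced by a holder of the shared secret
        del self.pending[key]
        return key

def build_reply(secret, request, attrs=b""):
    """Constructed server side, used only to produce a sample reply."""
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs

def demo():
    secret = b"testing123"  # constructed shared secret
    local, server = ("192.0.2.10", 40000), ("192.0.2.1", 1812)  # constructed
    client = PendingRequests(secret)
    reply = build_reply(secret, client.build_request(local, server, 7))
    other_port = client.match_response(reply, ("192.0.2.1", 20001), local)
    same_port = client.match_response(reply, server, local)
    return other_port, same_port
```

The same correctly signed reply is dropped when it arrives from port 20001 and accepted when it arrives from port 1812, which is the behavior the original poster observed with radclient.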

