(PM) PM2ER/PM3 source address

Dick St.Peters (stpeters@NetHeaven.com)
Thu, 29 Jan 1998 13:46:38 -0500

PM2ER at a rural POP hosted on the premises of a local organization as
a barter arrangement - they pay for their Internet connection with
space and facilities for my POP.

This means the PM2ER is both NAS and CPE router, so it is configured
with W1 having an address in my administrative IP space and ether0
having an address in the host customer's IP address space.

Problem: RADIUS and syslog packets from the PM2ER sent out the W1 port
have the ether0 address as their source address.

This is not good! It makes these packets come from the customer's
address space.

PM3s do this too. Relatively unimportant things like pings from the
PMs get it right, with source address being that of the interface the
packet is sent out. Just the key admin things - things that most
especially ought to do it right - do it wrong.

Since I don't let packets with source addresses outside my admin space
get near my RADIUS servers, I spent a long morning chasing a lot of
dead ends trying to figure out why users could not get authenticated.

--
Dick St.Peters, stpeters@NetHeaven.com 
Gatekeeper, NetHeaven, Saratoga Springs, NY, 1-800-910-6671 (voice)
Saratoga/Albany/Amsterdam/BlueMountain/Cobleskill/Greenwich/
GlensFalls/LakePlacid/NorthCreek/Plattsburgh/...
	  First Internet service based in the 518 area code
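
A check that would have shortened the search described in this message, as an added example that is not part of the original post: it parses RADIUS requests captured outside the source-address filter and lists those whose source lies outside the admin space, together with the NAS-Identifier they carry. The prefixes, NAS names and packets are constructed, and the NAS is assumed to send a NAS-Identifier attribute.

```python
import ipaddress
import struct

ADMIN_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed admin space (documentation range)
RADIUS_PORTS = {1645, 1646, 1812, 1813}           # legacy and IANA-assigned UDP ports
RADIUS_CODES = {1: "Access-Request", 4: "Accounting-Request"}
NAS_IDENTIFIER = 32                               # RADIUS attribute type

def parse_radius(payload):
    """Return (code_name, attrs) for a RADIUS request, or None if malformed."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload) or code not in RADIUS_CODES:
        return None
    attrs, pos = {}, 20                           # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                           # truncated or bogus attribute
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return RADIUS_CODES[code], attrs

def filtered_radius(datagrams):
    """List (src, code_name, nas_id) for RADIUS requests a source filter would drop."""
    hits = []
    for src, dport, payload in datagrams:
        parsed = parse_radius(payload) if dport in RADIUS_PORTS else None
        if parsed and ipaddress.ip_address(src) not in ADMIN_NET:
            nas = parsed[1].get(NAS_IDENTIFIER, b"unknown").decode("ascii", "replace")
            hits.append((src, parsed[0], nas))
    return hits

def make_request(nas_id):
    """Build a constructed Access-Request carrying only a NAS-Identifier."""
    attr = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    return struct.pack("!BBH", 1, 7, 20 + len(attr)) + bytes(16) + attr

# Constructed capture taken outside the filter: (source IP, UDP dst port, payload).
SAMPLE = [
    ("192.0.2.10", 1645, make_request(b"pm3-main")),       # admin-space source: passes
    ("198.51.100.1", 1645, make_request(b"pm2er-rural")),  # customer-space source: dropped
    ("198.51.100.1", 514, b"<134>pm2er-rural: test"),      # syslog, not RADIUS: skipped
]

if __name__ == "__main__":
    for src, kind, nas in filtered_radius(SAMPLE):
        print(f"{kind} from {src} (NAS {nas}) is outside {ADMIN_NET}")
```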