(PM) RADIUS Question, but don't shoot.

alex@nac.net
Fri, 19 Feb 1999 05:22:00 -0500 (EST)

Do not reply that this is a 'portmaster-radius' question, because it has
nothing to do with the RADIUS server. This is a Radius-on-PM3 implementation
question.

We run Merit RADIUS. We have recently begun to put loopback interfaces on
servers, and assign /32s to them that never move. We do this so it is easy
to move them.

For instance:

nitrogen:/etc/merit$ ifconfig -a
de0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 209.123.20.27 netmask 0xffffff00 broadcast 209.123.20.255
ether 00:40:05:41:7e:80
media: autoselect (10baseT/UTP) status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet 209.123.12.101 netmask 0xffffffff

209.123.12.101 is a /32 that is auth1.nac.net. We want to point the
portmasters to this, so that if the ethernet (de0) address changes, we
won't have to 'set auth bleh.bleh.bleh.bleh' on 75 portmasters.

The only reason I am posting this message is to ask the following
question: Does the portmaster care if the source address of the
access-reply packet is different than that of the ip address of "set auth
x.x.x.x" ?

I ask this because merit radius (and, in fact everyone I've seen except
IEA RadiusNT) is stupid and won't let you specify what interface or ip to
bind to on the machine.

e.g.:

dial1.new> set auth 209.123.12.101

Then, someone logs in:

nitrogen:/etc/merit$ tcpdump host dial1.new.nac.net
tcpdump: listening on de0
05:19:26.516756 dial1.new.nac.net.fujitsu-dtc > auth1.nac.net.radius: udp 129
05:19:26.534007 nitrogen.nac.net.radius > dial1.new.nac.net.fujitsu-dtc: udp 122

nitrogen.nac.net is the de0; auth1.nac.net is the alias on lo0.

Empirically, it seems to work fine. But I am curious to know if there are
any gotchas on this approach.

Thanks!

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Atheism is a non-prophet organization. I route, therefore I am.
Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
Father of the Network and Head Bottle-Washer
Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
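As an added illustration, not part of the original post or of Livingston's or Merit's code: the check a NAS can apply to a reply. RFC 2138's Response Authenticator binds an Access-Accept to the outstanding request's identifier, its Request Authenticator and the shared secret, regardless of which interface the server happened to send it from, so "reply source differs from 'set auth'" is a separate policy decision from "reply is authentic". The shared secret, identifier and addresses below are constructed for the example (the 209.123.x.x addresses are the ones from the post).

```python
import hashlib
import os
import struct

SHARED_SECRET = b"example-secret"      # constructed; not a real secret
CONFIGURED_AUTH = "209.123.12.101"     # the lo0 /32 given to 'set auth' in the post


def build_access_request(ident, attrs=b""):
    """Build a minimal RADIUS Access-Request (Code 1) with a random 16-byte
    Request Authenticator; returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    head = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth


def build_access_accept(ident, req_auth, secret, attrs=b""):
    """Build an Access-Accept (Code 2). Per RFC 2138 the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def check_reply(reply, src_ip, ident, req_auth, secret, configured=CONFIGURED_AUTH):
    """Validate a reply the way a NAS should: identifier must match the outstanding
    request and the Response Authenticator must verify under the shared secret.
    Returns (accepted, reason). A source address that differs from the configured
    server does not by itself make the reply inauthentic, so it is reported in the
    reason string for the caller to log or treat as a policy violation."""
    if len(reply) < 20:
        return False, "short packet"
    code, r_ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False, "length field does not match packet size"
    if r_ident != ident:
        return False, "identifier does not match outstanding request"
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    if reply[4:20] != expected:
        return False, "bad response authenticator (wrong secret or forged reply)"
    if src_ip != configured:
        return True, f"authenticator ok, but reply source {src_ip} != set auth {configured}"
    return True, "ok"
```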
