Arran Cudbard-Bell | 2 May 2007 12:55

Client IP Address , Packet-Src-IP-Address

Hi,

Just had a thought.

Currently, with internal EAP proxying,

copy_request_to_tunnel = yes
use_tunneled_reply = yes

mean that when the contents of the EAP packet are proxied internally,
the attributes from the RADIUS packet get copied to the proxy request.

And that the final set of reply attributes is taken directly from the 
reply attributes sent back from the internal proxy.

Which means

you can use

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := "Eap-Internal"

         Autz-Type eap-internal {
                 mschap
                 # Grab NT-Password from directory for use in MSChap-V2
                 ldap
                 # Read Authorisation groups from SQL Server
                 sql
         }

Which speeds things up a great deal when doing EAP...

Alan DeKok | 2 May 2007 14:19

Re: Client IP Address , Packet-Src-IP-Address

Arran Cudbard-Bell wrote:
...
>          Autz-Type eap-internal {
>                  mschap
>                  # Grab NT-Password from directory for use in MSChap-V2
>                  ldap
>                  # Read Authorisation groups from SQL Server
>                  sql
>          }
>
> Which speeds things up a great deal when doing EAP...

  In the CVS head, I'm looking into adding a "tunnel is ready for
credentials" flag inside of the EAP module.  It will normally return
"updated" during ssl setup, and "ok" when the current packet needs
authentication credentials.

> Unfortunately this breaks anything which relies on Packet-Src-IP-Address 
> / Client-IP-Address
> 
> As they will be 127.0.0.1 *sigh*
> 
> Can you see any way of getting round this ?

  Hmm.... src/main/util.c has request_alloc_fake(), which initializes
the tunneled request.  It may be worth changing it to copy the outer
tunnel source/dest IP's and ports.

  Alan DeKok.

Arran Cudbard-Bell | 2 May 2007 17:23

Re: Client IP Address , Packet-Src-IP-Address


>   Hmm.... src/main/util.c has request_alloc_fake(), which initializes
> the tunneled request.  It may be worth changing it to copy the outer
> tunnel source/dest IP's and ports.
> 

So

 <at>  <at>  -385,8 +385,8  <at>  <at> 
     */
    request->packet->sockfd = -1;
    request->packet->src_ipaddr.af = AF_INET;
-  request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = 
htonl(INADDR_LOOPBACK);
-  request->packet->dst_ipaddr = request->packet->src_ipaddr;
+  request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = 
oldreq->packet->src_ipaddr.ipaddr.ip4addr.s_addr
+  request->packet->dst_ipaddr = htonl(INADDR_LOOPBACK);;
    request->packet->src_port = request->number >> 8;

    /*
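Review bot: the new dst_ipaddr line will not compile as written: `request->packet->dst_ipaddr = htonl(INADDR_LOOPBACK);;` assigns a bare 32-bit integer to the address struct whose `.af` and `.ipaddr.ip4addr.s_addr` members the removed lines were setting, and it carries a doubled semicolon, while the preceding `+` line that copies `oldreq->packet->src_ipaddr.ipaddr.ip4addr.s_addr` has no terminating semicolon at all. Set `dst_ipaddr.af` and `dst_ipaddr.ipaddr.ip4addr.s_addr` separately, as the removed code did for src_ipaddr. Copying only the IPv4 `s_addr` while `src_ipaddr.af = AF_INET` stays hard-coded also drops an IPv6 outer address; copying the whole `oldreq->packet->src_ipaddr` struct keeps family and address together. `src_port` is still derived from `request->number` rather than taken from the outer packet as suggested upthread, and `oldreq` is not shown being declared in this hunk, so confirm it is the outer request passed into request_alloc_fake().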
 <at>  <at>  -408,7 +408,7  <at>  <at> 
     *   Fill in the fake reply, based on the fake request.
     */
    request->reply->sockfd = request->packet->sockfd;
-  request->reply->dst_ipaddr = request->packet->src_ipaddr;
+  request->reply->dst_ipaddr = request->packet->dst_ipaddr;
    request->reply->dst_port = request->packet->src_port;
    request->reply->id = request->packet->id;
    request->reply->code = 0; /* UNKNOWN code */
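Review bot: switching `request->reply->dst_ipaddr` from `request->packet->src_ipaddr` to `request->packet->dst_ipaddr` points the fake reply at the loopback destination instead of back at the request's source, while the unchanged next line still takes `dst_port` from `request->packet->src_port`, so the reply's address and port now come from opposite ends of the fake request. A reply is addressed to the request's source; once the first hunk copies the outer client address into `src_ipaddr`, the original `request->reply->dst_ipaddr = request->packet->src_ipaddr;` already gives the reply the client address, so this hunk can be dropped.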
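Added example, not FreeRADIUS source and not code from anyone in this thread: a self-contained C model of the request_alloc_fake() change being discussed. All type and function names here (fake_ipaddr_t, fake_packet_t, fake_request_t, parse_ipaddr, ipaddr_equal, make_outer, fake_request_init, src_matches) are invented for the example and only loosely mirror the src_ipaddr / dst_ipaddr / src_port fields visible in the quoted patch. It copies the outer request's whole source address struct (family included) and source port into the inner request instead of a bare IPv4 s_addr, picks a loopback of the same family for the destination, and addresses the reply back to the request's source, so a Packet-Src-IP-Address style check inside the tunnel sees the NAS address rather than 127.0.0.1.

```c
/* Illustrative model of initialising a tunnelled ("fake") EAP request from
 * the outer request. Not FreeRADIUS code; names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

typedef struct {
    int af;                              /* AF_INET or AF_INET6 */
    union {
        struct in_addr  ip4addr;
        struct in6_addr ip6addr;
    } ipaddr;
} fake_ipaddr_t;

typedef struct {
    int           sockfd;
    fake_ipaddr_t src_ipaddr, dst_ipaddr;
    uint16_t      src_port, dst_port;
    int           id;
} fake_packet_t;

typedef struct {
    fake_packet_t packet;                /* request as received */
    fake_packet_t reply;                 /* reply being built */
    unsigned      number;
} fake_request_t;

/* Parse IPv4 or IPv6 text into a family-tagged address; -1 on failure. */
int parse_ipaddr(fake_ipaddr_t *out, const char *text)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &out->ipaddr.ip4addr) == 1)  { out->af = AF_INET;  return 0; }
    if (inet_pton(AF_INET6, text, &out->ipaddr.ip6addr) == 1) { out->af = AF_INET6; return 0; }
    return -1;
}

int ipaddr_equal(const fake_ipaddr_t *a, const fake_ipaddr_t *b)
{
    if (a->af != b->af) return 0;
    if (a->af == AF_INET)  return a->ipaddr.ip4addr.s_addr == b->ipaddr.ip4addr.s_addr;
    if (a->af == AF_INET6) return memcmp(&a->ipaddr.ip6addr, &b->ipaddr.ip6addr, sizeof(struct in6_addr)) == 0;
    return 0;
}

/* Loopback of the same family as `like`, so an IPv6 outer request is not
 * paired with a 127.0.0.1 destination. */
static fake_ipaddr_t loopback_like(const fake_ipaddr_t *like)
{
    fake_ipaddr_t a;
    memset(&a, 0, sizeof(a));
    a.af = like->af;
    if (like->af == AF_INET6) a.ipaddr.ip6addr = in6addr_loopback;
    else                      a.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
    return a;
}

/* Constructed outer request: what the server saw arrive from the NAS. */
int make_outer(fake_request_t *r, const char *nas, uint16_t nas_port,
               const char *server, uint16_t server_port)
{
    memset(r, 0, sizeof(*r));
    if (parse_ipaddr(&r->packet.src_ipaddr, nas) != 0) return -1;
    if (parse_ipaddr(&r->packet.dst_ipaddr, server) != 0) return -1;
    r->packet.src_port = nas_port;
    r->packet.dst_port = server_port;
    r->packet.id = 7;
    return 0;
}

/* The fix under discussion: inherit the outer source address and port
 * instead of hard-coding loopback. Returns -1 if the outer request has no
 * usable address family. */
int fake_request_init(fake_request_t *inner, const fake_request_t *outer, unsigned number)
{
    int af = outer->packet.src_ipaddr.af;
    if (af != AF_INET && af != AF_INET6) return -1;
    memset(inner, 0, sizeof(*inner));
    inner->number            = number;
    inner->packet.sockfd     = -1;                          /* never hits the wire */
    inner->packet.src_ipaddr = outer->packet.src_ipaddr;    /* whole struct, family too */
    inner->packet.src_port   = outer->packet.src_port;
    inner->packet.dst_ipaddr = loopback_like(&outer->packet.src_ipaddr);
    inner->packet.dst_port   = outer->packet.dst_port;
    inner->packet.id         = (int)(number & 0xff);
    /* Reply goes back to where the request came from: swap src/dst. */
    inner->reply.sockfd      = inner->packet.sockfd;
    inner->reply.src_ipaddr  = inner->packet.dst_ipaddr;
    inner->reply.src_port    = inner->packet.dst_port;
    inner->reply.dst_ipaddr  = inner->packet.src_ipaddr;
    inner->reply.dst_port    = inner->packet.src_port;
    inner->reply.id          = inner->packet.id;
    return 0;
}

/* What a "Packet-Src-IP-Address == <text>" check would evaluate on the inner request. */
int src_matches(const fake_request_t *r, const char *text)
{
    fake_ipaddr_t want;
    if (parse_ipaddr(&want, text) != 0) return 0;
    return ipaddr_equal(&r->packet.src_ipaddr, &want);
}

int main(void)
{
    fake_request_t outer, inner;
    make_outer(&outer, "192.0.2.10", 1645, "198.51.100.1", 1812);   /* constructed sample */
    fake_request_init(&inner, &outer, 0x1234);
    printf("inner src matches NAS: %d, matches 127.0.0.1: %d\n",
           src_matches(&inner, "192.0.2.10"), src_matches(&inner, "127.0.0.1"));
    return 0;
}
```

The one design point worth noting: copying the address struct wholesale rather than a single s_addr is what makes the IPv6 case and the family tag come along for free, and the reply is derived from the inner packet after the copy, so it never has to know whether the source was the NAS or loopback.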

Alan DeKok | 2 May 2007 18:38

Re: Client IP Address , Packet-Src-IP-Address

Arran Cudbard-Bell wrote:
...
> So
> 
>  <at>  <at>  -385,8 +385,8  <at>  <at> 
...
> ?

  Something like that, yes.

> Would it be worth making this change in the cvs head ?

  Very likely.  I'll see what I can do.

  Oh, the EAP module now returns "ok" in the authorize section for the
TLS methods, and "updated" or "noop" otherwise.  This allows the outer
tunnel sessions to avoid all of the nasty DB accesses for the TLS setup
packets.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Arran Cudbard-Bell | 3 May 2007 11:01

Re: Client IP Address , Packet-Src-IP-Address


>> Would it be worth making this change in the cvs head ?
>>     
>
>   Very likely.  I'll see what I can do.
>   
Excellent, thanks.
>   Oh, the EAP module now returns "ok" in the authorize section for the
> TLS methods, and "updated" or "noop" otherwise.  This allows the outer
> tunnel sessions to avoid all of the nasty DB accesses for the TLS setup
> packets.
>   
<g>

It makes EAP authentication insanely fast. This will probably be the
thing that gives people the biggest speed boost when upgrading *** > 2.0.
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>   