Page MenuHomePhabricator

Specify RADIUS source ip
Closed, ResolvedPublicFEATURE REQUEST

Description

RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of now the radius client used e.g. for L2TP VPN auth will bind to address *. Incoming connections to the freeradius server will use the nearest interface IP address pointing to the radius server - making it error prone on OSPF networks when a link fails.

Instead of allowing all IPs from a router to connect to the RADIUS server, we should implement support for a source-ip node.

Freeradius-client used in VyOS 1.2 supports binding to an IP address:

# local address from which radius packets have to be sent
bindaddr *

Cisco uses something similar in IOS:

BR1.xxx(config)#ip radius ?
  source-interface  Specify interface for source address in RADIUS packets

BR1.xxx(config)# ip radius source-interface loopback0

https://github.com/FreeRADIUS/freeradius-client/blob/master/etc/radiusclient.conf.in#L83-L84

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Will be filled on close
c-po created this task.Sep 4 2018, 5:49 AM
syncer triaged this task as Normal priority.Sep 25 2018, 2:07 PM
c-po claimed this task.Nov 9 2018, 3:09 PM
c-po closed this task as Resolved.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).