Hi Harshit,
On 20.01.21, 08:14, "Harshit Jain" hjain@arista.com wrote:
Hi Fabian,
> 1. Would it break the radius protocol? Regarding your question, I started looking at RFC6614 [https://tools.ietf.org/html/rfc6614] - TLS for Radius (Radsec). It states that - Due to the use of one single TCP port for all packet types, it is required that a RADIUS/TLS server signal which types of packets are supported on a server to a connecting peer. When an unwanted packet of type 'CoA-Request' or 'Disconnect-Request' is received, a RADIUS/TLS server needs to respond with a 'CoA-NAK' or 'Disconnect-NAK', respectively. It got me confused. Does this mean that the radius server should use the same TLS connection as auth/acct to send CoA requests instead of creating a new one? Since there is one single port, does this mean there should be a single TCP connection between client and server for all packet types?
Indeed a bit confusing, and I think these RFCs aren't fully aligned. The primary topic here is how to know which messages a server (or proxy) understands. It refers to the UDP case where you can use ICMP port unreachable responses to figure out if a port (and thus a specific message type) is not supported - which frankly, does not work in real life anyway since almost everybody blocks ICMP on firewalls.
Basically, you can always use multiple TCP connections (as you can always use multiple source ports for UDP, there are no restrictions on that), however the RFC implies that you might send a disconnect-request on the same connection as the original access-request, with reversed client/server roles. Even in a pure client/server setup (without proxy), by the time the radius server wants to send a disconnect-request, the TCP connection might be long gone and it needs to set up a new one (in reverse direction).
To that end, I might at least consider the possibility that CoA requests can arrive on an existing (outgoing) connection.
Regards, Fabian
-- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39
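The behaviour discussed in this thread, as an added example that is not part of the mailing-list exchange or of any RADIUS implementation: a RADIUS/TLS client that only supports Access-Request and Accounting-Request must still cope with a CoA-Request or Disconnect-Request arriving on its existing outgoing TLS connection. The code below frames one RADIUS packet off the stream by its length field, checks the RFC 5176 Request Authenticator (computed with the fixed RadSec secret "radsec" from RFC 6614), and answers an unwanted CoA/Disconnect request with the matching NAK carrying Error-Cause 406 (Unsupported Extension) and a correct Response Authenticator. The packet codes and attribute numbers are the standard RFC 2865/5176 values; the `handle_inbound` dispatch and the attribute values used for testing are constructed for this example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866 / RFC 5176).
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
DISCONNECT_REQUEST = 40
DISCONNECT_NAK = 42
COA_REQUEST = 43
COA_NAK = 45

ERROR_CAUSE = 101             # attribute type, RFC 5176 section 3.5
UNSUPPORTED_EXTENSION = 406   # Error-Cause value "Unsupported Extension", RFC 5176
RADSEC_SECRET = b"radsec"     # fixed shared secret mandated by RFC 6614 section 2.3

# Unwanted dynamic-authorization request -> NAK the RFC 6614 text asks for.
NAK_FOR = {COA_REQUEST: COA_NAK, DISCONNECT_REQUEST: DISCONNECT_NAK}


def parse_packet(data):
    """Frame one RADIUS packet off a TCP/TLS byte stream.

    Returns (code, identifier, authenticator, [(type, value), ...]) and raises
    ValueError on any inconsistent length so a malformed frame is dropped instead
    of being handled as a request. Bytes past the length field belong to the next
    packet on the stream and are ignored here."""
    if len(data) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096 or length > len(data):
        raise ValueError("bad RADIUS length")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(code, ident, attrs, secret=RADSEC_SECRET):
    """Build a CoA/Disconnect request the way the server side would (RFC 5176 2.3):
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Used here only to construct sample input."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def request_authenticator_valid(code, ident, authenticator, attrs, secret):
    """Recompute the RFC 5176 Request Authenticator and compare in constant time."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_nak(request_code, ident, request_authenticator, secret=RADSEC_SECRET):
    """Answer an unsupported CoA/Disconnect request with the matching NAK.
    Response Authenticator (RFC 2865 section 3, reused by RFC 5176) =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs([(ERROR_CAUSE, struct.pack("!I", UNSUPPORTED_EXTENSION))])
    header = struct.pack("!BBH", NAK_FOR[request_code], ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def handle_inbound(data, secret=RADSEC_SECRET,
                   supported=(ACCESS_REQUEST, ACCOUNTING_REQUEST)):
    """Decide what to do with a packet read from an existing RADIUS/TLS connection.

    Returns ("process", None) for a supported request type, ("nak", bytes) for an
    unwanted CoA/Disconnect request with a valid authenticator, and ("drop", None)
    for malformed frames, unknown codes, or a failed authenticator check
    (RFC 5176 says such requests are silently discarded)."""
    try:
        code, ident, auth, attrs = parse_packet(data)
    except ValueError:
        return "drop", None
    if code in supported:
        return "process", None
    if code in NAK_FOR:
        if not request_authenticator_valid(code, ident, auth, attrs, secret):
            return "drop", None
        return "nak", build_nak(code, ident, auth, secret)
    return "drop", None
```

A peer that does implement CoA would replace the `"nak"` branch with real session handling; the point of the example is that the demultiplexing decision is made per packet on the shared connection, not per TCP port, and that an unverified or malformed request never reaches the NAK path.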