Hi Harshit,
On 20.01.21, 08:14, "Harshit Jain" <hjain(a)arista.com> wrote:
Hi Fabian,
1. Would it break the radius protocol?
Regarding your question, I started looking at RFC6614 [https://tools.ietf.org/html/rfc6614] - TLS for Radius (Radsec). It states that -
Due to the use of one single TCP port for all packet types, it is required that a RADIUS/TLS server signal which types of packets are supported on a server to a connecting peer. When an unwanted packet of type 'CoA-Request' or 'Disconnect-Request' is received, a RADIUS/TLS server needs to respond with a 'CoA-NAK' or 'Disconnect-NAK', respectively.
It got me confused. Does this mean that the radius server should use the same TLS
connection as auth/acct to send CoA requests instead of creating a new one? Since there is
one single port, does this mean there should be a single TCP connection between client and
server for all packet types?
Indeed a bit confusing, and I think these RFCs aren't fully aligned. The primary topic here is how to know which messages a server (or proxy) understands. It refers to the UDP case, where you can use ICMP port unreachable responses to figure out if a port (and thus a specific message type) is not supported - which, frankly, does not work in real life anyway since almost everybody blocks ICMP on firewalls.
Basically, you can always use multiple TCP connections (as you can always use multiple source ports for UDP; there are no restrictions on that). However, the RFC implies that you might send a Disconnect-Request on the same connection as the original Access-Request, with reversed client/server roles. Even in a pure client/server setup (without proxy), by the time the RADIUS server wants to send a Disconnect-Request, the TCP connection might be long gone and it needs to set up a new one (in reverse direction).
To that end, I might at least consider the possibility that CoA requests can arrive on an existing (outgoing) connection.
Regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
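The behaviour discussed in the thread above, as an added example that is not part of either email: a peer receiving packets on a RADIUS/TLS (RFC 6614) connection frames them off the TCP stream by the Length field, and decides per packet code what to do, independently of which side opened the connection, so a CoA-Request arriving on a connection this side originally opened for Access-Requests is still answered. Unwanted CoA-Request / Disconnect-Request packets get the CoA-NAK / Disconnect-NAK the RFC requires, with the Response Authenticator computed over the fixed RADIUS/TLS shared secret "radsec". Including an Error-Cause 406 attribute in the NAK, the 4096-byte length cap, and the function names are this example's own choices; the sample requests are constructed inline.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 for Access/Accounting, RFC 5176 for CoA/Disconnect).
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
DISCONNECT_REQUEST = 40
DISCONNECT_NAK = 42
COA_REQUEST = 43
COA_NAK = 45

# RFC 6614 fixes the shared secret used for authenticators on RADIUS/TLS to "radsec".
RADSEC_SECRET = b"radsec"

# Which NAK answers which unwanted request (RFC 6614 section 2.5).
NAK_FOR = {COA_REQUEST: COA_NAK, DISCONNECT_REQUEST: DISCONNECT_NAK}

# Error-Cause 406 "Unsupported Extension" (RFC 5176). Carrying it in the NAK is this
# example's choice; RFC 6614 itself only requires the NAK.
ERROR_CAUSE_UNSUPPORTED_EXTENSION = 406


def read_packets(buf):
    """Split a TCP byte stream into complete RADIUS packets using the Length field.
    Returns (packets, unconsumed_tail); raises on an invalid Length so the caller
    can tear down a connection whose framing is broken."""
    packets = []
    while len(buf) >= 4:
        length = struct.unpack("!H", buf[2:4])[0]
        if length < 20 or length > 4096:  # RFC 2865 bounds; 4096 cap is our choice
            raise ValueError("invalid RADIUS Length field %d" % length)
        if len(buf) < length:
            break  # partial packet, wait for more bytes
        packets.append(bytes(buf[:length]))
        buf = buf[length:]
    return packets, bytes(buf)


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes) of one framed packet."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    return code, ident, pkt[4:20], pkt[20:]


def response_authenticator(code, ident, length, req_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code, ident, req_auth, attrs=b"", secret=RADSEC_SECRET):
    """Build a response whose authenticator binds it to the request it answers."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, req_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def verify_response(resp, req_auth, secret=RADSEC_SECRET):
    """Check a response's authenticator against the original Request Authenticator."""
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, len(resp), req_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)


def error_cause_attr(value):
    # Error-Cause is attribute type 101, a 4-octet integer (RFC 5176 section 3.5).
    return struct.pack("!BBI", 101, 6, value)


def dispatch(pkt, supported_codes):
    """Decide how to treat one packet received on a RADIUS/TLS connection.
    Only the packet code and this peer's supported codes matter, not who opened
    the TCP connection. Returns ("handle", code, None), ("nak", code, bytes)
    or ("drop", code, None)."""
    code, ident, req_auth, _attrs = parse_packet(pkt)
    if code in supported_codes:
        return ("handle", code, None)
    if code in NAK_FOR:
        nak = build_response(NAK_FOR[code], ident, req_auth,
                             error_cause_attr(ERROR_CAUSE_UNSUPPORTED_EXTENSION))
        return ("nak", code, nak)
    # Unwanted codes without a NAK counterpart are silently discarded, as RADIUS
    # does for invalid packets in general.
    return ("drop", code, None)


def make_request(code, ident, attrs=b""):
    """Constructed sample request with a random Request Authenticator (demo only)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + os.urandom(16) + attrs


if __name__ == "__main__":
    # An auth/acct-only server sees an Access-Request and then a CoA-Request on one
    # connection: the first is handled, the second is answered with a CoA-NAK.
    stream = make_request(ACCESS_REQUEST, 1) + make_request(COA_REQUEST, 2)
    for p in read_packets(stream)[0]:
        action, code, resp = dispatch(p, {ACCESS_REQUEST, ACCOUNTING_REQUEST})
        print(action, code, resp.hex() if resp else None)
```

The same `dispatch` is what a NAS would run on its own outgoing connection to the server, with `supported_codes` set to the CoA/Disconnect codes it accepts, which is the case Fabian raises in the last paragraph.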