----- Original Message -----
From: "Alexandru Coseru" <alex_spam@distinctgroup.net>
Sent: Wednesday, July 16, 2003 1:24 PM
Subject: Re: [Openh323gk-users] Bug in radius ?

> "So I put in Framed-IP-Address IP of the call origin, not destination..."
> Well, I guess that this is a security "bug"..
> If so, I have to associate the username "gigel" with both IPs....
> In Radius it would be:
>   gigel :
>       Framed-Ip-Address:192.168.0.135
>   gigel :
>       Framed-Ip-Address:192.168.0.136
> But .....
> If host 192.168.0.135 changes his alias from "alex" to gigel, then it
> will be authenticated in gatekeeper, and all the accounting for that IP
> would be done for user "gigel" ..........
> And so, the user with 192.168.0.135 would happily talk to everybody,
> because 192.168.0.136 is paying the bill.. :)

Real call authentication/authorization should take place only for
Access-Requests with Service-Type = Login, not Call-Check. But you
convinced me to change Framed-IP-Address behaviour, should be in cvs soon
along with NM fix.

Anyway, even with Framed-IP-Address being always associated with Username,
your network is not more secure at all. Imagine me behind NAT :) I change my
IP to 192.168.0.136, alias to gigel and sit talking happily to everybody too,
unless you have some firewall rules for each of your customers. I have never
liked alias authentication...

---
Michal Zygmuntowicz

_______________________________________________
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
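
The two cases discussed in this message, modelled as an added example (not GnuGk or RADIUS server code, and not written by either poster). The request dictionaries, the `SECRETS` table, the `Secret` field and all function names are assumptions; only the attribute names, the aliases and the two addresses come from the thread.

```python
import hmac

# Constructed tables. Aliases and addresses are the ones used in the thread.
USERS_AS_QUOTED = {"gigel": {"192.168.0.135", "192.168.0.136"}}  # both IPs under one name
USERS_BOUND = {"alex": {"192.168.0.135"}, "gigel": {"192.168.0.136"}}  # one IP per name
SECRETS = {"alex": "constructed-secret-a", "gigel": "constructed-secret-g"}  # assumption


def ip_alias_check(users, request):
    """Accept when the claimed alias lists the reported Framed-IP-Address."""
    return request["Framed-IP-Address"] in users.get(request["User-Name"], set())


def credential_check(users, secrets, request):
    """Accept only when the alias/IP pair matches and a per-user secret verifies."""
    expected = secrets.get(request["User-Name"])
    if expected is None or not ip_alias_check(users, request):
        return False
    return hmac.compare_digest(expected, request.get("Secret", ""))


def billed_user(users, request):
    """Account the call to the claimed alias if the IP/alias check passes."""
    return request["User-Name"] if ip_alias_check(users, request) else None


# Case 1: host 192.168.0.135 changes its alias from "alex" to "gigel".
ALIAS_SWAP = {"User-Name": "gigel", "Framed-IP-Address": "192.168.0.135"}
# Case 2: a host presents both the alias "gigel" and the address 192.168.0.136.
ADDRESS_TAKEN = {"User-Name": "gigel", "Framed-IP-Address": "192.168.0.136"}


def run_cases():
    return {
        "swap_quoted_table": billed_user(USERS_AS_QUOTED, ALIAS_SWAP),
        "swap_bound_table": billed_user(USERS_BOUND, ALIAS_SWAP),
        "address_taken_bound_table": billed_user(USERS_BOUND, ADDRESS_TAKEN),
        "address_taken_with_secret_check": credential_check(USERS_BOUND, SECRETS, ADDRESS_TAKEN),
    }


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case}: {outcome}")
```

Binding one address to each user name stops the alias swap, but a request carrying only an alias and an address still passes once both match, which is why the last case adds a per-user secret.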