RadAliasAuth and Framed-IP-Address question

Hello guys! Could anyone explain to me the Framed-IP-Address attribute
in a RadAliasAuth request?

I have gnugk on the 192.168.200.1 address, and the VPN server is also
here. Then I have a VPN client with address 192.168.200.2 for connecting
to the GK, and the client workstation also has a couple of other IP
addresses, for example 192.168.182.95 (as shown in the example below).

Here is the situation. I run NetMeeting to connect to the GK at
192.168.200.1. There is _only_ one way to reach this address: client
source 192.168.200.2; that is the rule.

GK debug:
---------

2004/01/05 00:26:48.757 2             RasSrv.cxx(2171)  GK      Read from 192.168.200.2:2509
2004/01/05 00:26:48.760 3             RasSrv.cxx(2184)  GK
registrationRequest {
    requestSeqNum = 1
    protocolIdentifier = 0.0.8.2250.0.2
    discoveryComplete = FALSE
    callSignalAddress = 1 entries {
      [0]=ipAddress {
        ip =  4 octets {
          c0 a8 b6 5f                                        ..._
        }
        port = 1720
      }
    }
    rasAddress = 1 entries {
      [0]=ipAddress {
        ip =  4 octets {
          c0 a8 b6 5f                                        ..._
        }
        port = 2509
      }
    }

    
You can see the correct address, 192.168.200.2, that the connection
comes from. You can also see that NetMeeting provides the address
192.168.182.95 (equal to [c0 a8 b6 5f] in hex). That is a NetMeeting
issue; maybe that is not correct behavior, because I could have 10 local
addresses and I do not know why NetMeeting chooses this one.

I am interested in the GK behavior. Let's see the request to the radius server:

Mon Jan  5 00:21:29 2004 : Debug: Thread 3 handling request 4, (1 handled so far)

        User-Name = "user"
        User-Password = "user"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "voip"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.95
        Cisco-AVPair = "h323-ivr-out=terminal-alias:user;"


You see that the GK provides 'rasAddress' as Framed-IP-Address, but that
is not correct to my mind. Am I wrong? I want to do authorization by
alias _and_ by the IP address the client connected from, but why should
I check junk addresses that a junk(?) client can form? So.. it is
possible to alias a 2nd fake IP address on the client workstation
interface, and RadAliasAuth will eat it successfully and will provide
full access to the account.

If I am right, there is quite a serious security threat. If not - is it
possible to include an option in the .ini file, like UseLinkIPAddress or
any other name you like :), which would force the GK to provide the real
connection address instead of rasAddress to the radius server?

Thank you!

-- 
Best regards,
 Sergey
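
The mismatch described in the message, between the address a RAS packet arrived from and the address the endpoint claims inside the RRQ, can be checked offline against a gatekeeper trace. This is an added example, not part of the original message and not GnuGK code; the function name audit_trace and the sample trace (constructed from the excerpt quoted above) are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the GK debug excerpt quoted in the message.
SAMPLE_TRACE = """\
2004/01/05 00:26:48.757 2             RasSrv.cxx(2171)  GK      Read from 192.168.200.2:2509
2004/01/05 00:26:48.760 3             RasSrv.cxx(2184)  GK
registrationRequest {
    callSignalAddress = 1 entries {
      [0]=ipAddress {
        ip =  4 octets {
          c0 a8 b6 5f                                        ..._
        }
        port = 1720
      }
    }
    rasAddress = 1 entries {
      [0]=ipAddress {
        ip =  4 octets {
          c0 a8 b6 5f                                        ..._
        }
        port = 2509
      }
    }
"""

READ_FROM = re.compile(r"Read from (\d+\.\d+\.\d+\.\d+):(\d+)")
FIELD = re.compile(r"^\s*(callSignalAddress|rasAddress) = \d+ entries")
OCTETS = re.compile(r"^\s*((?:[0-9a-f]{2} ){3}[0-9a-f]{2})\b")

def audit_trace(trace):
    """Return (transport source, {field: claimed address}, mismatching fields)."""
    source, field, claimed = None, None, {}
    for line in trace.splitlines():
        if m := READ_FROM.search(line):
            # Address the UDP packet really came from (not client-controlled payload).
            source = ipaddress.IPv4Address(m.group(1))
        elif m := FIELD.match(line):
            field = m.group(1)
        elif field and (m := OCTETS.match(line)):
            # Address the endpoint wrote into the RRQ, dumped as 4 hex octets.
            claimed[field] = ipaddress.IPv4Address(bytes.fromhex(m.group(1)))
            field = None
    mismatched = [name for name, ip in claimed.items() if ip != source]
    return source, claimed, mismatched

if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE))
```

A non-empty third element means the value that ended up in Framed-IP-Address was chosen by the endpoint rather than observed by the gatekeeper.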




_______________________________________________
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
