That's the way gnugk behaves. All (not only radius) authentication/accounting modules and status line (CDRs, etc.) display source signalling address passed in RAS messages or the signaling Setup message. Providing the real address would require some source code reengineering, but I think this would be a useful feature, so I will put it on my todo list :)

----- Original Message -----
From: "Sergey Sysoev" <lists@avtf.org>
Sent: Sunday, January 04, 2004 7:49 PM

> Hello guys! Could anyone explain to me the Framed-IP-Address attribute
> in the RadAliasAuth request?
>
> I have gnugk on the 192.168.200.1 address, also a VPN server here. Then I
> have a VPN client with address 192.168.200.2 for connection to the GK, and
> the client workstation also has a couple of other IP addresses, for
> example 192.168.182.95 (as shown in the example below).
>
> You may see the situation. I run NetMeeting to connect to the 192.168.200.1
> GK. There is _only_ one way to reach this address - client source
> 192.168.200.2, that is the rule.
>
> GK debug:
> ---------
>
> 2004/01/05 00:26:48.757 2 RasSrv.cxx(2171) GK Read from 192.168.200.2:2509
> 2004/01/05 00:26:48.760 3 RasSrv.cxx(2184) GK
> registrationRequest {
>   requestSeqNum = 1
>   protocolIdentifier = 0.0.8.2250.0.2
>   discoveryComplete = FALSE
>   callSignalAddress = 1 entries {
>     [0]=ipAddress {
>       ip = 4 octets {
>         c0 a8 b6 5f    ..._
>       }
>       port = 1720
>     }
>   }
>   rasAddress = 1 entries {
>     [0]=ipAddress {
>       ip = 4 octets {
>         c0 a8 b6 5f    ..._
>       }
>       port = 2509
>     }
>   }
>
>
> You may see the correct address 192.168.200.2 the connection comes from. You may see
> that NetMeeting provides the 192.168.182.95 address (equal to [c0 a8 b6 5f]
> in hex). That is a NetMeeting issue, maybe that is not correct behavior
> because I can have 10 local addresses and I do not know why NetMeeting
> chooses so..
>
> I am interested in GK behavior.
> Let's see the request to the radius server:
>
> Mon Jan 5 00:21:29 2004 : Debug: Thread 3 handling request 4, (1 handled so far)
>
>   User-Name = "user"
>   User-Password = "user"
>   NAS-IP-Address = 127.0.0.1
>   NAS-Identifier = "voip"
>   NAS-Port-Type = Virtual
>   Service-Type = Login-User
>   Framed-IP-Address = 192.168.182.95
>   Cisco-AVPair = "h323-ivr-out=terminal-alias:user;"
>
>
> You see that the GK provides 'rasAddress' as Framed-IP-Address, but that is
> not correct to my mind. Am I wrong? I want to make authorization by
> alias _and_ the IP address the client connected from, but why should I check
> junk addresses that a junk(?) client can form? So.. it is possible to
> alias a 2nd fake IP address at the client workstation interface and
> RadAliasAuth will eat it successfully and will provide full access to the
> account.
>
> If I am right there is a quite serious security threat. If not - is it
> possible to include an option in the .ini file like UseLinkIPAddress or any
> other name you like :), which would force the GK to provide the real
> connection address instead of rasAddress to the radius server?
>
> Thank you!
>
> --
> Best regards,
> Sergey

_______________________________________________
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/