VMware Horizon Community
wstemb (Contributor)

Access Point 2.8.1, Radius authentication, Access Request NAS-IP-Address= 127.0.0.1

Why does VMware Access Point 2.8.1 (the same applies to 2.9.0), when authenticating against a RADIUS server, present itself with the 127.0.0.1 address in the Access-Request?

Is it possible to force the real IP address of the virtual appliance?

From the packet dump (Access Point -> RADIUS):

Code: Access-Request
....
Attribute Value Pairs:
    AVP:l=6 t=NAS-IP-Address(4) 127.0.0.1
   ...

markbenson (VMware Employee)

No. It's not possible. The value of NAS-IP-Address is not configurable or changeable to the real IP address. The source IP address in the RADIUS Access-Request UDP datagram is set to the UAG (Access Point) IP address and that is the value that is used by a RADIUS server for selection of the shared secret and for sending the RADIUS response.

We may provide configuration options for this in future, but I'm just answering this for the current versions of Unified Access Gateway and Access Point.

wstemb (Contributor)

Thank you.

But isn't the 127.0.0.1 (localhost) in the NAS-IP-Address of the VMware Access Point a wrong thing to do?

From RFC 2865 - Remote Authentication Dial In User Service (RADIUS), section 5.4 NAS-IP-Address:

  Description

  This Attribute indicates the identifying IP Address of the NAS
  which is requesting authentication of the user, and SHOULD be
  unique to the NAS within the scope of the RADIUS server.
  NAS-IP-Address is only used in Access-Request packets. Either
  NAS-IP-Address or NAS-Identifier MUST be present in an
  Access-Request packet.

I have a RADIUS server which authorizes clients differently by user group and by the NAS-IP-Address field. In this way (returning localhost) it can't discriminate the Access Point from a real localhost request (or it must be done through workarounds).

I think the right way would be to return the real IP address of the VMware Access Point (even without having it configurable!).

markbenson (VMware Employee), accepted solution

This support may be added in a future version - i.e. have the option to have it disguised, set to the real IP address of Access Point for any of the 3 NICs (depending on which one is used for the RADIUS communication) or to allow it to be specified as any specific IP address.

I was just answering the question for current shipping UAG 2.9 and previous AP versions. For selecting shared secret and replying to RADIUS requests, the source IP address in the UDP/IP packet is used.

Mark

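For anyone checking the same behaviour on their own RADIUS server, here is a small added example (not VMware's code and not any RADIUS server's code) that decodes an RFC 2865 Access-Request, extracts NAS-IP-Address / NAS-Identifier, enforces the "one of them MUST be present" rule quoted above, and then selects the client entry the way Mark describes: by the UDP source address of the datagram, with a loopback NAS-IP-Address flagged as unusable for per-NAS policy. The packet bytes, the appliance address 192.0.2.10 and the client table are constructed for the demo; `build_access_request`, `select_client` and the other names are this example's own.

```python
"""
Decode a RADIUS Access-Request (RFC 2865 framing) and check the NAS-IP-Address
attribute the way a RADIUS server operator would when diagnosing the behaviour
in this thread: the attribute says 127.0.0.1 while the UDP source address is
the real appliance address.

Added example code; not VMware's and not a RADIUS server's implementation.
All packets and addresses below are constructed test input.
"""
import struct
from ipaddress import ip_address

ACCESS_REQUEST = 1          # RFC 2865 packet code
ATTR_NAS_IP_ADDRESS = 4     # RFC 2865 section 5.4
ATTR_NAS_IDENTIFIER = 32    # RFC 2865 section 5.32


def build_access_request(nas_ip, identifier=7):
    """Build a minimal Access-Request carrying only NAS-IP-Address (constructed input)."""
    avp = struct.pack("!BB4s", ATTR_NAS_IP_ADDRESS, 6, ip_address(nas_ip).packed)
    authenticator = bytes(16)  # zeroed: only attribute parsing is exercised here
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(avp))
    return header + authenticator + avp


def parse_radius(packet):
    """Return (code, identifier, [(type, value_bytes), ...]); raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match the datagram")
    attrs = []
    off = 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad AVP length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, ident, attrs


def nas_identity(packet):
    """Extract NAS-IP-Address and NAS-Identifier; enforce the RFC 2865 5.4 presence rule."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    nas_ip = next((str(ip_address(v)) for t, v in attrs
                   if t == ATTR_NAS_IP_ADDRESS and len(v) == 4), None)
    nas_id = next((v.decode("utf-8", "replace") for t, v in attrs
                   if t == ATTR_NAS_IDENTIFIER), None)
    if nas_ip is None and nas_id is None:
        raise ValueError("Access-Request carries neither NAS-IP-Address nor NAS-Identifier")
    return nas_ip, nas_id


def select_client(packet, udp_src, clients):
    """
    Select the client entry (shared secret / policy group) by UDP source address,
    which is what the thread says servers use. NAS-IP-Address is reported only as
    a diagnostic; a loopback value is flagged because it cannot identify the NAS.
    """
    nas_ip, nas_id = nas_identity(packet)
    warnings = []
    if nas_ip and ip_address(nas_ip).is_loopback:
        warnings.append("NAS-IP-Address is loopback; it cannot distinguish this NAS")
    elif nas_ip and nas_ip != udp_src:
        warnings.append("NAS-IP-Address differs from the UDP source address")
    client = clients.get(udp_src)
    if client is None:
        warnings.append("unknown UDP source; a real server must silently discard this")
    return {"client": client, "nas_ip": nas_ip, "nas_id": nas_id, "warnings": warnings}


# Constructed client table: the appliance lives on 192.0.2.10 (TEST-NET-1, documentation range)
CLIENTS = {"192.0.2.10": {"name": "uag", "secret": "example-secret", "group": "external"}}

if __name__ == "__main__":
    # Reproduces the dump in the question: NAS-IP-Address=127.0.0.1, real source 192.0.2.10
    pkt = build_access_request("127.0.0.1")
    print(select_client(pkt, "192.0.2.10", CLIENTS))
```

Run as-is, the script prints the selected client entry together with the loopback warning; feeding it a capture where NAS-IP-Address matches the source address produces no warning, which is the behaviour the original poster was asking for.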