A simple proxy for the RADIUS protocol
Kilobyte22 6a9486c75c Improve documentation in example configuration. 6 months ago
radius-types Initial Commit, working prototype 2 years ago
src Add README and make it actually do what it's supposed to do 2 years ago
.gitignore Initial Commit, working prototype 2 years ago
Cargo.lock Add README and make it actually do what it's supposed to do 2 years ago
Cargo.toml Add README and make it actually do what it's supposed to do 2 years ago
README.md Update readme 2 years ago
config.example.toml Improve documentation in example configuration. 6 months ago

README.md

Simple RADIUS Proxy

Why?

I have a scenario where I want to grab some attributes from a RADIUS connection between a wireless access point and the actual RADIUS server. This is a highly specialized proxy to do exactly that. It might get more features (realm routing, load balancing, etc.) in the future, but not right now. Eventually I'll pull the implementation of the RADIUS protocol out into a separate crate, but that's further down the roadmap.

Features

  • Forwards RADIUS requests to another RADIUS server, re-encrypting everything with the correct secret
  • Allows hooks to be called. Each hook gets all known RADIUS attributes passed as environment variables. Hooks run in the background, so forwarding doesn't wait for the hook to terminate

Building

cargo build --release

Running

Rename config.example.toml to config.toml and adjust whatever you need. Put the file in the working directory, then just run the binary. Yes, this is still very crude. Expect improvement.

Caveats

  • No checks of any authenticators yet. Depending on what you do, you'll be susceptible to packet forging attacks. Then again, RADIUS security is a joke anyway. Use IPsec.
  • Not all specified attributes are known to the proxy. Unknown attributes will not be re-encrypted (as not all attributes are encrypted in the first place), so you might have to write a custom vendor specification
  • No resending of lost messages and no local state purging yet
  • The parser is too forgiving of wrong length bytes. It currently ignores them and attempts to parse anyway; it should throw an error
  • No proper error handling
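
The length-byte caveat above, as an added example that is not code from this repository: a strict parser that rejects inconsistent RADIUS packet and attribute lengths (per RFC 2865) instead of parsing anyway. The names parse_strict, ParseError, Packet and sample_request are hypothetical, and the sample packet is constructed.

```rust
// Added example (not the proxy's parser): strict RFC 2865 length checks.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort,                                 // fewer than the 20 header bytes
    BadPacketLength(u16),                     // Length outside 20..=4096 or past the datagram
    BadAttrLength { offset: usize, len: u8 }, // attribute Length < 2 or overruns the packet
    TruncatedAttr(usize),                     // type byte without a length byte
}
#[derive(Debug, PartialEq)]
pub struct Packet<'a> {
    pub code: u8,
    pub identifier: u8,
    pub authenticator: &'a [u8],
    pub attributes: Vec<(u8, &'a [u8])>, // (type, value) pairs
}

pub fn parse_strict(buf: &[u8]) -> Result<Packet<'_>, ParseError> {
    if buf.len() < 20 {
        return Err(ParseError::TooShort);
    }
    let declared = u16::from_be_bytes([buf[2], buf[3]]);
    let len = declared as usize;
    if len < 20 || len > 4096 || len > buf.len() {
        return Err(ParseError::BadPacketLength(declared));
    }
    let body = &buf[20..len]; // octets past Length are padding and are ignored
    let (mut attributes, mut pos) = (Vec::new(), 0usize);
    while pos < body.len() {
        if pos + 2 > body.len() {
            return Err(ParseError::TruncatedAttr(20 + pos));
        }
        let (typ, alen) = (body[pos], body[pos + 1]);
        if alen < 2 || pos + alen as usize > body.len() {
            return Err(ParseError::BadAttrLength { offset: 20 + pos, len: alen });
        }
        attributes.push((typ, &body[pos + 2..pos + alen as usize]));
        pos += alen as usize;
    }
    Ok(Packet { code: buf[0], identifier: buf[1], authenticator: &buf[4..20], attributes })
}

// Constructed sample: Access-Request (code 1), id 7, zeroed authenticator, User-Name "bob".
pub fn sample_request() -> Vec<u8> {
    let mut p = vec![1, 7, 0, 25];
    p.extend_from_slice(&[0u8; 16]);
    p.extend_from_slice(&[1, 5, b'b', b'o', b'b']);
    p
}
fn main() { println!("{:?}", parse_strict(&sample_request())); }
```

Offsets in the errors are counted from the start of the datagram, so a rejected packet can be logged with the position of the bad length byte.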