From: Alan T. DeKok
Date: Mon, 12 Oct 2009 11:17:26 +0000 (+0200)
Subject: Don't use source IP for EAP packets.
X-Git-Tag: release_2_1_8~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e468b658949a22e62fec6b601f8f3c8573398950;p=thirdparty%2Ffreeradius-server.git
Don't use source IP for EAP packets. We control State, so it should be unique, too
---
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index e835607bd73..9b55c262c6b 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -84,10 +84,20 @@ static int eap_handler_cmp(const void *a, const void *b)
 if (one->eap_id < two->eap_id) return -1;
 if (one->eap_id > two->eap_id) return +1;
- rcode = fr_ipaddr_cmp(&one->src_ipaddr, &two->src_ipaddr);
+ rcode = memcmp(one->state, two->state, sizeof(one->state));
 if (rcode != 0) return rcode;
- return memcmp(one->state, two->state, sizeof(one->state));
+ /*
+ * As of 2.1.8, we don't key off of source IP. This
+ * a NAS to send packets load-balanced (or fail-over)
+ * across multiple intermediate proxies, and still have
+ * EAP work.
+ */
+ if (fr_ipaddr_cmp(&one->src_ipaddr, &two->src_ipaddr) != 0) {
+ DEBUG("WARNING: EAP packets are arriving from two different upstream servers. Has there been a proxy fail-over?")
+ }
+
+ return 0;
 }
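Review bot: The added `DEBUG("WARNING: ...")` call inside the new `if (fr_ipaddr_cmp(...) != 0)` block has no terminating semicolon before the closing brace, which will most likely break the build unless the DEBUG macro supplies its own; it should read `DEBUG("WARNING: EAP packets are arriving from two different upstream servers. Has there been a proxy fail-over?");`. With the source address dropped from the comparison, `eap_id` plus `State` is all that binds an incoming packet to an existing handler, yet the mismatch is reported only through DEBUG, so a server running without debugging would presumably record nothing when a session is continued from a different address. Consider emitting that warning through the normal log path, and confirming that State is generated unpredictably rather than merely uniquely, since it now acts as the session's only bearer value. The body of eap_handler_cmp starts before the hunk, so how `one` and `two` are derived is not visible here.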