Hi,

it's a very bad idea to use link-local addresses. You should use a global or ULA address instead.

I don't *know* why this doesn't work, but it does with our global-scope addresses just fine, so I'm guessing it's the address type.

Especially since link-local addresses are only valid with an interface scope. So

"fe80::215:17ff:fed0:d278"

simply isn't an IPv6 address.

"fe80::215:17ff:fed0:d278%eth0"

is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this.

Greetings,

Stefan Winter

On 23.05.13 16:11, Michael Sherman wrote:
what does this do...

client fe80::215:17ff:fed0:d278 {
                secret = test
                shortname = test-net
                nastype = other
}

... ?

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Same :(


radiusd: #### Loading Clients ####
  client 127.0.0.1 {
         require_message_authenticator = no
         secret = "testing123"
         shortname = "localhost"
         nastype = "other"
  }
  client 10.10.0.0/16 {
         require_message_authenticator = no
         secret = "bigsecret"
         shortname = "test-net"
  }
  client fe80::215:17ff:fed0:d278 {
         require_message_authenticator = no
         secret = "bigsecret"
         shortname = "test-net"
         nastype = "other"
  }
...
radiusd: #### Opening IP addresses and Ports ####
listen {
         type = "auth"
         ipv6addr = :: IPv6 address [::]
         port = 0
}
listen {
         type = "acct"
         ipv6addr = :: IPv6 address [::]
         port = 0
}
listen {
         type = "control"
  listen {
         socket = "/usr/local/var/run/radiusd/radiusd.sock"
  }
}
listen {
         type = "auth"
         ipaddr = 127.0.0.1
         port = 18120
}
  ... adding new socket proxy address * port 54225
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
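
An added example, not part of the original thread and not FreeRADIUS code: a small pre-deployment check that flags `client` stanzas keyed on IPv6 link-local addresses, the case discussed above. The function names, the regex for stanza headers and the sample config are assumptions constructed for illustration; the check says nothing about whether the FreeRADIUS parser accepts a `%eth0` zone suffix.

```python
import ipaddress
import re

# Assumption: a stanza opens with "client <name> {" on one line.
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)


def classify(name):
    """Classify a client stanza name by address scope."""
    # Drop an optional "/prefix", then split off an RFC 4007 zone id
    # ("%eth0") by hand so this does not depend on the ipaddress module
    # accepting scoped literals.
    base, _, _prefix = name.partition("/")
    host, _, zone = base.partition("%")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "not-an-ip-literal"  # e.g. a hostname
    if addr.version == 6 and addr.is_link_local:  # fe80::/10
        return "link-local-scoped" if zone else "link-local-unscoped"
    return "ok"


def audit_clients(conf_text):
    """Return (client name, verdict) for every client stanza found."""
    return [(name, classify(name)) for name in CLIENT_RE.findall(conf_text)]


# Constructed sample: the three client names from the debug output above,
# plus the interface-scoped form quoted in the reply. Secrets are dummies.
SAMPLE_CONF = """
client 127.0.0.1 {
    secret = example
}
client 10.10.0.0/16 {
    secret = example
}
client fe80::215:17ff:fed0:d278 {
    secret = example
}
client fe80::215:17ff:fed0:d278%eth0 {
    secret = example
}
"""

if __name__ == "__main__":
    for name, verdict in audit_clients(SAMPLE_CONF):
        print(f"{verdict:20} {name}")
```

Any verdict other than `ok` marks a client entry to replace with a global or ULA address, as the reply recommends.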