RE: Failure authenticate using IPv6
Using global IPv6 addresses worked. Thanks for the help.

Mike

> -----Original Message-----
> From: freeradius-users-bounces+michael.sherman=exfo@lists.freeradius.org
> [mailto:freeradius-users-bounces+michael.sherman=exfo@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Friday, May 24, 2013 9:57 AM
> To: FreeRadius users mailing list
> Subject: Re: Failure authenticate using IPv6
>
> Stefan Winter wrote:
> > I don't *know* why this doesn't work, but it does with our global-scope
> > addresses just fine, so I'm guessing it's the address type.
> >
> > Especially since link-local addresses are only valid with an interface
> > scope.
>
> Exactly.
>
> > "fe80::215:17ff:fed0:d278%eth0" is the valid address. I don't know if the
> > FreeRADIUS address parser is prepared to handle such interface-scoped
> > addresses. There's not much use case for this.
>
> FreeRADIUS calls getaddrinfo, which *should* parse link-local
> addresses. I guess...
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Re: Failure authenticate using IPv6
Stefan Winter wrote:
> I don't *know* why this doesn't work, but it does with our global-scope
> addresses just fine, so I'm guessing it's the address type.
>
> Especially since link-local addresses are only valid with an interface
> scope.

Exactly.

> "fe80::215:17ff:fed0:d278%eth0" is the valid address. I don't know if the
> FreeRADIUS address parser is prepared to handle such interface-scoped
> addresses. There's not much use case for this.

FreeRADIUS calls getaddrinfo, which *should* parse link-local addresses. I guess...

Alan DeKok.
Re: Failure authenticate using IPv6
On 05/24/2013 05:18 AM, Stefan Winter wrote:
> So "fe80::215:17ff:fed0:d278" simply isn't an IPv6 address.

Very true.

> "fe80::215:17ff:fed0:d278%eth0" is the valid address. I don't know if the
> FreeRADIUS address parser is prepared to handle such interface-scoped
> addresses. There's not much use case for this.

Not sure I could agree with that; I can think of a bunch of use-cases for LL. In particular, a nice property of LL is that you know the request definitely came from the same link, which could be useful in some proxying scenarios, e.g. a 2-level ORPS hierarchy.

But you're right that in general, using a global address makes more sense.
Re: Failure authenticate using IPv6
Hi,

it's a very bad idea to use link-local addresses. You should use a global or ULA address instead.

I don't *know* why this doesn't work, but it does with our global-scope addresses just fine, so I'm guessing it's the address type.

Especially since link-local addresses are only valid with an interface scope. So "fe80::215:17ff:fed0:d278" simply isn't an IPv6 address. "fe80::215:17ff:fed0:d278%eth0" is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this.

Greetings,

Stefan Winter

Am 23.05.13 16:11, schrieb Michael Sherman:
> > what does this do...
> >
> > client fe80::215:17ff:fed0:d278 {
> >   secret = test
> >   shortname = test-net
> >   nastype = other
> > }
> >
> > ... ?
> >
> > alan
>
> Same :(
>
> radiusd: Loading Clients
>  client 127.0.0.1 {
>    require_message_authenticator = no
>    secret = "testing123"
>    shortname = "localhost"
>    nastype = "other"
>  }
>  client 10.10.0.0/16 {
>    require_message_authenticator = no
>    secret = "bigsecret"
>    shortname = "test-net"
>  }
>  client fe80::215:17ff:fed0:d278 {
>    require_message_authenticator = no
>    secret = "bigsecret"
>    shortname = "test-net"
>    nastype = "other"
>  }
> ...
> radiusd: Opening IP addresses and Ports
> listen {
>    type = "auth"
>    ipv6addr = ::
>    IPv6 address [::]
>    port = 0
> }
> listen {
>    type = "acct"
>    ipv6addr = ::
>    IPv6 address [::]
>    port = 0
> }
> listen {
>    type = "control"
>  listen {
>    socket = "/usr/local/var/run/radiusd/radiusd.sock"
>  }
> }
> listen {
>    type = "auth"
>    ipaddr = 127.0.0.1
>    port = 18120
> }
> ... adding new socket proxy address * port 54225
> Listening on authentication address :: port 1812
> Listening on accounting address :: port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address :: port 1814
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
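The point Stefan makes above (a link-local address is only meaningful together with an interface scope, so "fe80::215:17ff:fed0:d278" on its own does not identify a peer) can be shown with a small model of a client lookup. The following is an added example written for this thread, not code from the FreeRADIUS project and not a description of how FreeRADIUS's own clients.conf matching works. It assumes a toy client table (`Client`, `load_clients`, `lookup_client`, `address_kind` are hypothetical names) in which a link-local entry only matches a request whose source was received on the same interface, which is the zone the kernel reports as `sin6_scope_id`; a global or ULA entry needs no zone at all. The sample clients mirror the entries in the posted debug output plus a zone-qualified and a global variant, and are constructed for the example.

```python
# Added example for this thread (not FreeRADIUS code and not its actual client
# lookup): a toy model of matching a RADIUS request's source address against a
# client list, showing why a link-local client entry written without a zone id
# is ambiguous and why a global or ULA address avoids the problem.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")


@dataclass(frozen=True)
class Client:                # hypothetical model of one clients.conf entry
    shortname: str
    network: Net             # a host entry is stored as a /32 or /128
    zone: Optional[str]      # interface the entry is bound to (link-local only)
    secret: str


def parse_client_addr(text: str) -> Tuple[Net, Optional[str]]:
    """Parse 'addr', 'addr/len' or 'addr%zone' from a client entry.

    The '%zone' suffix (the interface scope) is split off by hand so the
    example does not depend on the scope support ipaddress gained in 3.9.
    """
    zone: Optional[str] = None
    if "%" in text:
        text, zone = text.split("%", 1)
    net = ipaddress.ip_network(text, strict=False)
    if zone is not None and not (net.version == 6 and net.network_address in LINK_LOCAL):
        raise ValueError("a zone id only makes sense on a link-local (fe80::/10) address")
    return net, zone


def address_kind(text: str) -> str:
    """Classify a client entry's address the way the thread argues about it."""
    net, zone = parse_client_addr(text)
    if net.version == 4:
        return "ipv4"
    if net.network_address in LINK_LOCAL:
        # Every link has its own fe80::/10 namespace, so without a zone the
        # address can exist on several interfaces and identifies no single peer.
        return "link-local" if zone else "link-local-without-zone"
    if net.network_address in ULA:
        return "ula"
    return "global"


def lookup_client(clients: List[Client], src_addr: str, src_zone: Optional[str]) -> Optional[Client]:
    """Longest-prefix match of a packet's source against the client list.

    src_zone models the interface the kernel reports for a link-local source
    (sin6_scope_id); it is always present for such a source, so an entry
    configured without a zone can never match one. This is the rule of the
    toy model, not a statement about FreeRADIUS internals.
    """
    src = ipaddress.ip_address(src_addr)
    if src.version == 6 and src in LINK_LOCAL and src_zone is None:
        raise ValueError("a link-local source is always scoped to an interface")
    best: Optional[Client] = None
    for c in clients:
        if c.network.version != src.version or src not in c.network:
            continue
        if c.network.network_address in LINK_LOCAL and c.zone != src_zone:
            continue                      # right address, wrong (or missing) zone
        if best is None or c.network.prefixlen > best.network.prefixlen:
            best = c
    return best


def load_clients(entries: List[Tuple[str, str, str]]) -> List[Client]:
    """Build Client objects from (shortname, address, secret) tuples."""
    clients = []
    for shortname, addr, secret in entries:
        net, zone = parse_client_addr(addr)
        clients.append(Client(shortname, net, zone, secret))
    return clients


# Constructed sample mirroring the thread's debug output plus two variants.
SAMPLE_CLIENTS = load_clients([
    ("localhost", "127.0.0.1", "testing123"),
    ("test-net", "10.10.0.0/16", "test"),
    ("goya", "fe80::215:17ff:fed0:d278", "test"),             # as posted: no zone
    ("goya-eth0", "fe80::215:17ff:fed0:d278%eth0", "test"),   # bound to one interface
    ("goya-global", "2001:db8:10::/48", "test"),              # the kind of entry that worked
])


if __name__ == "__main__":
    for addr, zone in [("fe80::215:17ff:fed0:d278", "eth0"),
                       ("fe80::215:17ff:fed0:d278", "eth1"),
                       ("2001:db8:10::5", None),
                       ("10.10.20.7", None)]:
        hit = lookup_client(SAMPLE_CLIENTS, addr, zone)
        print(addr, zone, "->", hit.shortname if hit else "unknown client")
```

Run stand-alone, the script prints the first request matching `goya-eth0`, the same address arriving on `eth1` rejected as an unknown client, and the global and IPv4 sources matching without any zone, which is the behaviour the thread converged on by moving to global addresses. Unrelated to the address match but visible in the same debug output: all three entries carry `require_message_authenticator = no`, which is worth revisiting once the clients actually authenticate.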
RE: Failure authenticate using IPv6
> what does this do...
>
> client fe80::215:17ff:fed0:d278 {
>   secret = test
>   shortname = test-net
>   nastype = other
> }
>
> ... ?
>
> alan

Same :(

radiusd: Loading Clients
 client 127.0.0.1 {
   require_message_authenticator = no
   secret = "testing123"
   shortname = "localhost"
   nastype = "other"
 }
 client 10.10.0.0/16 {
   require_message_authenticator = no
   secret = "bigsecret"
   shortname = "test-net"
 }
 client fe80::215:17ff:fed0:d278 {
   require_message_authenticator = no
   secret = "bigsecret"
   shortname = "test-net"
   nastype = "other"
 }
...
radiusd: Opening IP addresses and Ports
listen {
   type = "auth"
   ipv6addr = ::
   IPv6 address [::]
   port = 0
}
listen {
   type = "acct"
   ipv6addr = ::
   IPv6 address [::]
   port = 0
}
listen {
   type = "control"
 listen {
   socket = "/usr/local/var/run/radiusd/radiusd.sock"
 }
}
listen {
   type = "auth"
   ipaddr = 127.0.0.1
   port = 18120
}
... adding new socket proxy address * port 54225
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Re: Failure authenticate using IPv6
Hi,

> Here is the entry from the clients.conf:
>
> client goya {
>   ipv6addr = fe80::215:17ff:fed0:d278
>   # netmask = 128
>   secret = test
>   shortname = test-net
> }

what does this do...

client fe80::215:17ff:fed0:d278 {
  secret = test
  shortname = test-net
  nastype = other
}

... ?

alan
Failure authenticate using IPv6
Hi All,

I'm testing freeradius server version 2.2.0. It worked fine using IPv4. When I switched to IPv6 I got the following error:

Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 41189

Here is the entry from the clients.conf:

client goya {
  ipv6addr = fe80::215:17ff:fed0:d278
  # netmask = 128
  secret = test
  shortname = test-net
}

Radtest command used, with output:

radtest -6 test test fe80::21b:78ff:fe40:1de1 0 test
Sending Access-Request of id 143 to fe80::21b:78ff:fe40:1de1 port 1812
   User-Name = "test"
   User-Password = "test"
   NAS-IPv6-Address = ::1
   NAS-Port = 0
   Message-Authenticator = 0x

Tcpdump on server:

[root@jackass ~]# tcpdump -i eth0 host fe80::21b:78ff:fe40:1de1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:40:27.693362 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor adv: tgt is fe80::21b:78ff:fe40:1de1
16:40:27.693704 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
16:40:32.692677 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor sol: who has fe80::215:17ff:fed0:d278
16:40:32.694009 fe80::215:17ff:fed0:d278 > fe80::21b:78ff:fe40:1de1: icmp6: neighbor adv: tgt is fe80::215:17ff:fed0:d278
16:40:32.697159 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
16:40:37.702304 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86

Ifconfig on server:

[root@jackass ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1B:78:40:1D:E1
          inet addr:10.10.20.208  Bcast:10.10.20.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:78ff:fe40:1de1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11032790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:282990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2421527725 (2.2 GiB)  TX bytes:116875391 (111.4 MiB)
          Interrupt:209

Here are the related logs from radius -X:

radiusd: Loading Clients
 client 127.0.0.1 {
   require_message_authenticator = no
   secret = "testing123"
   shortname = "localhost"
   nastype = "other"
 }
 client 10.10.0.0/16 {
   require_message_authenticator = no
   secret = "test"
   shortname = "test-net"
 }
 client goya {
   ipv6addr = fe80::215:17ff:fed0:d278 IPv6 address [fe80::215:17ff:fed0:d278]
   require_message_authenticator = no
   secret = "test"
   shortname = "test-net"
 }
...
radiusd: Opening IP addresses and Ports
listen {
   type = "auth"
   ipv6addr = ::
   IPv6 address [::]
   port = 0
}
listen {
   type = "acct"
   ipv6addr = ::
   IPv6 address [::]
   port = 0
}
listen {
   type = "control"
 listen {
   socket = "/usr/local/var/run/radiusd/radiusd.sock"
 }
}
listen {
   type = "auth"
   ipaddr = 127.0.0.1
   port = 18120
}
... adding new socket proxy address * port 53193
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140

Thanks in advance,

Mike