Re: [RADIATOR] BindAddress question
On 14/06/2011 15:21, Heikki Vatiainen wrote:

> Linux also has this special file to control the system wide behaviour:
> /proc/sys/net/ipv6/bindv6only

> If I do this to enable the option:
>
>     echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only
>
> the same configuration works:
>
>     BindAddress ipv6:::, 0.0.0.0

Works for me too! Thanks :-)

-- 
Dyonisius Visser
System Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
vis...@terena.org | www.terena.org

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] BindAddress question
Does this mean that we can't bind to IPv4 and IPv6 separately on Linux to not get v6 mapped v4 addresses?

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b

Re: [RADIATOR] BindAddress question
On 06/14/2011 11:45 AM, Alexander Hartmaier wrote:

> Does this mean that we can't bind to IPv4 and IPv6 separately on Linux to not get v6 mapped v4 addresses?

I think the mapped addresses are only seen when a wildcard IPv6 bind is done. If you bind to a non-wildcard IPv4 or IPv6 address, you should only see traffic that arrived over IPv4 or IPv6, respectively.

To control the mapped addresses, there is the IPV6_V6ONLY socket option, see http://tools.ietf.org/html/rfc3493#section-5.3 for more.

Linux also has this special file to control the system wide behaviour:
/proc/sys/net/ipv6/bindv6only

By default this seems to be 0. When it is 0, this will not work:

    BindAddress ipv6:::, 0.0.0.0

The result in logs is this:

    Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port ipv61645
    Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port ipv61646
    Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port 0.0.0.0:1645
    Tue Jun 14 16:15:07 2011: ERR: Could not bind authentication socket: Address already in use
    Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port 0.0.0.0:1646
    Tue Jun 14 16:15:07 2011: ERR: Could not bind accounting socket: Address already in use

If I do this to enable the option:

    echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only

the same configuration works:

    BindAddress ipv6:::, 0.0.0.0

    Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port ipv61645
    Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port ipv61646
    Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port 0.0.0.0:1645
    Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port 0.0.0.0:1646

When I used radpwtst to send requests to ipv6:::1 or 127.0.0.1 these Client clauses were matched, respectively:

    <Client ipv6:::1>
        Identifier ipv6-loopback
        Secret mysecret
        DupInterval 0
    </Client>

    <Client 127.0.0.1>
        Identifier ipv4-loopback
        Secret mysecret
        DupInterval 0
    </Client>

    # Use this to check which Client clause matched
    <Handler>
        <AuthBy FILE>
            Filename %D/users-%{Client:Identifier}
        </AuthBy>
    </Handler>

This may be useful for controlling IPv6 behaviour.

Thanks!
Heikki

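The bind conflict and the IPV6_V6ONLY fix described in the message above can be reproduced with plain UDP sockets. This is an added example, not part of the original post and not Radiator code; it assumes a Linux host, sets IPV6_V6ONLY per socket so the result does not depend on /proc/sys/net/ipv6/bindv6only, and its function names are hypothetical.

```python
import errno
import socket


def _v6_wildcard_socket(v6only):
    """UDP socket bound to [::] on an ephemeral port, or None without IPv6."""
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        # Set explicitly so the result does not depend on the system-wide
        # /proc/sys/net/ipv6/bindv6only value.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        s6.bind(("::", 0))
    except OSError:
        s6.close()
        return None
    return s6


def ipv4_wildcard_bind_ok(v6only):
    """After binding [::], can 0.0.0.0 still be bound on the same port?

    True: yes. False: EADDRINUSE. None: no usable IPv6 on this host.
    """
    s6 = _v6_wildcard_socket(v6only)
    if s6 is None:
        return None
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s4.bind(("0.0.0.0", s6.getsockname()[1]))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        s4.close()
        s6.close()


def sender_seen_by_dual_stack_socket():
    """Source address a dual-stack [::] socket reports for an IPv4 datagram."""
    s6 = _v6_wildcard_socket(v6only=False)
    if s6 is None:
        return None
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s6.settimeout(2.0)
        s4.sendto(b"probe", ("127.0.0.1", s6.getsockname()[1]))
        _, addr = s6.recvfrom(64)
        return addr[0]
    except OSError:
        return None
    finally:
        s4.close()
        s6.close()


if __name__ == "__main__":
    print("dual-stack [::], then 0.0.0.0:", ipv4_wildcard_bind_ok(False))
    print("v6-only [::], then 0.0.0.0:  ", ipv4_wildcard_bind_ok(True))
    print("IPv4 sender as seen on [::]: ", sender_seen_by_dual_stack_socket())
```

On Linux the first probe fails with "Address already in use" and the second succeeds, which matches the two startup logs in the message; the third shows why an IPv4 peer arrives at a dual-stack socket in `::ffff:a.b.c.d` form.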
Re: [RADIATOR] BindAddress question
Hi,

> Could it be the same as other apps, '::' ? I have now configured the hard coded addresses as a work around.

goodies/ipv6.cfg

    BindAddress ipv6:::

(this is basically saying, use ipv6: and bind to :: - like other daemons do)

please note that you must use ipv6: as the prefix to hostnames to use the IPv6 address or it will use ipv4 by default

alan

Re: [RADIATOR] BindAddress question
On 09/06/2011 12:48, Alan Buxey wrote:

> Hi,
>
>> Could it be the same as other apps, '::' ? I have now configured the hard coded addresses as a work around.
>
> goodies/ipv6.cfg
>
>     BindAddress ipv6:::
>
> (this is basically saying, use ipv6: and bind to :: - like other daemons do)

So this should make it listen for all IPv4 and IPv6:

    BindAddress 0.0.0.0,ipv6:::

I heard that this might cause problems with Linux kernels?

-- 
Dyonisius Visser

Re: [RADIATOR] BindAddress question
Hi,

> So this should make it listen for all IPv4 and IPv6:
>
>     BindAddress 0.0.0.0,ipv6:::

on Solaris that's certainly true

> I heard that this might cause problems with Linux kernels?

    BindAddress 0.0.0.0
    BindAddress ipv6:::

that works on the few Linux boxes that I've tested

alan

Re: [RADIATOR] BindAddress question
On 06/09/2011 01:56 PM, Dyonisius Visser wrote:

> On 09/06/2011 12:48, Alan Buxey wrote:
>
>> Hi,
>>
>>> Could it be the same as other apps, '::' ? I have now configured the hard coded addresses as a work around.
>>
>> goodies/ipv6.cfg
>>
>>     BindAddress ipv6:::
>>
>> (this is basically saying, use ipv6: and bind to :: - like other daemons do)
>
> So this should make it listen for all IPv4 and IPv6:
>
>     BindAddress 0.0.0.0,ipv6:::

Try

    BindAddress ipv6:::

At least on my Linux box, kernel 2.6.34, binding to :: covers both IPv4 and IPv6. If I specify both, IPv6 binding fails apparently because it tries to bind IPv4 again and since that's not possible anymore, it will not bind IPv6 either.

> I heard that this might cause problems with Linux kernels?

I do not know about problems, but if I remember correctly there has been confusion about one socket serving both protocols.

Just noticed Alan's message, too:

    BindAddress 0.0.0.0
    BindAddress ipv6:::

is the same as

    BindAddress ipv6:::

If these are reversed:

    BindAddress ipv6:::
    BindAddress 0.0.0.0

the net effect is the same as:

    BindAddress 0.0.0.0

In other words, BindAddress should be specified only once with all addresses as a parameter value.

-- 
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

Re: [RADIATOR] BindAddress question
Hi,

    BindAddress 0.0.0.0,ipv6:::

it's horribly broken on Linux isn't it? on Solaris this works fine in this incantation.

alan

Re: [RADIATOR] BindAddress question
On 06/09/2011 03:03 PM, Alan Buxey wrote:

>     BindAddress 0.0.0.0,ipv6:::
>
> it's horribly broken on Linux isn't it? on Solaris this works fine in this incantation.

Heh, I guess it can be said it's broken, or this is just one possibility to do it.

For those who are interested, see for example
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man4/inet6.4.html
and search for "Interaction between IPv4/v6 sockets"

There's also the mention about IPv4 mapped addresses, which is another nice thing about IPv6 and IPv4 interaction.

-- 
Heikki Vatiainen h...@open.com.au

Re: [RADIATOR] BindAddress question
Well, I installed a second instance on a dual stack host, and I tested various combinations:

BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work

BindAddress ipv6:::
IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)

BindAddress 0.0.0.0
This is the default. IPv4 clients work. IPv6 clients DO NOT work, and worse, nothing is logged by radiator, no request from unknown client 2001:610:blah:blah

BindAddress ipv6:::,0.0.0.0
Startup gives some errors, and only IPv6 works:

    Thu Jun 9 16:25:54 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
    Thu Jun 9 16:25:54 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
    Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port ipv61812
    Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port ipv61813
    Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
    Thu Jun 9 16:25:54 2011: ERR: Could not bind authentication socket: Address already in use
    Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
    Thu Jun 9 16:25:54 2011: ERR: Could not bind accounting socket: Address already in use
    Thu Jun 9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
    Thu Jun 9 16:25:55 2011: NOTICE: Request from unknown client 145.100.98.42: ignored

BindAddress 0.0.0.0,ipv6:::
Also some errors, only IPv4 works, and also nothing logged when an IPv6 client connects:

    Thu Jun 9 16:27:42 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
    Thu Jun 9 16:27:42 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
    Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
    Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
    Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port ipv61812
    Thu Jun 9 16:27:42 2011: ERR: Could not bind authentication socket: Address already in use
    Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port ipv61813
    Thu Jun 9 16:27:42 2011: ERR: Could not bind accounting socket: Address already in use
    Thu Jun 9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius

So the only way I can get radiator to accept requests from both protocols, is to hardcode the interface addresses.

Would it be possible to have radiator listen to 4+6 without hard coding? I think that option (whatever it looks like) should be the default.

If possible, can the behavior of the current default ('BindAddress 0.0.0.0') be changed so that it actually logs ignored incoming requests? I've spent quite some time figuring out what is going on, and only tcpdump revealed that requests are actually reaching my box.

Thanks :-)

-- 
Dyonisius Visser

Re: [RADIATOR] BindAddress question
hi,

I can confirm exactly the same behaviour on Linux boxes here. hardcoded is the only way to have both working. Solaris can have both on single line and it works.

a nice patch for 4.8 to arrive? :-)

alan

Re: [RADIATOR] BindAddress question
On 06/09/2011 05:37 PM, Dyonisius Visser wrote:

> Well, I installed a second instance on a dual stack host, and I tested various combinations:

Thanks for the summary.

> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
> I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>
> BindAddress ipv6:::
> IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)

This should work if you specify your client like this:

    Client ipv6::::192.87.30.32

Since the request arrived over IPv4 but was delivered to the application by an IPv6 wildcard socket, the IPv4 address is presented as an IPv6 address. See http://tools.ietf.org/html/rfc4291#section-2.5.5 section 2.5.5.2. IPv4-Mapped IPv6 Address.

The purpose of this mapping is to let the application know whether the message was received over IPv6 or IPv4, since the socket can handle both protocols.

> BindAddress 0.0.0.0
> This is the default. IPv4 clients work. IPv6 clients DO NOT work, and worse, nothing is logged by radiator, no request from unknown client 2001:610:blah:blah
>
> BindAddress ipv6:::,0.0.0.0
> Startup gives some errors, and only IPv6 works:
>
>     Thu Jun 9 16:25:54 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>     Thu Jun 9 16:25:54 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>     Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port ipv61812
>     Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port ipv61813
>     Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>     Thu Jun 9 16:25:54 2011: ERR: Could not bind authentication socket: Address already in use
>     Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>     Thu Jun 9 16:25:54 2011: ERR: Could not bind accounting socket: Address already in use
>     Thu Jun 9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>     Thu Jun 9 16:25:55 2011: NOTICE: Request from unknown client 145.100.98.42: ignored
>
> BindAddress 0.0.0.0,ipv6:::
> Also some errors, only IPv4 works, and also nothing logged when an IPv6 client connects:
>
>     Thu Jun 9 16:27:42 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>     Thu Jun 9 16:27:42 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>     Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>     Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>     Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port ipv61812
>     Thu Jun 9 16:27:42 2011: ERR: Could not bind authentication socket: Address already in use
>     Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port ipv61813
>     Thu Jun 9 16:27:42 2011: ERR: Could not bind accounting socket: Address already in use
>     Thu Jun 9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>
> So the only way I can get radiator to accept requests from both protocols, is to hardcode the interface addresses.
>
> Would it be possible to have radiator listen to 4+6 without hard coding? I think that option (whatever it looks like) should be the default.
>
> If possible, can the behavior of the current default ('BindAddress 0.0.0.0') be changed so that it actually logs ignored incoming requests? I've spent quite some time figuring out what is going on, and only tcpdump revealed that requests are actually reaching my box.
>
> Thanks :-)

-- 
Heikki Vatiainen h...@open.com.au

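The "unknown client" rejection explained in the reply above comes from comparing an IPv4-mapped peer address (RFC 4291 section 2.5.5.2) against a client list keyed on the plain IPv4 address. The following is an added example, not part of the original post and not how Radiator implements client lookup; the client table, identifiers and function names are hypothetical, and the addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed client table: network -> identifier. The identifiers are
# hypothetical; the addresses are the ones quoted in the thread.
CLIENTS = {
    ipaddress.ip_network("192.87.30.32/32"): "nas-v4",
    ipaddress.ip_network("2001:610:148:dead::/64"): "nas-v6",
}


def canonical_peer(peer):
    """Parse a peer address, unwrapping ::ffff:a.b.c.d to plain IPv4."""
    addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop any zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def match_client(peer, normalise=True):
    """Identifier of the most specific matching client, or None.

    With normalise=False the peer is compared exactly as the socket
    reported it, which is the failing case from the thread.
    """
    addr = canonical_peer(peer) if normalise else ipaddress.ip_address(peer)
    best = None
    for net, ident in CLIENTS.items():
        # Only compare within one address family; a mapped address that
        # was not unwrapped never matches an IPv4 entry.
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ident)
    return best[1] if best else None


if __name__ == "__main__":
    for peer in ("192.87.30.32", "::ffff:192.87.30.32",
                 "2001:610:148:dead::31", "::ffff:145.100.98.42"):
        print(peer, "raw:", match_client(peer, normalise=False),
              "normalised:", match_client(peer))
```

Normalising once, before both the lookup and the log line, keeps a single client entry valid for either socket type and makes the logged address the one an operator would search for.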
Re: (RADIATOR) BindAddress question
Hello Jason -

On Fri, 04 Aug 2000, Jason J. Horton wrote:

> Is it possible to bind to more than one IP address per installation?

No - but it is possible to run multiple copies of Radiator, each on a different IP address and/or port number.

hth

Hugh