Re: Failure authenticate using IPv6

2013-05-24 Thread Phil Mayers

On 05/24/2013 05:18 AM, Stefan Winter wrote:

> simply isn't an IPv6 address

Very true.

> fe80::215:17ff:fed0:d278%eth0
>
> is the valid address. I don't know if the FreeRADIUS address parser is
> prepared to handle such interface-scoped addresses. There's not much use
> case for this.

Not sure I could agree with that; I can think of a bunch of use-cases
for LL. In particular, a nice property of LL is that you know the
request definitely came from the same link, which could be useful in
some proxying scenarios e.g. 2-level ORPS hierarchy.

But you're right that in general, using a global address makes more sense.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Failure authenticate using IPv6

2013-05-24 Thread Michael Sherman
Using global IPv6 addresses worked. Thanks for the help.

Mike

> -Original Message-
> From: freeradius-users-
> bounces+michael.sherman=exfo@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+michael.sherman=exfo@lists.freeradius.org] On Behalf Of
> Alan DeKok
> Sent: Friday, May 24, 2013 9:57 AM
> To: FreeRadius users mailing list
> Subject: Re: Failure authenticate using IPv6
>
> Stefan Winter wrote:
> > I don't *know* why this doesn't work, but it does with our global-scope
> > addresses just fine, so I'm guessing it's the address type.
> >
> > Especially since link-local addresses are only valid with an interface
> > scope.
>
>   Exactly.
>
> > is the valid address. I don't know if the FreeRADIUS address parser is
> > prepared to handle such interface-scoped addresses. There's not much use
> > case for this.
>
>   FreeRADIUS calls getaddrinfo, which *should* parse link-local
> addresses.  I guess...
>
>   Alan DeKok.


RE: Failure authenticate using IPv6

2013-05-23 Thread Michael Sherman

> what does this do...
>
> client fe80::215:17ff:fed0:d278 {
>   secret = test
>   shortname = test-net
>   nastype = other
> }
>
> ... ?
>
> alan

Same :(


radiusd:  Loading Clients 
 client 127.0.0.1 {
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
 }
 client 10.10.0.0/16 {
require_message_authenticator = no
secret = bigsecret
shortname = test-net
 }
 client fe80::215:17ff:fed0:d278 {
require_message_authenticator = no
secret = bigsecret
shortname = test-net
nastype = other
 } 
...
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipv6addr = :: IPv6 address [::]
port = 0
}
listen {
type = acct
ipv6addr = :: IPv6 address [::]
port = 0
}
listen {
type = control
 listen {
socket = /usr/local/var/run/radiusd/radiusd.sock
 }
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
 ... adding new socket proxy address * port 54225
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown
client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown
client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown
client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.


Re: Failure authenticate using IPv6

2013-05-23 Thread Stefan Winter

Hi,

it's a very bad idea to use link-local addresses. You should use a 
global or ULA address instead.


I don't *know* why this doesn't work, but it does with our global-scope 
addresses just fine, so I'm guessing it's the address type.


Especially since link-local addresses are only valid with an interface 
scope. So


fe80::215:17ff:fed0:d278

simply isn't an IPv6 address.

fe80::215:17ff:fed0:d278%eth0

is the valid address. I don't know if the FreeRADIUS address parser is 
prepared to handle such interface-scoped addresses. There's not much use 
case for this.


Greetings,

Stefan Winter

On 23.05.13 16:11, Michael Sherman wrote:

> > what does this do...
> >
> > client fe80::215:17ff:fed0:d278 {
> >   secret = test
> >   shortname = test-net
> >   nastype = other
> > }
> >
> > ... ?
> >
> > alan

> Same :(
>
> radiusd:  Loading Clients 
>   client 127.0.0.1 {
>  require_message_authenticator = no
>  secret = testing123
>  shortname = localhost
>  nastype = other
>   }
>   client 10.10.0.0/16 {
>  require_message_authenticator = no
>  secret = bigsecret
>  shortname = test-net
>   }
>   client fe80::215:17ff:fed0:d278 {
>  require_message_authenticator = no
>  secret = bigsecret
>  shortname = test-net
>  nastype = other
>   }
> ...
> radiusd:  Opening IP addresses and Ports 
> listen {
>  type = auth
>  ipv6addr = :: IPv6 address [::]
>  port = 0
> }
> listen {
>  type = acct
>  ipv6addr = :: IPv6 address [::]
>  port = 0
> }
> listen {
>  type = control
>   listen {
>  socket = /usr/local/var/run/radiusd/radiusd.sock
>   }
> }
> listen {
>  type = auth
>  ipaddr = 127.0.0.1
>  port = 18120
> }
>   ... adding new socket proxy address * port 54225
> Listening on authentication address :: port 1812
> Listening on accounting address :: port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address :: port 1814
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown
> client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown
> client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown
> client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
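The point Stefan makes above is that a link-local address only identifies a host together with the interface it is reachable on, so `fe80::215:17ff:fed0:d278` on its own is ambiguous while `fe80::215:17ff:fed0:d278%eth0` is not. The following Python is an added illustration written for this thread; it is not FreeRADIUS code and does not describe how FreeRADIUS's own client lookup works. It parses clients.conf-style `ipaddr`/`ipv6addr` values with an optional zone index and prefix, flags link-local client entries that carry no zone index, and matches a source address in the form Python's socket layer reports it on Linux (a host string with the zone index appended, e.g. `fe80::...%eth0`). The client names, secrets and addresses mirror the ones posted in this thread; the sockaddr tuple and the functions `parse_client_entry`, `config_warnings`, `find_client` and `decide` are constructed for the example. It assumes Python 3.9 or later, where `ipaddress.IPv6Address` understands a `%zone` suffix.

```python
"""Client lookup with IPv6 link-local zone handling.

Added illustration for this thread; not FreeRADIUS code and not a description
of its client lookup. Assumes Python 3.9+ (ipaddress scope_id support).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ClientEntry:
    name: str                 # clients.conf block name, e.g. "goya"
    network: Network          # address or prefix the entry covers (zone stripped)
    scope_id: Optional[str]   # zone index such as "eth0" for link-local entries, else None
    secret: str


def parse_client_entry(name: str, address: str, secret: str) -> ClientEntry:
    """Parse an ipaddr/ipv6addr value: 'addr', 'addr/prefix', 'addr%zone' or 'addr%zone/prefix'.

    The zone index is split off before the network object is built, because a
    prefix never carries a scope; it is kept separately for matching.
    """
    addr_part, slash, prefix = address.partition("/")
    bare, _, zone = addr_part.partition("%")
    net = ipaddress.ip_network(f"{bare}/{prefix}" if slash else bare, strict=False)
    return ClientEntry(name, net, zone or None, secret)


def config_warnings(clients: List[ClientEntry]) -> List[str]:
    """Hypothetical config check: a link-local entry without a zone index is ambiguous."""
    out = []
    for c in clients:
        if c.network.version == 6 and c.network.network_address.is_link_local and c.scope_id is None:
            out.append(f"client {c.name}: link-local {c.network} has no zone index, "
                       "so the interface a request arrives on cannot be matched")
    return out


def find_client(clients: List[ClientEntry], src_host: str) -> Optional[ClientEntry]:
    """Match the source host as reported by recvfrom() (e.g. 'fe80::1%eth0') to a client.

    A link-local source matches only an entry carrying the same zone index;
    a zone-less entry, or a zone-less source, is treated as unknown.
    """
    src = ipaddress.ip_address(src_host)            # keeps the %zone as src.scope_id
    src_scope = getattr(src, "scope_id", None)      # IPv4 addresses have no scope
    for c in clients:
        if src.version != c.network.version or src not in c.network:
            continue
        if src.version == 6 and src.is_link_local:
            if c.scope_id is None or src_scope is None or c.scope_id != src_scope:
                continue
        return c
    return None


def decide(clients: List[ClientEntry], sockaddr: Tuple) -> str:
    """Render the lookup outcome in the style of the radiusd log lines in this thread."""
    host, port = sockaddr[0], sockaddr[1]
    client = find_client(clients, host)
    if client is None:
        return f"Ignoring request from unknown client {host} port {port}"
    return f"Request from client {client.name} ({host} port {port}): shared secret found"


# Constructed client lists mirroring the clients.conf posted in the thread.
CLIENTS_AS_POSTED = [
    parse_client_entry("localhost", "127.0.0.1", "testing123"),
    parse_client_entry("test-net", "10.10.0.0/16", "bigsecret"),
    parse_client_entry("goya", "fe80::215:17ff:fed0:d278", "test"),       # no zone index
]
CLIENTS_WITH_ZONE = CLIENTS_AS_POSTED[:2] + [
    parse_client_entry("goya", "fe80::215:17ff:fed0:d278%eth0", "test"),  # zone index added
]

# Constructed sockaddr as the Linux socket layer hands it to recvfrom():
# (host, port, flowinfo, scope_id); the host string carries the zone index.
SAMPLE_SOCKADDR = ("fe80::215:17ff:fed0:d278%eth0", 48848, 0, 2)

if __name__ == "__main__":
    for w in config_warnings(CLIENTS_AS_POSTED):
        print("warning:", w)
    print(decide(CLIENTS_AS_POSTED, SAMPLE_SOCKADDR))   # unknown client, as in the thread
    print(decide(CLIENTS_WITH_ZONE, SAMPLE_SOCKADDR))   # matched once the zone is present
    print(decide(CLIENTS_WITH_ZONE, ("10.10.20.208", 41189)))
```

The zone index a scoped entry has to carry is the name of the interface the server receives the request on (eth0 in the ifconfig output quoted in this thread), which ties the configuration to one host's interface naming. A global or ULA client address, as Stefan recommends, needs no zone index and is matched by prefix alone.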


Failure authenticate using IPv6

2013-05-22 Thread Michael Sherman
Hi All,

I'm testing freeradius server version 2.2.0. Worked fine using IPv4.
When I switched to IPv6 I got the following error:

Ignoring request to authentication address :: port 1812 from unknown
client fe80::215:17ff:fed0:d278 port 41189

Here is the entry from the clients.conf:

client goya {
   ipv6addr= fe80::215:17ff:fed0:d278
#   netmask = 128
   secret  = test
   shortname   = test-net
}

Radtest command used with output:

radtest -6 test test  fe80::21b:78ff:fe40:1de1 0 test
Sending Access-Request of id 143 to fe80::21b:78ff:fe40:1de1 port 1812
User-Name = test
User-Password = test
NAS-IPv6-Address = ::1
NAS-Port = 0
Message-Authenticator = 0x

Tcpdump on server:

[root@jackass ~]#  tcpdump -i eth0 host  fe80::21b:78ff:fe40:1de1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:40:27.693362 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor adv: tgt is fe80::21b:78ff:fe40:1de1
16:40:27.693704 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
16:40:32.692677 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor sol: who has fe80::215:17ff:fed0:d278
16:40:32.694009 fe80::215:17ff:fed0:d278 > fe80::21b:78ff:fe40:1de1: icmp6: neighbor adv: tgt is fe80::215:17ff:fed0:d278
16:40:32.697159 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
16:40:37.702304 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86

Ifconfig on server:

[root@jackass ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1B:78:40:1D:E1
          inet addr:10.10.20.208  Bcast:10.10.20.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:78ff:fe40:1de1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11032790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:282990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2421527725 (2.2 GiB)  TX bytes:116875391 (111.4 MiB)
          Interrupt:209

Here are the related logs from radiusd -X:

radiusd:  Loading Clients 
 client 127.0.0.1 {
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
 }
 client 10.10.0.0/16 {
require_message_authenticator = no
secret = test
shortname = test-net
 }
 client goya {
ipv6addr = fe80::215:17ff:fed0:d278 IPv6 address [fe80::215:17ff:fed0:d278]
require_message_authenticator = no
secret = test
shortname = test-net
 }
...
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipv6addr = :: IPv6 address [::]
port = 0
}
listen {
type = acct
ipv6addr = :: IPv6 address [::]
port = 0
}
listen {
type = control
 listen {
socket = /usr/local/var/run/radiusd/radiusd.sock
 }
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
 ... adding new socket proxy address * port 53193
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140

Thanks in advance,

Mike


Re: Failure authenticate using IPv6

2013-05-22 Thread A . L . M . Buxey
Hi,

> Here is the entry from the clients.conf:
>
> client goya {
>
>    ipv6addr= fe80::215:17ff:fed0:d278
>
> #   netmask = 128
>
>    secret  = test
>
>    shortname   = test-net
>
> }

what does this do...

client fe80::215:17ff:fed0:d278 {
  secret = test
  shortname = test-net
  nastype = other
}

... ?

alan