Re: Failure authenticate using IPv6
On 05/24/2013 05:18 AM, Stefan Winter wrote:
> simply isn't an IPv6 address

Very true.

> fe80::215:17ff:fed0:d278%eth0 is the valid address. I don't know if the
> FreeRADIUS address parser is prepared to handle such interface-scoped
> addresses. There's not much use case for this.

Not sure I could agree with that; I can think of a bunch of use-cases for LL. In particular, a nice property of LL is that you know the request definitely came from the same link, which could be useful in some proxying scenarios e.g. 2-level ORPS hierarchy.

But you're right that in general, using a global address makes more sense.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Failure authenticate using IPv6
Using global IPV6 addresses worked. Thanks for the help.

Mike

-----Original Message-----
From: freeradius-users-bounces+michael.sherman=exfo@lists.freeradius.org [mailto:freeradius-users-bounces+michael.sherman=exfo@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, May 24, 2013 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Failure authenticate using IPv6

Stefan Winter wrote:
> I don't *know* why this doesn't work, but it does with our global-scope
> addresses just fine, so I'm guessing it's the address type. Especially
> since link-local addresses are only valid with an interface scope.

Exactly.

> is the valid address. I don't know if the FreeRADIUS address parser is
> prepared to handle such interface-scoped addresses. There's not much
> use case for this.

FreeRADIUS calls getaddrinfo, which *should* parse link-local addresses. I guess...

Alan DeKok.
RE: Failure authenticate using IPv6
> what does this do...
>
> client fe80::215:17ff:fed0:d278 {
>     secret = test
>     shortname = test-net
>     nastype = other
> }
>
> ... ?
>
> alan

Same :(

radiusd: Loading Clients
 client 127.0.0.1 {
 	require_message_authenticator = no
 	secret = testing123
 	shortname = localhost
 	nastype = other
 }
 client 10.10.0.0/16 {
 	require_message_authenticator = no
 	secret = bigsecret
 	shortname = test-net
 }
 client fe80::215:17ff:fed0:d278 {
 	require_message_authenticator = no
 	secret = bigsecret
 	shortname = test-net
 	nastype = other
 }
...
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipv6addr = :: IPv6 address [::]
	port = 0
}
listen {
	type = acct
	ipv6addr = :: IPv6 address [::]
	port = 0
}
listen {
	type = control
 listen {
 	socket = /usr/local/var/run/radiusd/radiusd.sock
 }
}
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 18120
}
...
 ... adding new socket proxy address * port 54225
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
Ready to process requests.
Re: Failure authenticate using IPv6
Hi,

it's a very bad idea to use link-local addresses. You should use a global or ULA address instead.

I don't *know* why this doesn't work, but it does with our global-scope addresses just fine, so I'm guessing it's the address type. Especially since link-local addresses are only valid with an interface scope. So fe80::215:17ff:fed0:d278 simply isn't an IPv6 address. fe80::215:17ff:fed0:d278%eth0 is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this.

Greetings,

Stefan Winter

On 23.05.13 16:11, Michael Sherman wrote:
>> what does this do...
>>
>> client fe80::215:17ff:fed0:d278 {
>>     secret = test
>>     shortname = test-net
>>     nastype = other
>> }
>>
>> ... ?
>>
>> alan
>
> Same :(
>
> radiusd: Loading Clients
>  client 127.0.0.1 {
>  	require_message_authenticator = no
>  	secret = testing123
>  	shortname = localhost
>  	nastype = other
>  }
>  client 10.10.0.0/16 {
>  	require_message_authenticator = no
>  	secret = bigsecret
>  	shortname = test-net
>  }
>  client fe80::215:17ff:fed0:d278 {
>  	require_message_authenticator = no
>  	secret = bigsecret
>  	shortname = test-net
>  	nastype = other
>  }
> ...
> radiusd: Opening IP addresses and Ports
> listen {
> 	type = auth
> 	ipv6addr = :: IPv6 address [::]
> 	port = 0
> }
> listen {
> 	type = acct
> 	ipv6addr = :: IPv6 address [::]
> 	port = 0
> }
> listen {
> 	type = control
>  listen {
>  	socket = /usr/local/var/run/radiusd/radiusd.sock
>  }
> }
> listen {
> 	type = auth
> 	ipaddr = 127.0.0.1
> 	port = 18120
> }
> ...
>  ... adding new socket proxy address * port 54225
> Listening on authentication address :: port 1812
> Listening on accounting address :: port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address :: port 1814
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
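Stefan's point above, that a link-local address only names a host together with its interface scope and that a global or ULA address is the better choice for a RADIUS client, can be checked mechanically before restarting the server. What follows is an added example, not FreeRADIUS code and not from anyone in this thread: a small Python script that reads the flat `client NAME { key = value }` blocks used in this thread (taking the block name as the address when there is no ipaddr/ipv6addr key, as in Alan's suggested block), classifies each client address as IPv4, link-local, ULA or global, and warns on link-local entries, noting whether a %interface zone was given. The sample clients.conf is constructed from the addresses quoted in the thread plus two made-up global (2001:db8::/32 documentation prefix) and ULA entries; the parser assumes flat blocks with no nested sections.

```python
"""Classify the source addresses in a FreeRADIUS-style clients.conf and flag
link-local IPv6 clients. Added illustration, not FreeRADIUS code; it only
understands the flat `client NAME { key = value }` form shown in the thread."""
import ipaddress
import re

# Constructed sample modelled on the clients.conf fragments in the thread.
# The 2001:db8:: and fd00:1234:: entries are made-up placeholders.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client test-net {
    ipaddr = 10.10.0.0/16
    secret = bigsecret
}
client goya {
    ipv6addr = fe80::215:17ff:fed0:d278
    # netmask = 128
    secret = test
}
client fe80::215:17ff:fed0:d278%eth0 {
    secret = test
}
client goya-global {
    ipv6addr = 2001:db8::215:17ff:fed0:d278
    secret = test
}
client goya-ula {
    ipv6addr = fd00:1234::/64
    secret = test
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def parse_clients(text):
    """Return {client_name: address_string} from the flat client blocks.
    When a block has no ipaddr/ipv6addr key the block name is the address,
    which is how the `client fe80::... { }` form in the thread is read."""
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        keys = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                keys[key] = value
        clients[name] = keys.get("ipv6addr") or keys.get("ipaddr") or name
    return clients


def classify(address):
    """Return (kind, zone, warning) for one client address.
    kind is ipv4, link-local, ula or global; zone is the text after '%'
    (the interface scope) or None; warning is None when nothing is wrong."""
    host, _, zone = address.partition("%")
    zone = zone or None
    net = ipaddress.ip_network(host, strict=False)
    if net.version == 4:
        return "ipv4", zone, None
    if net.is_link_local:  # fe80::/10; checked before the ULA test
        if zone is None:
            return ("link-local", None,
                    "link-local address without %interface scope; only "
                    "meaningful on one link, prefer a global or ULA address")
        return ("link-local", zone,
                "link-local address; prefer a global or ULA address")
    if net.network_address in ULA:
        return "ula", zone, None
    return "global", zone, None


def audit_clients(text):
    """Map each client name to its (kind, zone, warning) triple."""
    return {name: classify(addr) for name, addr in parse_clients(text).items()}


if __name__ == "__main__":
    for name, (kind, zone, warning) in audit_clients(SAMPLE_CLIENTS_CONF).items():
        print(f"{name:36s} {kind:11s} zone={zone!s:6s} {warning or ''}")
```

Run against the sample, the `goya` entry from the thread comes back as link-local with no zone, which is exactly the case Stefan describes; the zone-qualified variant is still flagged, because a link-local client is tied to one interface regardless of whether the parser accepts it.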
Failure authenticate using IPv6
Hi All,

I'm testing freeradius server version 2.2.0. Worked fine using IPv4. When I switched to IPv6 I got the following error:

Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 41189

Here is the entry from the clients.conf:

client goya {
    ipv6addr= fe80::215:17ff:fed0:d278
    # netmask = 128
    secret = test
    shortname = test-net
}

Radtest command used with output:

radtest -6 test test fe80::21b:78ff:fe40:1de1 0 test
Sending Access-Request of id 143 to fe80::21b:78ff:fe40:1de1 port 1812
	User-Name = test
	User-Password = test
	NAS-IPv6-Address = ::1
	NAS-Port = 0
	Message-Authenticator = 0x

Tcpdump on server:

[root@jackass ~]# tcpdump -i eth0 host fe80::21b:78ff:fe40:1de1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:40:27.693362 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor adv: tgt is fe80::21b:78ff:fe40:1de1
16:40:27.693704 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
16:40:32.692677 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor sol: who has fe80::215:17ff:fed0:d278
16:40:32.694009 fe80::215:17ff:fed0:d278 > fe80::21b:78ff:fe40:1de1: icmp6: neighbor adv: tgt is fe80::215:17ff:fed0:d278
16:40:32.697159 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
16:40:37.702304 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86

Ifconfig on server:

[root@jackass ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1B:78:40:1D:E1
          inet addr:10.10.20.208  Bcast:10.10.20.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:78ff:fe40:1de1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11032790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:282990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2421527725 (2.2 GiB)  TX bytes:116875391 (111.4 MiB)
          Interrupt:209

Here are the related logs from radius -X:

radiusd: Loading Clients
 client 127.0.0.1 {
 	require_message_authenticator = no
 	secret = testing123
 	shortname = localhost
 	nastype = other
 }
 client 10.10.0.0/16 {
 	require_message_authenticator = no
 	secret = test
 	shortname = test-net
 }
 client goya {
 	ipv6addr = fe80::215:17ff:fed0:d278 IPv6 address [fe80::215:17ff:fed0:d278]
 	require_message_authenticator = no
 	secret = test
 	shortname = test-net
 }
...
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipv6addr = :: IPv6 address [::]
	port = 0
}
listen {
	type = acct
	ipv6addr = :: IPv6 address [::]
	port = 0
}
listen {
	type = control
 listen {
 	socket = /usr/local/var/run/radiusd/radiusd.sock
 }
}
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 18120
}
...
 ... adding new socket proxy address * port 53193
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address :: port 1814
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
Ready to process requests.
Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140

Thanks in advance,

Mike
Re: Failure authenticate using IPv6
Hi,

> Here is the entry from the clients.conf:
>
> client goya {
>     ipv6addr= fe80::215:17ff:fed0:d278
>     # netmask = 128
>     secret = test
>     shortname = test-net
> }

what does this do...

client fe80::215:17ff:fed0:d278 {
    secret = test
    shortname = test-net
    nastype = other
}

... ?

alan