Hello,

We are in the process of implementing RadSec on our server, but when using 
AuthBy DNSROAM the SRV lookup always fails:

Radiator logs:
Fri Mar 17 15:56:20 2017: DEBUG: Handling with Radius::AuthDNSROAM
Fri Mar 17 15:56:20 2017: DEBUG: Resolver doing NAPTR lookup for id.fccn.pt,
Fri Mar 17 15:56:20 2017: DEBUG: AuthBy DNSROAM result: IGNORE, Discovering RadSec servers
Fri Mar 17 15:56:20 2017: DEBUG: Resolver found NAPTR record for realm id.fccn.pt: id.fccn.pt.  73857   IN      NAPTR   ( 100 10 s x-eduroam:radius.tls "" _radsec._tcp.fccn.pt. )
Fri Mar 17 15:56:20 2017: DEBUG: Resolver doing SRV lookup for _radsec._tcp.fccn.pt, Protocol radius Transport tcp UseTLS 1 Order 100 Preference 10
Fri Mar 17 15:56:25 2017: INFO: Resolver: No reply from DNS for SRV request for realm id.fccn.pt
Fri Mar 17 15:56:25 2017: DEBUG: AuthBy DNSROAM: No hardwired Route, no discovered Route, using DEFAULT Route for id.fccn.pt

When we run a tcpdump on the RADIUS server, we see that the DNS server responds 
to the request, but the RADIUS server replies (final line) with port unreachable 
and the resolution of the SRV request fails:

Tcpdump radius (193.137.66.131) > dns (193.137.66.129):
12:37:13.937148 IP 193.137.66.131.40586 > 193.137.66.129.53: 63986+ NAPTR? id.fccn.pt. (28)
12:37:13.937383 IP 193.137.66.129.53 > 193.137.66.131.40586: 63986 1/0/6 NAPTR (268)
12:37:13.945746 IP 193.137.66.131.40586 > 193.137.66.129.53: 37804+ SRV? _radsec._tcp.fccn.pt. (38)
12:37:13.946034 IP 193.137.66.129.53 > 193.137.66.131.40586: 37804 2/0/4 SRV radius01.fccn.pt.:2083 0 0, SRV radius02.fccn.pt.:2083 0 10 (198)
12:37:13.946058 IP 193.137.66.131 > 193.137.66.129: ICMP 193.137.66.131 udp port 40586 unreachable, length 234

I've installed all the necessary modules (Net::DNS, Socket6 and 
IO::Socket::INET6) for this to work, but it always fails.

Does anyone have an idea how to solve this?

Useful info:

OS: Centos 7 Updated today (March 17, 2017)
Radiator: 4.17

Resolver config:
<Resolver>
        Nameservers     193.137.66.129
        Nameservers     ipv6:2001:690:2260:AAAA::129
        NAPTR-Pattern   x-eduroam:(radius)\.(tls)
        DirectAddressLookup     0
        Debug
</Resolver>

AuthBy DNSROAM config:

        <AuthBy DNSROAM>
                Identifier RADSEC_ROMAER_ACCESS_DNSROAM
                Port                    2083
                Protocol                radsec
                Transport               tcp
                UseTLS                  1
                Secret                  XXXXXX
                ReconnectTimeout        2
                NoreplyTimeout          5
                ConnectOnDemand
                TLS_CAFile              /etc/radiator/certs/radsec/cacert.pem
                TLS_CertificateFile     /etc/radiator/certs/radsec/radius.si.ipcb.pt-crt.pem
                TLS_CertificateType     PEM
                TLS_PrivateKeyFile      /etc/radiator/certs/radsec/radius.si.ipcb.pt-key.pem
                TLS_PolicyOID           .1.3.6.1.4.1.25178.3.1.2
                TLS_ExpectedPeerName    CN=.*
                #<Route>
                #       Realm id.fccn.pt
                #       Address 193.137.198.49
                #       Port 2083
                #       Transport tcp
                #       Protocol radsec
                #</Route>
                <Route>
                        Realm           DEFAULT
                        Address         193.136.192.43, 193.136.192.44
                        Port            2083
                        Transport       tcp
                        Protocol        radsec
                </Route>
                IgnoreAccountingResponse

                # Run the script that adds the MAC addresses to DHCP
                ReplyHook file:"%D/radius_roamer_user_hook.pl"

        </AuthBy>

Regards,

Fernando Reis
IT Services | Polytechnic Institute of Castelo Branco
Av. Pedro Álvares Cabral n.º 12 6000-084 Castelo Branco - Portugal
T +351 272 339 600 | F +351 272 339 601 | @ fer...@ipcb.pt

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
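The discovery sequence the Radiator log above walks through (NAPTR lookup for the realm, service-field match against NAPTR-Pattern, SRV lookup of the replacement name, fallback to the DEFAULT Route when nothing usable comes back) as an added worked example. This is not Radiator's own code and not code from the original post: the ZONE dictionary is a constructed, offline stand-in for DNS answers built from the NAPTR and SRV records visible in the tcpdump, the realm broken.example is invented to exercise the fallback path, and the mapping from the transport tag "tls" to TCP with TLS is an assumption in the style of RFC 7585. Server ordering within an SRV priority follows the RFC 2782 weighted selection, with the random source injectable so the result is reproducible.

```python
"""NAPTR -> SRV RadSec server discovery, in the spirit of AuthBy DNSROAM.
Added example; not Radiator code. Runs fully offline against ZONE below."""
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class Route:
    host: str
    port: int
    transport: str
    use_tls: bool


# Constructed DNS answers (stand-in for a resolver). The id.fccn.pt records
# mirror the tcpdump above; broken.example (invented) has a NAPTR whose SRV
# name returns no answer, which is the case the log falls back on.
ZONE = {
    ("id.fccn.pt", "NAPTR"): [
        Naptr(100, 10, "s", "x-eduroam:radius.tls", "", "_radsec._tcp.fccn.pt")],
    ("_radsec._tcp.fccn.pt", "SRV"): [
        Srv(0, 0, 2083, "radius01.fccn.pt"),
        Srv(0, 10, 2083, "radius02.fccn.pt")],
    ("broken.example", "NAPTR"): [
        Naptr(100, 10, "s", "x-eduroam:radius.tls", "", "_radsec._tcp.broken.example")],
}

# Same expression as the Resolver's NAPTR-Pattern in the post: group 1 is the
# protocol, group 2 the transport tag.
NAPTR_PATTERN = re.compile(r"x-eduroam:(radius)\.(tls)")

# Assumed tag-to-transport mapping (RFC 7585 style): "tls" means RadSec over TCP.
TRANSPORT_TAGS = {"tls": ("tcp", True), "dtls": ("udp", True), "udp": ("udp", False)}

DEFAULT_ROUTES = [Route("193.136.192.43", 2083, "tcp", True),
                  Route("193.136.192.44", 2083, "tcp", True)]


def lookup(zone, name, rrtype):
    """Answer records for (name, type); an empty list models 'no reply'."""
    return list(zone.get((name.rstrip(".").lower(), rrtype), []))


def order_srv(records, rand=random.random):
    """RFC 2782 ordering: ascending priority, weighted random within a priority.
    Zero-weight targets are listed first so they are selected rarely."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            n = int(rand() * (total + 1))  # random integer in [0, total]
            running = 0
            for r in group:
                running += r.weight
                if running >= n:           # first record whose running sum reaches n
                    break
            ordered.append(r)
            group.remove(r)
    return ordered


def discover(realm, zone=ZONE, pattern=NAPTR_PATTERN, rand=random.random):
    """Discover RadSec routes for a realm; [] means nothing usable was found."""
    routes = []
    naptrs = sorted(lookup(zone, realm, "NAPTR"), key=lambda r: (r.order, r.preference))
    for n in naptrs:
        m = pattern.search(n.service)
        if not m or n.flags.lower() != "s":
            continue  # wrong service, or a flag ("a", "") this example does not follow
        transport, use_tls = TRANSPORT_TAGS.get(m.group(2), ("tcp", True))
        for s in order_srv(lookup(zone, n.replacement, "SRV"), rand):
            routes.append(Route(s.target, s.port, transport, use_tls))
    return routes


def choose_routes(realm, default=DEFAULT_ROUTES, **kw):
    """Discovered routes if any, otherwise the hardwired DEFAULT Route."""
    return discover(realm, **kw) or list(default)


if __name__ == "__main__":
    for realm in ("id.fccn.pt", "broken.example"):
        print(realm, [(r.host, r.port, r.transport, r.use_tls) for r in choose_routes(realm)])
```

With the weight-0/weight-10 pair from the tcpdump, radius02 is tried first in ten of eleven draws and radius01 in the remaining one, which is what the posted SRV weights express; an empty SRV answer for broken.example produces no discovered route and the DEFAULT Route list is used, matching the "No hardwired Route, no discovered Route, using DEFAULT Route" line in the log.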
