Re: 2.x.x and radtest: no IPv6?
Hi,

> Sorry, I've been unclear. What I meant was that I strongly suspect
> nas->radius comms will either be v4 or v6 for a given pairing at any one
> time, for periods of minutes or hours. Hence treating the addresses as
> separately should be fine

hmm, yes, we treat each as a separate entity

i'll have to check if cisco even let you define the same instance
to have a v4 and v6 address...it's doubtful but you never know.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 2.x.x and radtest: no IPv6?
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> My guess is dual-stack NAS->RADIUS is going to be rare.
>
> ummm. take a hold on that assertion. the joy of dual-stack deployment
> is that you need to ensure your servers are ready on IPv4 and IPv6 -
> and as part of that, you need to ensure that you're using both methods
> in case either your IPv4 goes...or your IPv6 goes. we use both
> IPv4 and IPv6 on our kit...and our servers are configured for both..as
> are our NAS kit that can do IPv6 for RADIUS (we had some discussion
> about the best fall-over order to use..which in itself is interesting)
>
> my personal view is that network/sys admins who are avoiding IPv6 as
> much as they can are just storing themselves up for a whole lot of pain
> later when it's forced onto them by internet evolution...embrace the IPv6
> now whilst you can do it in your own time. it's not like you haven't been
> given over 15 years of advance notice ;-)
>
> alan

Sorry, I've been unclear. What I meant was that I strongly suspect
nas->radius comms will either be v4 or v6 for a given pairing at any one
time, for periods of minutes or hours. Hence treating the addresses as
separately should be fine

--
Sent from my phone with, please excuse brevity and typos

Re: 2.x.x and radtest: no IPv6?
Hi,

> My guess is dual-stack NAS->RADIUS is going to be rare.

ummm. take a hold on that assertion. the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 -
and as part of that, you need to ensure that you're using both methods
in case either your IPv4 goes...or your IPv6 goes. we use both
IPv4 and IPv6 on our kit...and our servers are configured for both..as
are our NAS kit that can do IPv6 for RADIUS (we had some discussion
about the best fall-over order to use..which in itself is interesting)

my personal view is that network/sys admins who are avoiding IPv6 as much
as they can are just storing themselves up for a whole lot of pain later
when it's forced onto them by internet evolution...embrace the IPv6 now
whilst you can do it in your own time. it's not like you haven't been
given over 15 years of advance notice ;-)

alan

Re: 2.x.x and radtest: no IPv6?
Hi,

> > Still... maybe for a later version... if the input looks like an IP
> > address, guessing the address family isn't all that hard.

unlike your using IPv4 in its IPv6 incantation

> What if the NAS started just using the SRC IPv6 address in packets, and
> source IP protection was enabled?

well, then things might be interesting. if the NAS was configured to talk
to an IPv6 RADIUS server then I'd expect it to be using its IPv6 source
address and if you have DAI/etc on the network then that would have to be
factored in

> I don't have any experience managing an IPv6 enabled network. Does anyone
> else? Or is it all too new?

new? it's been around for more than the lifetime of some people on this
list! ;-)

you'll probably have noticed that any stuff from us here has the fallback
if IPv6 isn't present - so the usual Framed-Address/NAS-IP-Address
assumptions all have to be checked in the server/config - I first started
noting these issues when we configured remote systems to talk to our IPv6
addresses - finding top-level entries in /var/log/radiusd/ because the
IPv4 stuff was missing

oh yes, warning needed to ensure that the filesystem you use likes ":" in
filenames! ;-)

alan

Re: 2.x.x and radtest: no IPv6?
On 22/07/13 14:32, Arran Cudbard-Bell wrote:
> On 22 Jul 2013, at 14:15, Phil Mayers wrote:
>> On 22/07/13 13:47, Arran Cudbard-Bell wrote:
>>>
>>> It'd be nice to get some feedback from people though... do you think
>>> you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>>>
>>> I'm guessing for dual stacking it'd be nice to record
>>> Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to
>>> identify clients in areas like session management? It seems like the
>>> safest way of doing it to me.
>>
>> Yes. It's important to record them separately, and useful for the
>> reasons you suggest.
>
> For the NAS too? Or would it be OK to have a single attribute?

Good question. Not sure on that one - I think most NASes treat an IPv4 and
IPv6 RADIUS server as a separate server, so I guess treating it as a
separate client is no big problem. OTOH two columns == less rows for
dual-stack NAS.

My guess is dual-stack NAS->RADIUS is going to be rare.

>>> But would it break things? What if the NAS started just using the SRC
>>> IPv6 address in packets, and source IP protection was enabled? Does
>>> this happen in the real world?
>>
>> Not sure I follow here; can you expand on this?
>
> Envisaging use in session identification. If the NAS was dumb, and was
> just looking at packets coming from one of its directly connected
> devices, and pulling off the SRC IP address and using it to enrich
> Accounting-Requests, you may have that IP change during the

Ah, gotcha.

> course of a session.

Some NASes already do something similar with Framed-IP-Address only being
present in some acct packets. We handle this with:

    update radacct set ...
      framedipaddress=coalesce(nullif('%{..}', ''), framedipaddress)
      ...

...which is basically "use the IP from the packet if set, or on the
existing row if unset"

Re: 2.x.x and radtest: no IPv6?
Stefan Winter wrote:
> Still... maybe for a later version... if the input looks like an IP
> address, guessing the address family isn't all that hard.

  Yeah patches? :)

> I see that such a -4 -6 option is required for hostnames, but even then
> only if they return addresses for both families.
>
> ipv6-localhost only returns ::1. And ::1 successfully parses neither as
> an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous
> and could be auto-detected.

  Sure.

> That would add a little user-friendliness for users who didn't have
> enough sleep :-)

  Yes.

  Alan DeKok.

Re: 2.x.x and radtest: no IPv6?
On 22 Jul 2013, at 14:15, Phil Mayers wrote:

> On 22/07/13 13:47, Arran Cudbard-Bell wrote:
>>
>> It'd be nice to get some feedback from people though... do you think
>> you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>>
>> I'm guessing for dual stacking it'd be nice to record
>> Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to
>> identify clients in areas like session management? It seems like the
>> safest way of doing it to me.
>
> Yes. It's important to record them separately, and useful for the reasons you
> suggest.

For the NAS too? Or would it be OK to have a single attribute?

>>
>> But would it break things? What if the NAS started just using the SRC
>> IPv6 address in packets, and source IP protection was enabled? Does
>> this happen in the real world?
>
> Not sure I follow here; can you expand on this?

Envisaging use in session identification. If the NAS was dumb, and was just
looking at packets coming from one of its directly connected devices, and
pulling off the SRC IP address and using it to enrich Accounting-Requests,
you may have that IP change during the course of a session.

I doubt any NAS vendors are quite that stupid, but just wanted confirmation.

>> I don't have any experience managing an IPv6 enabled network. Does
>> anyone else? Or is it all too new?
>
> "It's complicated".
>
> I've replied to your email on -devel.

OK. Thanks.

Arran Cudbard-Bell
FreeRADIUS Development Team

Re: 2.x.x and radtest: no IPv6?
On 22/07/13 13:47, Arran Cudbard-Bell wrote:

> It'd be nice to get some feedback from people though... do you think
> you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>
> I'm guessing for dual stacking it'd be nice to record
> Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to
> identify clients in areas like session management? It seems like the
> safest way of doing it to me.

Yes. It's important to record them separately, and useful for the reasons
you suggest.

> But would it break things? What if the NAS started just using the SRC
> IPv6 address in packets, and source IP protection was enabled? Does
> this happen in the real world?

Not sure I follow here; can you expand on this?

> I don't have any experience managing an IPv6 enabled network. Does
> anyone else? Or is it all too new?

"It's complicated".

I've replied to your email on -devel.

Re: 2.x.x and radtest: no IPv6?
Hi,

>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
>> but not totally sure.
>
>
>
> -4 Use IPv4 for the NAS address (default)
> -6 Use IPv6 for the NAS address

Uh. Sorry.

Still... maybe for a later version... if the input looks like an IP
address, guessing the address family isn't all that hard.

I see that such a -4 -6 option is required for hostnames, but even then
only if they return addresses for both families.

ipv6-localhost only returns ::1. And ::1 successfully parses neither as
an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous
and could be auto-detected.

That would add a little user-friendliness for users who didn't have
enough sleep :-)

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

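
The auto-detection suggested in the message above, as an added example that is not part of the thread and not FreeRADIUS code: `guess_family` is a hypothetical helper that classifies a `radius-server[:port]` argument with `inet_pton` and reports `AF_UNSPEC` for hostnames, which still need the resolver or `-4`/`-6` to decide. The sample inputs are constructed from the arguments tried in the thread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not FreeRADIUS code: guess the address family of a
 * "radius-server[:port]" argument. Returns AF_INET or AF_INET6 for a numeric
 * literal, AF_UNSPEC for anything else (a hostname that still has to be
 * resolved, where -4/-6 remains the tie-breaker). */
int guess_family(const char *spec)
{
    char host[256];
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len = strlen(spec);

    if (len == 0 || len >= sizeof(host)) return AF_UNSPEC;

    if (spec[0] == '[') {              /* "[v6]" or "[v6]:port" */
        const char *end = strchr(spec, ']');
        if (!end || (end[1] != '\0' && end[1] != ':')) return AF_UNSPEC;
        size_t n = (size_t)(end - spec) - 1;
        memcpy(host, spec + 1, n);
        host[n] = '\0';
        return inet_pton(AF_INET6, host, addr) == 1 ? AF_INET6 : AF_UNSPEC;
    }

    /* Bare IPv6 literal such as "::1": every colon belongs to the address,
     * so no port can follow without brackets. */
    if (inet_pton(AF_INET6, spec, addr) == 1) return AF_INET6;

    /* IPv4 literal, optionally followed by ":port". */
    memcpy(host, spec, len + 1);
    char *colon = strchr(host, ':');
    if (colon) *colon = '\0';
    if (inet_pton(AF_INET, host, addr) == 1) return AF_INET;

    return AF_UNSPEC;
}

int main(void)
{
    /* Constructed inputs, modelled on the arguments tried in the thread. */
    const char *samples[] = { "[::1]", "::1", "ipv6-localhost", "127.0.0.1:1812" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int af = guess_family(samples[i]);
        printf("%-16s -> %s\n", samples[i],
               af == AF_INET6 ? "IPv6" : af == AF_INET ? "IPv4" : "hostname");
    }
    return 0;
}
```

An IPv4-mapped literal such as `::ffff:192.0.2.1` is classified as IPv6 here, because that is the socket family it would be sent over.
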
Re: 2.x.x and radtest: no IPv6?
On 22 Jul 2013, at 13:32, Stefan Winter wrote:

> Hi,
>
>>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
>>> but not totally sure.
>>
>>
>>
>> -4 Use IPv4 for the NAS address (default)
>> -6 Use IPv6 for the NAS address
>
> Uh. Sorry.
>
> Still... maybe for a later version... if the input looks like an IP
> address, guessing the address family isn't all that hard.
>
> I see that such a -4 -6 option is required for hostnames, but even then
> only if they return addresses for both families.
>
> ipv6-localhost only returns ::1. And ::1 successfully parses neither as
> an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous
> and could be auto-detected.
>
> That would add a little user-friendliness for users who didn't have
> enough sleep :-)

I've mentally scheduled a pass through modules in master to fix any places
where it's IPv4 only, so i'll be sure to add that.

It'd be nice to get some feedback from people though... do you think
you'll ever need to record both your NAS IPv4 and IPv6 addresses?

I'm guessing for dual stacking it'd be nice to record Framed-IP-Address
and Framed-IPv6-Prefix, should they both be used to identify clients in
areas like session management? It seems like the safest way of doing it
to me.

But would it break things? What if the NAS started just using the SRC
IPv6 address in packets, and source IP protection was enabled? Does this
happen in the real world?

I don't have any experience managing an IPv6 enabled network. Does anyone
else? Or is it all too new?

Arran Cudbard-Bell
FreeRADIUS Development Team

Re: 2.x.x and radtest: no IPv6?
Stefan Winter wrote:
> while using radtest, I got some strange results:
>
> # ./radtest swinter testpwd [::1] 123 testing123
> radclient: Failed to find IP address for host ::1: Success

  It defaults to IPv4.

> # ./radtest swinter testpwd ipv6-localhost 123 testing123
> radclient: Failed to find IP address for host ipv6-localhost: Success
>
> ipv6-localhost is in my /etc/hosts. I'd expect both of these to work...
> no brackets also doesn't work, but that was just my last straw and
> doesn't have to work anyway.
>
> Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
> but not totally sure.

$ radtest -h
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
        -d RADIUS_DIR       Set radius directory
        -t <type>           Set authentication method
                            type can be pap, chap, mschap, or eap-md5
        -x                  Enable debug output
        -4                  Use IPv4 for the NAS address (default)
        -6                  Use IPv6 for the NAS address

  Alan DeKok.

2.x.x and radtest: no IPv6?
Hi,

while using radtest, I got some strange results:

# ./radtest swinter testpwd [::1] 123 testing123
radclient: Failed to find IP address for host ::1: Success

# ./radtest swinter testpwd ipv6-localhost 123 testing123
radclient: Failed to find IP address for host ipv6-localhost: Success

ipv6-localhost is in my /etc/hosts. I'd expect both of these to work...
no brackets also doesn't work, but that was just my last straw and
doesn't have to work anyway.

Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
but not totally sure.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473