(RADIATOR) IPV6 support added

Mike McCauley mikem at open.com.au
Wed Feb 18 17:33:13 CST 2004


Hello Wim,

Thanks for your note.
It looks like the transmission of the request to the proxy is failing, and it 
is not actually leaving Radiator at all.

May I see the relevant AuthBy RADIUS configuration for this proxy connection?
Did you change anything there, or did you only change the main BindAddress?

What version of FreeBSD was this?

Cheers.


On Thu, 19 Feb 2004 05:11 am, Wim Biemolt wrote:
> Hello Mike,
>
> On Wed, Feb 18, 2004 at 12:26:56PM +1100, Mike McCauley wrote:
> > thanks for reporting this.
> >
> > On Wed, 18 Feb 2004 10:11 am, Wim Biemolt wrote:
> > > On Thu, Feb 12, 2004 at 12:19:16PM +1100, Mike McCauley wrote:
> > > > Thanks for reporting this.
> > > > We have made a change so that IPV4 addresses received over IPV6 are
> > > > treated exactly as they were before. It is available in the 3.8
> > > > patches area.
> > >
> > > Thanks for the patch. It fixed my problem. On what platforms does
> > > Radiator support IPv6 transport? After the successful upgrade on
> > > a FreeBSD based server I was less successful on Solaris 8 :-(
> > >
> > >   The STDERR output was Socket6::inet_pton not implemented on this
> > >   architecture at /usr/local/bin/radiusd line 474.
> >
> > This problem is due to the fact that when Socket6 builds on Solaris 8 and
> > 9, it looks in the wrong place for inet_pton and inet_ntop, and wrongly
> > concludes they are not available.
> >
> > You can fix this by editing the config.h in Socket6 and adding the
> > following lines:
> >
> > /* Sol 8 and 9 really do have these in libnsl */
> > #define HAVE_INET_NTOP 1
> > #define HAVE_INET_PTON 1
> >
> > and running
> > make;make install
> > again
> >
> > Alas, Solaris does not implement the IPV6 gethostbyname2. We have now
> > released a patch for Radiator so the absence of this function does not
> > cause a croak.
>
> Before I try this. It looks like there is still an issue regarding IPv6
> support on FreeBSD. When I enable IPv6 support using "BindAddress ipv6:::"
> it (sometimes?) doesn't seem to proxy regular requests over IPv4 anymore.
> My logfile and tcpdump show different things.
>
> * I receive an Access-Request over IPv4 which should be proxied to
>   another radius server over IPv4.
>
>   Wed Feb 18 18:25:47 2004 93585: DEBUG: Packet dump:
>   *** Received from 192.k.l.m port 2083 ....
>   Code:       Access-Request
>
> * According to the logging the Access-Request is being proxied to the
>   proper radius server
>
>   Wed Feb 18 18:25:47 2004 102933: DEBUG: Packet dump:
>   *** Sending to 192.a.b.c port 1812 ....
>   Code:       Access-Request
>
> * But tcpdump only shows that I receive something. Nothing is being
>   transmitted to the proper radius server.
>
>   18:25:47.090525 192.k.l.m.2083 > 192.x.y.z.1812:  rad-access-req 139 [id 79] Attr[  User{wimbie at sid.surfnet.nl} [|radius]
>   18:25:51.082417 192.k.l.m.2083 > 192.x.y.z.1812:  rad-access-req 139 [id 79] Attr[  User{wimbie at sid.surfnet.nl} [|radius]
>
> * According to the logging I receive no reply (to a question which most
>   likely was never asked)
>
>   Wed Feb 18 18:26:02 2004 198057: INFO: AuthRADIUS: No reply after 2 retransmissions to 192.a.b.c:1812 for wimbie at sid.surfnet.nl  (79)
>   Wed Feb 18 18:26:02 2004 199210: INFO: AuthRADIUS could not find a working host to forward to. Ignoring
>   Wed Feb 18 18:26:06 2004 238396: INFO: AuthRADIUS: No reply after 2 retransmissions to 192.a.b.c:1812 for wimbie at sid.surfnet.nl  (79)
>   Wed Feb 18 18:26:06 2004 239537: INFO: AuthRADIUS could not find a working host to forward to. Ignoring
>
> * When I remove the "BindAddress ipv6:::" logging and tcpdump are in
>   agreement again
>
>   18:26:23.559130 192.k.l.m.2089 > 192.x.y.z.1812:  rad-access-req 139 [id 80] Attr[  User{wimbie at sid.surfnet.nl} [|radius]
>   18:26:23.572088 192.x.y.z.3025 > 192.a.b.c.1812:  rad-access-req 140 [id 1] Attr[  User{wimbie at sid.surfnet.nl} [|radius]
>   18:26:25.631254 192.a.b.c.1812 > 192.x.y.z.3025:  rad-access-reject 36 [id 1] Attr[  Reply{Request Denied} ] (DF)
>   18:26:25.638771 192.x.y.z.1812 > 192.k.l.m.2089:  rad-access-reject 36 [id 80] Attr[  Reply{Request Denied} ]
>
> * So now I do receive a reply. (the question was actually sent)
>
>   Wed Feb 18 18:26:25 2004 634069: DEBUG: Received reply in AuthRADIUS for req 1 from 192.a.b.c:1812
>   Wed Feb 18 18:26:25 2004 635626: INFO: Access rejected for wimbie at sid.surfnet.nl: Proxied
>
> I have included the "Trace 5" output of both times I tried to have an
> IPv4 request proxied. The first time using "BindAddress ipv6:::". The
> second time without "BindAddress ipv6:::". Any idea what is going wrong?
>
> Cheers,
>
> -Wim -/- SURFnet

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
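
The check Wim does by hand in the quoted message, comparing Radiator's "Sending to" packet dumps with what tcpdump actually sees leaving the host, written out as an added example (not part of the original thread and not Radiator code). The log and capture lines are constructed in the formats quoted above with documentation addresses as placeholders, and the function names and the 2-second matching window are assumptions.

```python
import re
from datetime import datetime

# Constructed samples in the formats quoted in the thread; the addresses are
# documentation placeholders, not values from the original message.
RADIATOR_LOG = """\
Wed Feb 18 18:25:47 2004 93585: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 2083 ....
Wed Feb 18 18:25:47 2004 102933: DEBUG: Packet dump:
*** Sending to 198.51.100.7 port 1812 ....
Wed Feb 18 18:26:23 2004 571002: DEBUG: Packet dump:
*** Sending to 198.51.100.7 port 1812 ....
"""
TCPDUMP = """\
18:25:47.090525 192.0.2.10.2083 > 192.0.2.1.1812:  rad-access-req 139 [id 79]
18:26:23.559130 192.0.2.10.2089 > 192.0.2.1.1812:  rad-access-req 139 [id 80]
18:26:23.572088 192.0.2.1.3025 > 198.51.100.7.1812:  rad-access-req 140 [id 1]
"""

STAMP = re.compile(r"^\w{3} \w{3} +\d+ (\d\d:\d\d:\d\d) \d{4} \d+: DEBUG: Packet dump:")
SEND = re.compile(r"^\*\*\* Sending to (\S+) port (\d+)")
PKT = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ \S+ > (\S+)\.(\d+):")

def clock(hms):
    return datetime.strptime(hms, "%H:%M:%S")

def logged_sends(log):
    """Yield (time, host, port) for every 'Sending to' packet dump in the log."""
    when = None
    for line in log.splitlines():
        stamp, send = STAMP.match(line), SEND.match(line)
        if stamp:
            when = clock(stamp.group(1))
        elif send and when is not None:
            yield when, send.group(1), int(send.group(2))

def wire_packets(dump):
    """Yield (time, dst_host, dst_port) for every packet line tcpdump printed."""
    for line in dump.splitlines():
        pkt = PKT.match(line)
        if pkt:
            yield clock(pkt.group(1)), pkt.group(2), int(pkt.group(3))

def unsent(log, dump, window=2):
    """Return logged sends with no packet to the same host:port within `window`
    seconds (assumed tolerance; same-day capture on the same host's clock)."""
    wire = list(wire_packets(dump))
    return [(t.strftime("%H:%M:%S"), host, port)
            for t, host, port in logged_sends(log)
            if not any((h, p) == (host, port)
                       and abs((w - t).total_seconds()) <= window
                       for w, h, p in wire)]
```

On the constructed input, `unsent(RADIATOR_LOG, TCPDUMP)` reports the 18:25:47 proxy attempt as logged but absent from the capture, which is the mismatch the thread is about.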

