(RADIATOR) RadSec won't run on IPv6.
Patrick Renkens
p.renkens at uci.ru.nl
Thu Jun 14 10:06:34 CDT 2007
Hi all,
We have successfully set up RadSec over IPv4 with Radiator 3.17.1, see
configuration details at the end of this mail.
At this stage we use RadSec to transport accounting records in a safe
way. It runs smoothly.
However we would like to set up RadSec over IPv6.
When we use the correct IPv6 addresses with the 'Host' statement, we get
errors like below:
Thu Jun 14 16:58:33 2007 249345: DEBUG: Creating Monitor port 0.0.0.0:51812
Thu Jun 14 16:58:33 2007 256441: DEBUG: include /usr/local/etc/radius-common.cfg
Thu Jun 14 16:58:34 2007 900127: DEBUG: Stream attempting tcp connection to ipv6:<hidden>:2083
Thu Jun 14 16:58:34 2007 904023: DEBUG: Stream connection in progress to ipv6:<hidden>:2083
Thu Jun 14 16:58:36 2007 145287: DEBUG: Finished reading configuration file '/usr/local/etc/radius-auth.cfg'
Thu Jun 14 16:58:36 2007 148742: DEBUG: Reading dictionary file '/data/raddb/dictionary'
Thu Jun 14 16:58:37 2007 138407: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Jun 14 16:58:37 2007 142802: NOTICE: Server started: Radiator 3.17.1 on <hidden>
Thu Jun 14 16:58:37 2007 146599: DEBUG: Stream connected to ipv6:<hidden>:2083
Thu Jun 14 16:58:37 2007 150080: DEBUG: StreamTLS sessionInit for ipv6:<hidden>
Thu Jun 14 16:58:37 2007 156781: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
Thu Jun 14 16:58:37 2007 161272: DEBUG: StreamTLS Client Started for ipv6:<hidden>:2083
Thu Jun 14 16:58:37 2007 303267: DEBUG: Verifying certificate with Subject '/C=NL/O=..../OU=...../CN=.....' presented by peer ipv6:<hidden>
Thu Jun 14 16:58:37 2007 305992: ERR: Verification of certificate presented by ipv6:<hidden> failed
Thu Jun 14 16:58:37 2007 309291: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
Thu Jun 14 16:58:37 2007 312834: ERR: StreamTLS client error: -1, 1, 4401, 21662: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Configuration on the RadSec Server side:

BindAddress 0.0.0.0,ipv6:<hidden>
<ServerRADSEC>
    Port 2083
    Protocol tcp
    UseTLS
    TLS_CAFile %D/cert/scs/ca.crt
    TLS_CertificateFile %D/cert/scs/'server'.crt
    TLS_CertificateType PEM
    TLS_PrivateKeyFile %D/cert/scs/'server'.key
    TLS_RequireClientCert
    TLS_SessionResumption 0
    Secret <hidden>
    Identifier RADSEC
</ServerRADSEC>

Configuration on the RadSec client side:

<AuthBy RADSEC>
    Identifier ACCOUNTING
    Host IPv6 address of 'server'
    Port 2083
    Protocol tcp
    Secret <hidden>
    UseTLS 1
    TLS_CAFile %D/cert/scs/ca.crt
    TLS_CertificateFile %D/cert/scs/'client'.crt
    TLS_CertificateType PEM
    TLS_PrivateKeyFile %D/cert/scs/'client'.key
    IgnoreAuthentication
    IgnoreAccountingResponse
</AuthBy>

Any other relevant information:
- We use the same certificates for IPv4 and IPv6.
- RadSec server installed on Solaris 5.10 (SPARC).
- RadSec client installed on Solaris 5.9 (SPARC).
- RadSec server and RadSec client both use Radiator 3.17.1.
- DNS for IPv4 and IPv6 is correctly configured, including reverse.
- There is no firewall problem, TCP port 2083 is open either way.
--
Kind regards,
Patrick Renkens
Centre for Information Services (UCI)
Radboud University Nijmegen, Netherlands
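
Added example, not part of the original post and not Radiator code: a small Python triage script for the log format shown above. It pairs each "Verification of certificate ... failed" line with the subject logged just before it and splits the packed OpenSSL error code into its library, function and reason numbers, assuming the error-code layout of OpenSSL releases before 3.0. The sample log is constructed from the lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: lines from the post, unwrapped; the peer is a placeholder.
SAMPLE_LOG = """\
Thu Jun 14 16:58:37 2007 146599: DEBUG: Stream connected to ipv6:<hidden>:2083
Thu Jun 14 16:58:37 2007 303267: DEBUG: Verifying certificate with Subject '/C=NL/O=..../OU=...../CN=.....' presented by peer ipv6:<hidden>
Thu Jun 14 16:58:37 2007 305992: ERR: Verification of certificate presented by ipv6:<hidden> failed
Thu Jun 14 16:58:37 2007 312834: ERR: StreamTLS client error: -1, 1, 4401, 21662: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \d+: (?P<level>[A-Z]+): (?P<msg>.*)$")
SUBJECT = re.compile(r"Verifying certificate with Subject '(?P<subject>[^']*)' presented by peer (?P<peer>\S+)")
VERIFY_FAIL = re.compile(r"Verification of certificate presented by (?P<peer>\S+) failed")
OSSL_ERR = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")

def decode_openssl_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(log_text):
    """Return one record per certificate verification failure found in the log."""
    subjects, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line: ignore it
        msg = m["msg"]
        if s := SUBJECT.search(msg):
            subjects[s["peer"]] = s["subject"]  # remember what the peer presented
        elif v := VERIFY_FAIL.search(msg):
            failures.append({"time": m["ts"], "peer": v["peer"],
                             "subject": subjects.get(v["peer"]), "openssl": None})
        elif (o := OSSL_ERR.search(msg)) and failures:
            # Attach the OpenSSL detail to the most recent failure record.
            failures[-1]["openssl"] = {"numeric": decode_openssl_error(o["code"]),
                                       "function": o["func"], "reason": o["reason"]}
    return failures

if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(failure)
```

Run it against an unwrapped log file by passing the file's contents to `triage()`; log lines that a mail client has wrapped will not match and are skipped.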