(RADIATOR) RadSec won't run on IPv6.

Patrick Renkens p.renkens at uci.ru.nl
Thu Jun 21 03:01:46 CDT 2007


Hi all,

This issue is solved with the latest patch for Radiator version 3.17.1.
Thanks again Mike.

--

Kind regards,
Patrick Renkens
 Centre for Information Services (UCI)
 Radboud University Nijmegen, Netherlands


Patrick Renkens wrote:
> Hi all,
> 
> We have successfully set up RadSec over IPv4 with Radiator 3.17.1, see
> configuration details at the end of this mail.
> At this stage we use RadSec to transport accounting records in a safe
> way. It runs smoothly.
> 
> However we would like to set up RadSec over IPv6.
> When we use the correct IPv6 addresses with the 'Host' statement, we get
> errors like below:
> 
> 
> Thu Jun 14 16:58:33 2007 249345: DEBUG: Creating Monitor port 0.0.0.0:51812
> Thu Jun 14 16:58:33 2007 256441: DEBUG: include
> /usr/local/etc/radius-common.cfg
> Thu Jun 14 16:58:34 2007 900127: DEBUG: Stream attempting tcp connection
> to ipv6:<hidden>:2083
> Thu Jun 14 16:58:34 2007 904023: DEBUG: Stream connection in progress to
> ipv6:<hidden>:2083
> Thu Jun 14 16:58:36 2007 145287: DEBUG: Finished reading configuration
> file '/usr/local/etc/radius-auth.cfg'
> Thu Jun 14 16:58:36 2007 148742: DEBUG: Reading dictionary file
> '/data/raddb/dictionary'
> Thu Jun 14 16:58:37 2007 138407: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Thu Jun 14 16:58:37 2007 142802: NOTICE: Server started: Radiator 3.17.1
> on <hidden>
> Thu Jun 14 16:58:37 2007 146599: DEBUG: Stream connected to
> ipv6:<hidden>:2083
> Thu Jun 14 16:58:37 2007 150080: DEBUG: StreamTLS sessionInit for
> ipv6:<hidden>
> Thu Jun 14 16:58:37 2007 156781: DEBUG: StreamTLS SSL_connect result:
> -1, 2, 4384
> Thu Jun 14 16:58:37 2007 161272: DEBUG: StreamTLS Client Started for
> ipv6:<hidden>:2083
> Thu Jun 14 16:58:37 2007 303267: DEBUG: Verifying certificate with
> Subject '/C=NL/O=..../OU=...../CN=.....' presented by peer ipv6:<hidden>
> Thu Jun 14 16:58:37 2007 305992: ERR: Verification of certificate
> presented by ipv6:<hidden> failed
> Thu Jun 14 16:58:37 2007 309291: DEBUG: StreamTLS SSL_connect result:
> -1, 1, 4401
> Thu Jun 14 16:58:37 2007 312834: ERR: StreamTLS client error: -1, 1,
> 4401,  21662: 1 - error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> 
> 
> Configuration on the RadSec Server side:
> 
> BindAddress     0.0.0.0,ipv6:<hidden>
> <ServerRADSEC>
>         Port                    2083
>         Protocol                tcp
>         UseTLS
>         TLS_CAFile              %D/cert/scs/ca.crt
>         TLS_CertificateFile     %D/cert/scs/'server'.crt
>         TLS_CertificateType     PEM
>         TLS_PrivateKeyFile      %D/cert/scs/'server'.key
>         TLS_RequireClientCert
>         TLS_SessionResumption   0
>         Secret                  <hidden>
>         Identifier              RADSEC
> </ServerRADSEC>
> 
> 
> Configuration on the RadSec client side:
> 
> <AuthBy RADSEC>
>         Identifier              ACCOUNTING
>         Host                    IPv6 address of 'server'
>         Port                    2083
>         Protocol                tcp
>         Secret                  <hidden>
>         UseTLS                  1
>         TLS_CAFile              %D/cert/scs/ca.crt
>         TLS_CertificateFile     %D/cert/scs/'client'.crt
>         TLS_CertificateType     PEM
>         TLS_PrivateKeyFile      %D/cert/scs/'client'.key
>         IgnoreAuthentication
>         IgnoreAccountingResponse
> </AuthBy>
> 
> Any other relevant information:
> - We use the same certificates for IPv4 and IPv6.
> - RadSec server installed on Solaris 5.10 (SPARC).
> - RadSec client installed on Solaris 5.9 (SPARC).
> - RadSec server and RadSec client both use Radiator 3.17.1.
> - DNS for IPv4 and IPv6 is correctly configured, including reverse.
> - There is no firewall problem, TCP port 2083 is open either way.
> 

