[RADIATOR] Radsec and IPv6 keeps troubling me

Mike McCauley mikem at open.com.au
Mon Jan 24 15:36:13 CST 2011


Hello Patrick,

thanks for reporting this.
This would occur if the remote host name was specified in the form 
ipv6:hostname and the certificate name was for 'hostname'.

It should now be fixed in the latest patch set.
We apologise for any inconvenience.

Cheers.

On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
> Hi all,
>
> Radsec in combination with IPv6 keeps troubling me.
> This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
> the Radsec-connections won't work over IPv6. I had to switch back to
> IPv4 to get it running again.
> Both systems, the Radsec client and the server, run Radiator 4.7 on
> RHEL: RHEL 5.4 on the client side and RHEL 5.5 on the server side. I only
> upgraded the client side. The server that acts as Radsec server was
> already running Radiator 4.7.
>
> Personally I think it is not OS related, I experienced the same problems
> on Solaris 5.9 and 5.10 before.
>
> Below you find the error-message and the relevant configuration parts.
>
> Any help is appreciated.
>
>
>
>
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject
> '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value
> 'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office against
> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by
> ipv6:'host' failed
> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401,
> 9303: 1 - error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>
>
>
> #RADSEC client side:
> <Handler Realm=/^'realm'$/i>
>         # RewriteUsername         s/^([^@]+).*/$1/
>         <AuthBy RADSEC>
>                 Host                    ipv6:'hostname'
>                 Port                    2083
>                 Secret                  <cut>
>                 UseTLS
>                 TLS_CertificateType     PEM
>                 TLS_CAPath              %D/certs/cacert
>                 TLS_CertificateFile     %D/certs/%h.pem
>                 TLS_PrivateKeyFile      %D/certs/%h.pem
>         </AuthBy>
> </Handler>
>
> #RADSEC serverside:
> <ServerRADSEC>
>         Port                    2083
>         UseTLS
>         TLS_CAFile              %D/cert/edugain/cacert/xxxxxx.pem
>         TLS_CertificateFile     %D/cert/edugain/yyyyyy.pem
>         TLS_CertificateType     PEM
>         TLS_PrivateKeyFile      %D/cert/edugain/yyyyyy.pem
>         TLS_RequireClientCert
>         TLS_SessionResumption   0
>         Secret                  <cut>
>         Identifier              RADSEC
> </ServerRADSEC>
>
>
>
> Kind regards,
> Patrick Renkens
>   Centre for Information Services (UCI)
>   Radboud University Nijmegen, Netherlands
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
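The failure Mike describes above (a Host written as ipv6:hostname compared against a certificate issued for hostname) comes down to how the client canonicalises the configured peer name before matching it against the certificate's subjectAltName and CN. The following is an added example written for this page, not Radiator's code: it shows a verbatim comparison that fails exactly as the log does, beside a canonicaliser that strips the address-family prefix (and IPv6 brackets) before matching dNSName SANs, iPAddress SANs, or, only as a fallback, the subject CN. The PeerCert class, the function names and the sample certificate are assumptions constructed to mirror the names visible in the log.

```python
"""Peer-name canonicalisation and certificate-name matching for a RadSec
(RADIUS over TLS) client. Example code for this thread, not Radiator's;
PeerCert, the function names and SAMPLE_CERT are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    subject_cn: str
    san_dns: list = field(default_factory=list)  # subjectAltName type 2 (dNSName)
    san_uri: list = field(default_factory=list)  # subjectAltName type 6 (URI)
    san_ip: list = field(default_factory=list)   # subjectAltName type 7 (iPAddress)


# Constructed sample mirroring the certificate in the log above: CN=host, a
# dNSName 'host' and three eduGAIN URI names. Not a real certificate.
SAMPLE_CERT = PeerCert(
    subject_cn="host",
    san_dns=["host"],
    san_uri=[
        "https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:host",
        "https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:host",
        "https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office",
    ],
)

# The 'ipv4:' / 'ipv6:' prefix selects the socket family; it is not part of
# the name the peer's certificate vouches for.
_AF_PREFIX = re.compile(r"^(ipv4|ipv6):", re.IGNORECASE)


def canonicalise(configured):
    """Strip the address-family prefix and IPv6 brackets, lower-case, and drop
    a trailing dot, so 'ipv6:Host.' and 'host' compare equal."""
    name = _AF_PREFIX.sub("", configured.strip(), count=1)
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]
    return name.rstrip(".").lower()


def _dns_match(pattern, name):
    """RFC 6125-style comparison: case-insensitive, a wildcard only as the
    whole left-most label, and never matching more than one label."""
    p, n = pattern.lower(), name.lower()
    if "*" not in p:
        return p == n
    head, _, tail = p.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False
    nhead, dot, ntail = n.partition(".")
    return bool(dot) and nhead != "" and ntail == tail


def verify_peer_name(configured, cert):
    """Return (ok, reason). An IP literal is matched against iPAddress SANs;
    a host name against dNSName SANs, with the subject CN used only when the
    certificate carries no dNSName at all."""
    name = canonicalise(configured)
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(x) == ip for x in cert.san_ip):
            return True, "iPAddress SAN matched %s" % ip
        return False, "no iPAddress SAN for %s" % ip
    if cert.san_dns:
        for san in cert.san_dns:
            if _dns_match(san, name):
                return True, "dNSName SAN %r matched %r" % (san, name)
        return False, "no dNSName SAN matched %r" % name
    if _dns_match(cert.subject_cn, name):
        return True, "subject CN %r matched %r" % (cert.subject_cn, name)
    return False, "subject CN %r did not match %r" % (cert.subject_cn, name)


def verify_peer_name_verbatim(configured, cert):
    """The failing behaviour from the thread, as an illustration: the
    configured string is compared without stripping the prefix, so
    'ipv6:host' never equals the certificate's 'host'."""
    name = configured.lower()
    ok = any(_dns_match(s, name) for s in cert.san_dns) or _dns_match(cert.subject_cn, name)
    return ok, ("matched" if ok else "no certificate name equals %r" % name)


if __name__ == "__main__":
    for cfg in ("ipv6:host", "host", "IPv4:HOST"):
        print(cfg, "verbatim:", verify_peer_name_verbatim(cfg, SAMPLE_CERT)[0],
              "canonicalised:", verify_peer_name(cfg, SAMPLE_CERT)[0])
```

Two points worth keeping from this when reviewing your own RadSec configuration: the name you verify against must be the bare host name from the certificate, never the transport-annotated string from the config, and the URI SANs (type 6) in the log carry eduGAIN component identifiers rather than host names, so they are not what a dNSName comparison should consult.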