[RADIATOR] ipv6::: bind results in no match on IPv4 client
Hugh Irvine
hugh at open.com.au
Wed Jun 26 20:36:30 CDT 2013
Hello Jason -
According to section 5.5 in the Radiator 4.11 reference manual ("doc/ref.pdf") you need to specify both ipv6 and ipv4 like this:
BindAddress ipv6:::, 0.0.0.0
5.5 Address binding
One of the main functions of Radiator is to listen for UDP packets and TCP connections from other systems according to the Radiator configuration. The various Radiator clauses that can accept packets or connections from other systems all support the BindAddress parameter, which controls which IP addresses Radiator will listen on. IP packets sent to an IP address which is on the Radiator host, but which Radiator has not bound with BindAddress will not be received by Radiator.
The driver for this is that a single host may have multiple IP addresses, and those addresses may be IPV4, IPV6 and/or IPV4-over-IPV6. You may require Radiator to only honour requests directed to one of or a subset of the IP addresses for the host.
With BindAddress you can control which destination IP addresses Radiator will accept. You can specify one or more IPV4 or IPV6 addresses, including wildcard addresses. You can specify one or more comma separated bind addresses in the BindAddress parameter. The following forms may be used:
• 0.0.0.0 (the default) Any IPV4 address on the host
• 1.2.3.4 A specific IPV4 address on the host
• ipv6::: Any IPV6 address on the host (and this may include any IPV4-over-IPV6 address, depending on how the host is configured)
• ipv6:2001:610:148:100::31 A specific IPV6 address on the host
They may be combined in one BindAddress parameter like so:
BindAddress 0.0.0.0
BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
BindAddress ipv6:::, 0.0.0.0
Hint: Linux also has a special file to control the system wide behaviour: /proc/sys/net/ipv6/bindv6only
By default this seems to be 0. When it is 0, this will not work as expected: BindAddress ipv6:::, 0.0.0.0
But if it is set to 1, the IPV6 bind will not include the IPV4 bind and will work as expected.
Hint: In order to support IPV6 addresses, you must install the Perl Socket6 module.
regards
Hugh
On 27 Jun 2013, at 08:56, "Mueller, Jason C" <jason-mueller at uiowa.edu> wrote:
> Hello,
>
> I am using Radiator 4.11.
>
> I will show relevant portions of my config and then comment on them (IP addresses changed and Secret ***'d out to protect the guilty):
> ----------
> BindAddress ipv6:::
> AuthPort 1812
> AcctPort 1813
> # ipv6 client
> <Client ipv6:2620:0:e50:100::100>
> Secret ***
> DupInterval 0
> AddToReply Session-Timeout=0,cisco-avpair=shell:roles="network-admin"
> </Client>
> # ipv4 client
> <Client 128.255.90.90>
> Secret ***
> DupInterval 0
> AddToReply Session-Timeout=0,Filter-Id=15
> </Client>
> # ipv4 subnet
> <Client 128.255.100.0/24>
> Secret ***
> DupInterval 0
> AddToReply Session-Timeout=0,Filter-Id=10
> </Client>
> ----------
>
> When I use the "BindAddress ipv6:::" configuration parameter, neither of the IPv4 client definitions work. Radiator will give the following log message:
> Wed Jun 26 16:56:38 2013: NOTICE: Request from unknown client 128.255.90.90: ignored
>
> In the above configuration, the IPv6 client works just fine.
>
> If I add a "<Client DEFAULT>" clause when I still have the "BindAddress ipv6:::" parameter configured, the IPv4 clients that I want to match more specifically will match on the DEFAULT client stanza. I cannot have a DEFAULT client stanza in my config.
>
> Additionally, if I remove the "BindAddress ipv6:::" parameter from the config (or comment it out), then the IPv4 clients work as expected.
>
> It appears that when I enable IPv6 like above, that I lose my ability to match on more specific IPv4 client clauses, and I have to use the DEFAULT client stanza, which is not an option for me.
>
> Thoughts? Any help is appreciated.
>
> -Jason
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
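
Added example, not part of the original message and not Radiator code: the socket-level behaviour behind the bindv6only hint quoted above, using the per-socket IPV6_V6ONLY option (bindv6only only sets its default). It assumes Python 3 on a host with an IPv6 stack; the function names are hypothetical.

```python
import socket

def ipv6_available():
    """True if this host can open an IPv6 wildcard UDP socket."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.bind(("::", 0))
        return True
    except OSError:
        return False

def probe(v6only):
    """Bind UDP [::] with IPV6_V6ONLY=v6only, then test IPv4 on the same port.

    Returns (peer, v4_bind_ok). peer is the source address the IPv6 socket
    reports for an IPv4 datagram sent to 127.0.0.1, or None if the datagram
    never reaches it. v4_bind_ok says whether 0.0.0.0 could also be bound
    on that port (on Linux this usually fails while IPV6_V6ONLY is 0).
    """
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s6, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s4:
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        s6.bind(("::", 0))                      # kernel picks a free port
        port = s6.getsockname()[1]
        s6.settimeout(0.5)
        tx.sendto(b"probe", ("127.0.0.1", port))  # IPv4 sender, constructed test traffic
        try:
            peer = s6.recvfrom(64)[1][0]
        except socket.timeout:
            peer = None                         # IPv4 never reached the IPv6 socket
        try:
            s4.bind(("0.0.0.0", port))
            v4_bind_ok = True
        except OSError:
            v4_bind_ok = False
        return peer, v4_bind_ok

if __name__ == "__main__":
    if ipv6_available():
        for flag in (False, True):
            print("IPV6_V6ONLY=%d -> %r" % (flag, probe(flag)))
```

With IPV6_V6ONLY off, the IPv4 sender shows up on the IPv6 socket as an IPv4-mapped address rather than a plain IPv4 one; with it on, the two address families are independent and both wildcards can be bound side by side.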