[RADIATOR] ipv6::: bind results in no match on IPv4 client

Heikki Vatiainen hvn at open.com.au
Thu Jun 27 16:36:13 CDT 2013


On 06/28/2013 12:01 AM, Christopher Bongaarts wrote:
> On 6/27/2013 3:01 PM, Mueller, Jason C wrote:
>> Quick summary again, when using ipv6::: and bindv6only set to 0:
>> * Both IPv4 and IPv6 traffic gets to Radiator
>> * IPv6 works with everything I have tried
>> * IPv4 clients will not match on the proper client stanza, only the DEFAULT client stanza
> 
> Perhaps in this situation you need to use the IPv6-formatted IPv4
> addresses instead?  e.g. |::ffff:127.0.0.1|

I agree this solves it. Since the socket is an IPv6 socket, the
addresses will be IPv6 addresses too even if they were in IPv4
packets on the wire.

You can use e.g. a hook like this to do some debugging:

ClientHook sub { my $p = ${$_[0]}; \
    my ($client_port, $client_addr) = Radius::Util::unpack_sockaddr_in($p->{RecvFrom}); \
    main::log($main::LOG_DEBUG, "client_addr: " . Radius::AttrVal::pclean($client_addr)); \
}

When BindAddress is set to ipv6::: and a request comes in from the IPv4
address 172.20.3.170, you'll get this in the logs:

DEBUG: client_addr:
<0><0><0><0><0><0><0><0><0><0><255><255><172><20><3><170>

When BindAddress is commented out and defaults to IPv4 0.0.0.0, you'll
get this in the logs when using the same client 172.20.3.170:

DEBUG: client_addr: <172><20><3><170>

The former needs:
<Client ipv6:::ffff:172.20.3.170>

and the latter can be caught with

<Client 172.20.3.170>


Using the config below, the requests from 127.0.0.1 and 172.20.3.170 hit
different Client clauses depending on the BindAddress value being
ipv6::: or 0.0.0.0.

As mentioned before, this is only the case with IPv6 wildcard binding.
If the address is not a wildcard, the IPv4 requests will never pop up
from that listen socket.

<Client ipv6:::ffff:172.20.3.170>
        Identifier ipv6-mapped-ipv4-172.20.3.170
        Secret  mysecret
        DupInterval 0
</Client>

<Client 172.20.3.170>
        Identifier ipv4-172.20.3.170
        Secret  mysecret
        DupInterval 0
</Client>

<Client 127.0.0.1>
        Identifier ipv4-loopback
        Secret  mysecret
        DupInterval 0
</Client>

<Client ipv6:::ffff:127.0.0.1>
        Identifier ipv6-mapped-ipv4-loopback
        Secret  mysecret
        DupInterval 0
</Client>

<Client DEFAULT>
        Identifier default-client
        Secret mysecret
        DupInterval 0
</Client>

# The Reply-Message will show which client clause was selected
<Handler>
        <AuthBy FILE>
                Filename        %D/users
                AddToReply Reply-Message=%{Client:Identifier}
        </AuthBy>
</Handler>



-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
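An added example, not part of the post above and not Radiator's own code: it shows what the IPv4 client's address looks like on an IPv6 wildcard socket (the IPv4-mapped form ::ffff:a.b.c.d) versus an IPv4 socket, reproduces the `<n>` per-byte log rendering from the thread, and resolves a client table keyed the way the `<Client ...>` stanzas above are spelled. The packed addresses are constructed from the two DEBUG lines in the post; `candidate_client_keys`, `match_client`, the `CLIENTS` dict and `live_probe` are hypothetical helpers written for this example, not Radiator's matching logic, and `live_probe` returns None on hosts without dual-stack IPv6.

```python
"""Added example (not Radiator code): IPv4 clients seen through an IPv6
wildcard socket arrive as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
A <Client> table keyed on plain IPv4 strings therefore misses them and
falls through to DEFAULT unless the mapped spelling is present too."""
import ipaddress
import socket

# Constructed from the DEBUG lines in the post: the same client
# 172.20.3.170 as reported by an IPv6 wildcard socket (16 bytes,
# IPv4-mapped) and by an IPv4 socket (4 bytes).
MAPPED_ADDR = bytes([0] * 10 + [255, 255, 172, 20, 3, 170])
PLAIN_ADDR = bytes([172, 20, 3, 170])

# Hypothetical client table mirroring the <Client> stanzas in the post:
# key is the address as written in the stanza, value is the Identifier.
CLIENTS = {
    "ipv6:::ffff:172.20.3.170": "ipv6-mapped-ipv4-172.20.3.170",
    "172.20.3.170": "ipv4-172.20.3.170",
    "127.0.0.1": "ipv4-loopback",
    "ipv6:::ffff:127.0.0.1": "ipv6-mapped-ipv4-loopback",
    "DEFAULT": "default-client",
}


def pclean(raw: bytes) -> str:
    """Render packed bytes as <n><n>... like the DEBUG lines in the post."""
    return "".join(f"<{b}>" for b in raw)


def unpack_addr(raw: bytes):
    """Turn a packed address (4 or 16 bytes) into an ipaddress object."""
    if len(raw) == 4:
        return ipaddress.IPv4Address(raw)
    if len(raw) == 16:
        return ipaddress.IPv6Address(raw)
    raise ValueError(f"unexpected packed address length {len(raw)}")


def candidate_client_keys(raw: bytes) -> list:
    """Keys, in <Client ...> spelling, this packed address could match.

    The first key is the exact form the socket reports. For an
    IPv4-mapped IPv6 address a second key with the plain IPv4 spelling
    is added, so a caller can choose to accept a single IPv4 stanza for
    both socket types."""
    addr = unpack_addr(raw)
    if isinstance(addr, ipaddress.IPv4Address):
        return [str(addr)]
    v4 = addr.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None
    if v4 is None:
        return [f"ipv6:{addr}"]
    # Spelled explicitly rather than via str(addr): Python versions differ
    # in whether they print mapped addresses in hex or dotted-quad form.
    return [f"ipv6:::ffff:{v4}", str(v4)]


def match_client(raw: bytes, clients: dict, strict: bool = True) -> str:
    """Return the Identifier of the stanza a request from `raw` selects.

    strict=True reproduces the behaviour described in the post: only the
    spelling the socket reports is tried, so a mapped address needs its
    own ipv6:::ffff: stanza or it falls through to DEFAULT.
    strict=False also tries the plain IPv4 key for mapped addresses."""
    keys = candidate_client_keys(raw)
    if strict:
        keys = keys[:1]
    for key in keys:
        if key in clients:
            return clients[key]
    return clients.get("DEFAULT", "")


def live_probe(port: int = 0):
    """Optional: observe the mapped form on a real dual-stack UDP socket.

    Binds :: with IPV6_V6ONLY=0, sends one datagram to it from an IPv4
    loopback socket and returns the peer address string the IPv6 socket
    reports (expected '::ffff:127.0.0.1'). Returns None where the host
    has no IPv6 or dual-stack sockets are disabled (bindv6only=1)."""
    srv = cli = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", port))
        srv.settimeout(2)
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli.sendto(b"ping", ("127.0.0.1", srv.getsockname()[1]))
        _, peer = srv.recvfrom(64)
        return peer[0]
    except OSError:
        return None
    finally:
        for s in (srv, cli):
            if s is not None:
                s.close()


if __name__ == "__main__":
    for raw in (MAPPED_ADDR, PLAIN_ADDR):
        print(pclean(raw), "->", candidate_client_keys(raw),
              "->", match_client(raw, CLIENTS))
    print("live dual-stack probe:", live_probe())
```

Running the script prints the two `<n>` renderings from the post next to the stanza each one selects; with an IPv4-only table the mapped address lands on DEFAULT in strict mode, which is exactly the symptom reported in the thread.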

