[RADIATOR] RADIATOR issue with particular attribute (NAS-IPv6-Address)

Heikki Vatiainen hvn at open.com.au
Wed Oct 9 07:24:55 CDT 2013


On 10/04/2013 12:31 AM, A.L.M.Buxey at lboro.ac.uk wrote:

> ATTRIBUTE       NAS-IPv6-Address                95      ipaddrv6
> 
> however, it appears that this attribute type (ipaddrv6) has
> some interplay problem with the server. i.e. if you have a RADIUS packet
> going through RADIATOR on a host that isn't doing IPv6 - i.e. it doesn't have
> PERL Socket6 library installed, then the 18-byte attribute is mangled
> to 2 bytes. The result of that?

Indeed, this will happen when Socket6 is not installed. There is a
WARNING logged each time when this Socket6 call is needed, but
apparently this is not enough to make sure the problem is noticed
quickly enough.

We thought about the options and the plan is to examine the IPv6
capabilities of the system at radiusd start and then select: native
Socket > Socket6 > handle as binary dictionary type.

This allows those who have Perl 5.12.0 or later to not worry about
Socket6 anymore while still allowing older systems with no Socket6 to
function without mangling messages.

The above will also apply to other related uses where socket binding
etc. is done and socket related calls are needed to handle addresses.

> other servers such as NPS will just silently 
> drop the packet (well, it logs malformed RADIUS packet but remote servers
> think server is dead). in a highly federated environment (eg eduroam)
> this leads to quite elongated/obtuse issues.

Not good, I agree.

> May I ask that this 
> handling of the packet be separated from IPv6 functionality (standard
> IPv4 servers should just pass known packets through as is....) - 
> perhaps as simple as changing the type of that attribute?

Unknowns can now pass Radiator, see the recent patch, but this was a bit
of a special case where it was thought the type could be handled when this
was not true. There will be patches soon that update this and remove the
mandatory Socket6 dependency if the system has Socket that is current
enough.

Thanks for pointing this out.
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
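
Added example, not part of the original message and not Radiator code: a check a proxy operator could run over a captured RADIUS packet to spot the mangled attribute 95 discussed above before a downstream server drops it. It assumes the 2 bytes left after the mangling are the type and length octets with an empty value; the packets and the address 2001:db8::1 are constructed samples.

```python
import ipaddress
import struct

NAS_IPV6_ADDRESS = 95  # type code from the dictionary line quoted in the thread
HEADER_LEN = 20        # code, identifier, length, 16-byte authenticator

def iter_attributes(packet):
    """Yield (type, value) for each attribute, refusing inconsistent lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad packet length field")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def check_nas_ipv6(packet):
    """Return ("ok", address) or ("malformed", reason) per attribute 95."""
    findings = []
    for atype, value in iter_attributes(packet):
        if atype != NAS_IPV6_ADDRESS:
            continue
        if len(value) == 16:
            findings.append(("ok", str(ipaddress.IPv6Address(value))))
        else:
            findings.append(("malformed",
                             f"attribute is {len(value) + 2} bytes, expected 18"))
    return findings

def build_packet(attrs):
    """Constructed Access-Request with a zero authenticator, for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 42, HEADER_LEN + len(body)) + bytes(16) + body

# Constructed samples: the same request before and after the mangling.
ADDR = ipaddress.IPv6Address("2001:db8::1").packed
GOOD = build_packet([(1, b"alice"), (NAS_IPV6_ADDRESS, ADDR)])
MANGLED = build_packet([(1, b"alice"), (NAS_IPV6_ADDRESS, b"")])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("mangled", MANGLED)):
        print(name, check_nas_ipv6(pkt))
```
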

