[RADIATOR] Client definition stanza

Heikki Vatiainen hvn at open.com.au
Thu Feb 27 10:45:07 UTC 2020


On 26.2.2020 1.12, Johnson, Neil M wrote:

> Given the following stanza:
> 
> <Client 172.24.144.0/24>
>      IdenticalClients fd9a:2c75:7d0c:6400::/64
>      # LC Research Switches
>      IdenticalClients 172.24.145.0/24
>      IdenticalClients fd9a:2c75:7d0c:6600::/64
>      #
>      Identifier LC_NET_Clients
>      Secret <SECRET>
>      DupInterval 0
> </Client>
> 
> Why would connections from fd9a:2c75:7d0c:6400::1a be reported as from 
> an unknown client, but connections from fd9a:2c75:7d0c:6600::b work fine?

Jumping back to the start of this thread; your configuration is fine and 
it should work. The reason it does not is that when there are two IPv6 
address blocks, the latest overwrites the previous ones. For this reason 
client ..::b works and ::1a does not. If there had been more IPv6 
blocks, only the last one would have worked.

The manual is also correct: it's possible to have one or more 
IdenticalClients parameters with one or more addresses or address blocks 
for each parameter.

While this was tested with a mix of IdenticalClients, the tests did not 
use IdenticalClients with two IPv6 blocks. For this reason the bug was 
not detected and has been broken for the earlier versions too.

The only thing I'd remove from the above config is 'DupInterval 0'. For 
typical use the default 10 seconds is fine. Value zero was for radpwtst 
testing when radpwtst requests had identifier and other values that made 
subsequent tests look like duplicate requests. Duplicate detection has 
since version 4.0 followed RFC 5080.

In short, after the IPv6 address/mask fix, the config above should work 
fine. I'll let the list know when the fix is available.

Thanks for the report and all the debug work,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
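
An added example, not part of the original message and not Radiator's own code: a small Python model of the behaviour described above, which lists the IPv6 blocks in a Client stanza that an affected version would drop. The function names, the whitespace-only splitting of IdenticalClients values, the assumption that IPv4 blocks are unaffected, and the placeholder secret are assumptions of this sketch.

```python
import ipaddress

# Constructed copy of the stanza from the post (secret replaced by a placeholder).
STANZA = """\
<Client 172.24.144.0/24>
    IdenticalClients fd9a:2c75:7d0c:6400::/64
    # LC Research Switches
    IdenticalClients 172.24.145.0/24
    IdenticalClients fd9a:2c75:7d0c:6600::/64
    Identifier LC_NET_Clients
    Secret PLACEHOLDER
</Client>
"""

def parse_blocks(stanza):
    """Return every network named by the <Client ...> line and IdenticalClients."""
    nets = []
    for line in stanza.splitlines():
        words = line.strip().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "<Client":
            nets.append(ipaddress.ip_network(words[1].rstrip(">"), strict=False))
        elif words[0] == "IdenticalClients":
            nets += [ipaddress.ip_network(w, strict=False) for w in words[1:]]
    return nets

def shadowed_ipv6(nets):
    """IPv6 blocks an affected version would silently drop (all but the last)."""
    return [n for n in nets if n.version == 6][:-1]

def effective_blocks(nets, buggy):
    """Model of the report: with buggy=True only the last IPv6 block survives.
    IPv4 blocks are assumed unaffected. buggy=False keeps every block."""
    if not buggy:
        return list(nets)
    dropped = shadowed_ipv6(nets)
    return [n for n in nets if n not in dropped]

def is_known_client(addr, blocks):
    """True if the source address falls inside any configured block."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in blocks)

if __name__ == "__main__":
    nets = parse_blocks(STANZA)
    print("dropped by affected versions:", [str(n) for n in shadowed_ipv6(nets)])
    for src in ("fd9a:2c75:7d0c:6400::1a", "fd9a:2c75:7d0c:6600::b"):
        print(src, "known (buggy):", is_known_client(src, effective_blocks(nets, True)),
              "known (fixed):", is_known_client(src, effective_blocks(nets, False)))
```

Running the same check over each Client stanza in a configuration shows which IPv6 sources would be rejected as unknown clients until the fix is installed.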

