[RADIATOR] [External] Re: Client definition stanza

Johnson, Neil M neil-johnson at uiowa.edu
Fri Feb 28 19:59:30 UTC 2020


Thanks!

--
Neil Johnson
319 384-0938
neil-johnson at uiowa.edu


From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Date: Thursday, February 27, 2020 at 4:46 AM
To: "radiator at lists.open.com.au" <radiator at lists.open.com.au>
Subject: [External] Re: [RADIATOR] Client definition stanza

On 26.2.2020 1.12, Johnson, Neil M wrote:

> Given the following stanza:
> <Client 172.24.144.0/24>
>       IdenticalClients fd9a:2c75:7d0c:6400::/64
>       # LC Research Switches
>       IdenticalClients 172.24.145.0/24
>       IdenticalClients fd9a:2c75:7d0c:6600::/64
>       #
>       Identifier LC_NET_Clients
>       Secret <SECRET>
>       DupInterval 0
> </Client>
> Why would connections from fd9a:2c75:7d0c:6400::1a be reported as from
> an unknown client, but connections from fd9a:2c75:7d0c:6600::b work fine?

Jumping back to the start of this thread; your configuration is fine and
it should work. The reason it does not is that when there are two IPv6
address blocks, the latest overwrites the previous ones. For this reason
client ..::b works and ::1a does not. If there had been more IPv6
blocks, only the last one would have worked.

The manual is also correct: it's possible to have one or more
IdenticalClients parameters with one or more address or address blocks
for each parameter.

While this was tested with a mix of IdenticalClients, the tests did not
use IdenticalClients with two IPv6 blocks. For this reason the bug was
not detected and has been broken for the earlier versions too.

The only thing I'd remove from the above config is 'DupInterval 0'. For
typical use the default 10 seconds is fine. Value zero was for radpwtst
testing when radpwtst requests had identifier and other values that made
subsequent tests look like duplicate requests. Duplicate detection has
since version 4.0 followed RFC 5080.

In short, after the IPv6 address/mask fix, the config above should work
fine. I'll let the list know when the fix is available.

Thanks for the report and all the debug work,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
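To make the failure mode Heikki describes concrete, here is an added example that is not Radiator's code and does not reproduce its Perl internals; it is a simplified Python model of the stanza from the thread with two lookups, one that keeps only a single IdenticalClients network per address family (the overwrite behaviour reported), and one that keeps every network (the intended behaviour).

```python
# Added illustration, not Radiator's code: a toy parser for the Client stanza
# quoted in the thread and two lookup routines that differ only in whether
# every IdenticalClients network is kept. The single-slot-per-family model of
# the bug is an assumption made for illustration, not Radiator's real mechanism.
import ipaddress

# Constructed copy of the stanza from the thread (secret redacted as in the mail).
STANZA = """<Client 172.24.144.0/24>
    IdenticalClients fd9a:2c75:7d0c:6400::/64
    # LC Research Switches
    IdenticalClients 172.24.145.0/24
    IdenticalClients fd9a:2c75:7d0c:6600::/64
    Identifier LC_NET_Clients
    Secret <SECRET>
</Client>"""


def parse_stanza(stanza):
    """Return (primary Client network, IdenticalClients networks in config order)."""
    primary, identical = None, []
    for raw in stanza.splitlines():
        line = raw.strip()
        if line.startswith("<Client "):
            primary = ipaddress.ip_network(line[len("<Client "):].rstrip(">"), strict=False)
        elif line.startswith("IdenticalClients "):
            # One parameter may carry several addresses or blocks, as the manual allows.
            identical.extend(ipaddress.ip_network(i, strict=False) for i in line.split()[1:])
    return primary, identical


def lookup_buggy(stanza, addr):
    """Models the reported bug: only the last IdenticalClients network of each
    address family survives, so the earlier IPv6 block is silently lost."""
    primary, identical = parse_stanza(stanza)
    ip = ipaddress.ip_address(addr)
    last = {net.version: net for net in identical}  # later entries overwrite earlier ones
    return ip in primary or (ip.version in last and ip in last[ip.version])


def lookup_fixed(stanza, addr):
    """Intended behaviour: every IdenticalClients network is kept and checked."""
    primary, identical = parse_stanza(stanza)
    ip = ipaddress.ip_address(addr)
    return ip in primary or any(ip in net for net in identical)
```

With the buggy lookup, fd9a:2c75:7d0c:6600::b is accepted but fd9a:2c75:7d0c:6400::1a is treated as an unknown client, exactly the symptom in the thread; the fixed lookup accepts both.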