Failure authenticate using IPv6

Stefan Winter stefan.winter at restena.lu
Fri May 24 06:18:50 CEST 2013


Hi,

it's a very bad idea to use link-local addresses. You should use a 
global or ULA address instead.

I don't *know* why this doesn't work, but it does with our global-scope 
addresses just fine, so I'm guessing it's the address type.

Especially since link-local addresses are only valid with an interface 
scope. So

"fe80::215:17ff:fed0:d278"

simply isn't an IPv6 address.

"fe80::215:17ff:fed0:d278%eth0"

is the valid address. I don't know if the FreeRADIUS address parser is 
prepared to handle such interface-scoped addresses. There's not much use 
case for this.

Greetings,

Stefan Winter

On 23.05.13 16:11, Michael Sherman wrote:
>> what does this do...
>>
>> client fe80::215:17ff:fed0:d278 {
>> 		secret = test
>> 		shortname = test-net
>> 		nastype = other
>> }
>>
>> ... ?
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> Same :(
>
>
> radiusd: #### Loading Clients ####
>   client 127.0.0.1 {
>          require_message_authenticator = no
>          secret = "testing123"
>          shortname = "localhost"
>          nastype = "other"
>   }
>   client 10.10.0.0/16 {
>          require_message_authenticator = no
>          secret = "bigsecret"
>          shortname = "test-net"
>   }
>   client fe80::215:17ff:fed0:d278 {
>          require_message_authenticator = no
>          secret = "bigsecret"
>          shortname = "test-net"
>          nastype = "other"
>   }
> ...
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>          type = "auth"
>          ipv6addr = :: IPv6 address [::]
>          port = 0
> }
> listen {
>          type = "acct"
>          ipv6addr = :: IPv6 address [::]
>          port = 0
> }
> listen {
>          type = "control"
>   listen {
>          socket = "/usr/local/var/run/radiusd/radiusd.sock"
>   }
> }
> listen {
>          type = "auth"
>          ipaddr = 127.0.0.1
>          port = 18120
> }
>   ... adding new socket proxy address * port 54225
> Listening on authentication address :: port 1812
> Listening on accounting address :: port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address :: port 1814
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown
> client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown
> client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown
> client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
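
An added example (not part of the original messages and not FreeRADIUS code): a small Python check that reads `client <address> {` blocks like the ones quoted above and flags link-local addresses written without an interface scope. The sample configuration, the placeholder secrets and the `fd12:3456:789a::10` ULA are constructed, and only the address-in-block-name form shown in the thread is handled.

```python
import ipaddress
import re

# Constructed sample modelled on the client blocks in the thread.
SAMPLE_CLIENTS_CONF = """
client 127.0.0.1 {
    secret = placeholder
}
client 10.10.0.0/16 {
    secret = placeholder
}
client fe80::215:17ff:fed0:d278 {
    secret = placeholder
}
client fe80::215:17ff:fed0:d278%eth0 {
    secret = placeholder
}
client fd12:3456:789a::10 {
    secret = placeholder
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")

def classify(spec):
    """Return a label for one client address or prefix."""
    addr, _, zone = spec.partition("%")  # split off an interface scope, if any
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return "not-an-ip-literal"       # e.g. a hostname or a short name
    if net.version == 4:
        return "ipv4"
    if net.subnet_of(LINK_LOCAL):
        return "link-local-scoped" if zone else "link-local-unscoped"
    if net.subnet_of(ULA):
        return "ula"
    return "ipv6-other"

def audit(conf_text):
    """Map each client address in conf_text to its classification."""
    return {spec: classify(spec) for spec in CLIENT_RE.findall(conf_text)}

if __name__ == "__main__":
    for spec, label in audit(SAMPLE_CLIENTS_CONF).items():
        print(f"{label:22} {spec}")
```

Entries reported as `link-local-unscoped` are the ones to replace with a global or ULA address, as the reply recommends.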


