NAS-IP(v6)-Address = Packet-Src-IP(v6)-Address
Hi, Since lighting up IPv6 on our FreeRADIUS infrastructure, I have noticed behaviour that seems to result in the following logic kicking off: ---- authorize { ... update request { NAS-IPv6-Address = Packet-Src-IPv6-Address NAS-IP-Address = Packet-Src-IP-Address } ... } ----- So, when NAS-IP(v6)-Address already exists, nothing happens, however if it does, then it an attribute with the contents of Packet-Src-IP(v6)-Address is added; obviously depending on the socket type the packet arrives over so I am guessing in practice you probably really only see this when communicating with IPv6 proxies? The problem is, I have not added this type of thing to my config. Checking the raw packet captures show that the client is not setting NAS-IPv6-Address but by the time I sql log it in post-auth, it's there, set to Packet-Src-IPv6-Address :-/ Idea's and suggestions would be much obliged, comments regarding my use of NAS-(IP(v6)?-Address|Identifier) to /dev/null though, unless you have a better suggestion? ;) Cheers ---- dot1x related virtual servers ---- listen { type = auth port = 1812 ipv6addr = :: clients = dot1x } listen { type = auth port = 1812 ipaddr = * clients = dot1x } listen { type = acct port = 1813 ipv6addr = :: clients = dot1x } listen { type = acct port = 1813 ipaddr = * clients = dot1x } server lanwarden { .... } server eduroam { authorize { preprocess testers # braindead JANET PAP test hook if ((Hint) && Hint == test && !(EAP-Message)) { update control { Proxy-To-Realm := "auth.virtual" } handled } if (!(Hint) || Hint != test) { # detail.eduroam attr_filter.eduroam-auth } rewrite.called_station_id rewrite.calling_station_id client-info # let people know *which* box did the auth update reply { NAS-Identifier := "%{config:local.MY.hostname}" NAS-IP-Address := "%{config:local.MY.addr.v4}" NAS-IPv6-Address := "%{config:local.MY.addr.v6}" } # Reject EAP-less authentications if (!(EAP-Message)) { update reply { Reply-Message := "We only accept EAP requests" } reject } # Reject Calling-Station-Id-less authentications if (!(Calling-Station-Id)) { update reply { Reply-Message := "No Calling-Station-Id" } reject } if (!(User-Name)) { update reply { Reply-Message := "No User-Name" } reject } validate_username suffix # Reject realm's authentications that are not for us early if (Realm != "%{config:local.MY.realm}") { update reply { Reply-Message := "Not @%{config:local.MY.realm} User-Name" } reject } EAP { ok = return } ldap-lanwarden if (ok) { if (control:LanWarden-Host-State != "enable") { update reply { Reply-Message := "LW: disabled" } reject } # if ((EAP-Message)) { # cache_ldap-userdn # } } Autz-Type Status-Server { ok } } authenticate { Auth-Type EAP { EAP } } post-auth { Post-Auth-Type Reject { sql.dot1x attr_filter.access_reject eap-has-no-reply-message # detail.eduroam } # if ((EAP-Message) && !(Ldap-UserDn)) { # cache_ldap-userdn # } if (!(Hint) || Hint != test) { sql.dot1x } update reply { User-Name !* ANY } attr_filter.eduroam-auth eap-has-no-reply-message # if (!(Hint) || Hint != test) { # detail.eduroam # } } preacct { preprocess suffix } accounting { # detail.eduroam attr_filter.eduroam-acct rewrite.called_station_id rewrite.calling_station_id # Reject Calling-Station-Id-less authentications if (!(Calling-Station-Id)) { update reply { Reply-Message := "No Calling-Station-Id" } reject } if (!(User-Name)) { update reply { Reply-Message := "No User-Name" } reject } validate_username # Reject realm's authentications that are not for us early if (Realm != "%{config:local.MY.realm}") { update reply { Reply-Message := "Not @%{config:local.MY.realm} User-Name" } reject } detail.dot1x.acct } session { ok } } --------------------- ---- policy.conf ---- policy { mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) rewrite.called_station_id { if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID componment? if ("%{7}") { update request { Called-Station-Id := "%{request:Called-Station-Id}%{7}" } } updated } else { noop } } rewrite.calling_station_id { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } update control { Local-MAC-Address := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}" } updated } else { noop } } rewrite.quirk.wlc { if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") { switch "%{Airespace-Wlan-Id}" { case "1" { update request { NAS-Port-Id := "eduroam" } } case "5" { update request { NAS-Port-Id := "UTILICOM" } } case "6" { update request { NAS-Port-Id := "BTOpenzone" } } case "7" { update request { NAS-Port-Id := "soas-wpa-psk" } } case { update request { NAS-Port-Id := "UNKNOWN" } } } if (Packet-Type == "Accounting-Request") { update request { NAS-Port-Type := "Wireless-802.11" Called-Station-Id := "%{Called-Station-Id}:%{NAS-Port-Id}" } switch "%{Tunnel-Private-Group-Id}" { case "140" { update request { Tunnel-Private-Group-Id := "btopenzone" } } case "128" { update request { Tunnel-Private-Group-Id := "eduroam" } } case "127" { update request { Tunnel-Private-Group-Id := "unauthorised" } } case "72" { update request { Tunnel-Private-Group-Id := "users-unmanaged" } } case "153" { update request { Tunnel-Private-Group-Id := "utilicom" } } case { update request { Tunnel-Private-Group-Id := "UNKNOWN" } } } } updated } else { noop } } validate_username { if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) { ok } elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) { ok } else { update reply { Reply-Message := "Invalid User-Name Syntax" } reject } } ldap-login { redundant-load-balance { ldap_login1 { $template ldap-failover } ldap_login2 { $template ldap-failover } } } ldap-lanwarden { redundant-load-balance { ldap_lanwarden1 { $template ldap-failover } ldap_lanwarden2 { $template ldap-failover } } } # RFC compliance eap-has-no-reply-message { if ((reply:EAP-Message)) { update reply { Reply-Message !* ANY } } } mac_auth { if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \ && Service-Type == Call-Check \ && User-Name == "%{User-Password}" \ && User-Name =~ /^[0-9a-f]{12}$/i \ && Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i \ && User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) { ok } else { noop } } lanwarden_vlan1 { update control { Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" } if ((control:Tunnel-Private-Group-Id)) { ok } else { fail } } lanwarden_vlan2 { update control { Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" } if ((control:Tunnel-Private-Group-Id)) { ok } else { fail } } lanwarden_vlan { if ((control:Ldap-UserDn)) { redundant-load-balance { lanwarden_vlan1 lanwarden_vlan2 } if (ok && control:Tunnel-Private-Group-Id != "") { update reply { Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}" } } else { noop } } else { noop } } client-info { if ((client:shortname)) { update request { NAS-Identifier := "%{client:shortname}" } } if ((client:vendor)) { update request { Huntgroup-Name := "%{client:vendor}" } } } testers { if ((User-Name == "testauth@soas.ac.uk" \ && NAS-IP-Address == 193.60.199.62 \ && NAS-Port == 1812) \ || (Connect-Info == "JANET Roaming test" \ && NAS-IP-Address == 127.0.0.1 \ && Calling-Station-Id == "02-00-00-00-00-01" \ && NAS-Port-Type == Wireless-802.11)) { update request { Hint := test Cleartext-Password := "%{config:local.test.password}" } } } } --------------------- ----- debug -X ------ rad_recv: Access-Request packet from host 2001:630:1:129::249 port 63536, id=88, length=212 User-Name = "foobar@soas.ac.uk" NAS-IP-Address = 10.6.0.12 NAS-Port = 2 NAS-Identifier = "10.6.0.11" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "001122334455" Called-Station-Id = "554433221100" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020900061500 State = 0xd53f4a5ed2365f22247722c7299e5713 Vendor-14823-Attr-5 = 0x656475726f616d Vendor-14823-Attr-6 = 0x426564666f7264537175617265415033 Message-Authenticator = 0x26f56bb65ab36c9e1e997b7abd6ff3a9 Proxy-State = 0x4f53432d457874656e6465642d49643d363030 server eduroam { # Executing section authorize from file /etc/freeradius/sites-enabled/dot1x +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy testers {...} +++? if ((User-Name == "testauth@soas.ac.uk" && NAS-IP-Address == 193.60.199.62 && NAS-Port == 1812) || (Connect-Info == "JANET Roaming test" && NAS-IP-Address == 127.0.0.1 && Calling-Station-Id == "02-00-00-00-00-01" && NAS-Port-Type == Wireless-802.11)) ?? Evaluating (User-Name == "testauth@soas.ac.uk" ) -> FALSE ?? Skipping (NAS-IP-Address == 193.60.199.62 ) ?? Skipping (NAS-Port == 1812) (Attribute Connect-Info was not found) ?? Evaluating (Connect-Info == "JANET Roaming test" ) -> FALSE ?? Skipping (NAS-IP-Address == 127.0.0.1 ) ?? Skipping (Calling-Station-Id == "02-00-00-00-00-01" ) ?? Skipping (NAS-Port-Type == Wireless-802.11) +++? if ((User-Name == "testauth@soas.ac.uk" && NAS-IP-Address == 193.60.199.62 && NAS-Port == 1812) || (Connect-Info == "JANET Roaming test" && NAS-IP-Address == 127.0.0.1 && Calling-Station-Id == "02-00-00-00-00-01" && NAS-Port-Type == Wireless-802.11)) -> FALSE ++- policy testers returns ok ++? if ((Hint) && Hint == test && !(EAP-Message)) ?? Evaluating (Hint) -> FALSE ? Skipping (Hint == test ) ?? Skipping (EAP-Message) ++? if ((Hint) && Hint == test && !(EAP-Message)) -> FALSE ++? if (!(Hint) || Hint != test) ?? Evaluating (Hint) -> FALSE ? Converting !FALSE -> TRUE ? Skipping (Hint != test) ++? if (!(Hint) || Hint != test) -> TRUE ++- entering if (!(Hint) || Hint != test) {...} [attr_filter.eduroam-auth] expand: %{Realm} -> +++[attr_filter.eduroam-auth] returns noop ++- if (!(Hint) || Hint != test) returns noop ++- entering policy rewrite.called_station_id {...} +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) ?? Evaluating (Called-Station-Id) -> TRUE expand: %{Called-Station-Id} -> 554433221100 expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$ ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE +++- entering if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {...} expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 55-44-33-22-11-00 expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 55-44-33-22-11-00 ++++[request] returns noop ++++? if ("%{7}") expand: %{7} -> ? Evaluating ("%{7}") -> FALSE ++++? if ("%{7}") -> FALSE ++++[updated] returns updated +++- if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) returns updated +++ ... skipping else for request 105: Preceding "if" was taken ++- policy rewrite.called_station_id returns updated ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> 001122334455 expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 00-11-22-33-44-55 expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 00-11-22-33-44-55 ++++[request] returns updated expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001122334455 expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> 001122334455 ++++[control] returns updated ++++[updated] returns updated +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 105: Preceding "if" was taken ++- policy rewrite.calling_station_id returns updated ++- entering policy client-info {...} +++? if ((client:shortname)) ?? Evaluating (client:shortname) -> TRUE +++? if ((client:shortname)) -> TRUE +++- entering if ((client:shortname)) {...} expand: %{client:shortname} -> jrs.2.v6 ++++[request] returns updated +++- if ((client:shortname)) returns updated +++? if ((client:vendor)) ?? Evaluating (client:vendor) -> TRUE +++? if ((client:vendor)) -> TRUE +++- entering if ((client:vendor)) {...} expand: %{client:vendor} -> ++++[request] returns updated +++- if ((client:vendor)) returns updated ++- policy client-info returns updated expand: local.MY.hostname -> local.MY.hostname expand: %{config:local.MY.hostname} -> chlorine.it.soas.ac.uk expand: local.MY.addr.v4 -> local.MY.addr.v4 expand: %{config:local.MY.addr.v4} -> 212.219.238.70 expand: local.MY.addr.v6 -> local.MY.addr.v6 expand: %{config:local.MY.addr.v6} -> 2001:630:1b:6003:90c0:802a:d873:c284 ++[reply] returns updated ++? if (!(EAP-Message)) ?? Evaluating (EAP-Message) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(EAP-Message)) -> FALSE ++? if (!(Calling-Station-Id)) ?? Evaluating (Calling-Station-Id) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(Calling-Station-Id)) -> FALSE ++? if (!(User-Name)) ?? Evaluating (User-Name) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name)) -> FALSE ++- entering policy validate_username {...} +++? if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) ? Evaluating (User-Name !~ /@/) -> FALSE ? Skipping (User-Name =~ /^[[:graph:]]+$/) +++? if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) -> FALSE +++? elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) ? Evaluating (User-Name !~ /@.*@/) -> TRUE ? Evaluating (User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) -> TRUE +++? elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) -> TRUE +++- entering elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) {...} ++++[ok] returns ok +++- elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) returns ok +++ ... skipping else for request 105: Preceding "if" was taken ++- policy validate_username returns ok [suffix] Looking up realm "soas.ac.uk" for User-Name = "foobar@soas.ac.uk" [suffix] Found realm "soas.ac.uk" [suffix] Adding Stripped-User-Name = "foobar" [suffix] Adding Realm = "soas.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++? if (Realm != "%{config:local.MY.realm}") expand: local.MY.realm -> local.MY.realm expand: %{config:local.MY.realm} -> soas.ac.uk ? Evaluating (Realm != "%{config:local.MY.realm}") -> FALSE ++? if (Realm != "%{config:local.MY.realm}") -> FALSE [EAP] EAP packet type response id 9 length 6 [EAP] Continuing tunnel setup. ++[EAP] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/dot1x +- entering group EAP {...} [EAP] Request found, released from the list [EAP] EAP/ttls [EAP] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept User-Name = "foobar@soas.ac.uk" Auth-Type = MSCHAP [ttls] Saving response in the cache [EAP] Freeing handler ++[EAP] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/dot1x +- entering group post-auth {...} ++? if (!(Hint) || Hint != test) ?? Evaluating (Hint) -> FALSE ? Converting !FALSE -> TRUE ? Skipping (Hint != test) ++? if (!(Hint) || Hint != test) -> TRUE ++- entering if (!(Hint) || Hint != test) {...} [sql.dot1x] expand: %{reply:User-Name} -> foobar@soas.ac.uk [sql.dot1x] expand: %{%{reply:User-Name}:-%{request:User-Name}} -> foobar@soas.ac.uk [sql.dot1x] sql_set_user escaped user --> 'foobar@soas.ac.uk' [sql.dot1x] expand: %{request:Packet-Src-IPv6-Address} -> 2001:630:1:129::249 [sql.dot1x] expand: %{NAS-Port} -> 2 [sql.dot1x] expand: %{reply:Auth-Type} -> MSCHAP [sql.dot1x] expand: INSERT INTO dot1x_auth ( timestamp, packet_src_address, user_name, realm, operator_name, nas_ip_address, nas_ipv6_address, nas_identifier, nas_port, nas_port_type, nas_port_id, called_station_id, calling_station_id, packet_type, eap_type, auth_type, tunnel_private_group_id, reply_message ) VALUES ( '%S'::timestamp, '%{%{request:Packet-Src-IPv6-Address}:-%{request:Packet-Src-IP-Address}}', '%{SQL-User-Name}', '%{request:Realm}', NULLIF('%{request:Operator-Name}', ''), NULLIF('%{request:NAS-IP-Address}', '')::inet, NULLIF('%{request:NAS-IPv6-Address}', '')::inet, '%{request:NAS-Identifier}', %{%{NAS-Port}:-NULL}::integer, '%{request:NAS-Port-Type}', NULLIF('%{request:NAS-Port-Id}',''), lower('%{request:Called-Station-Id}'), lower('%{request:Calling-Station-Id}'), '%{reply:Packet-Type}', '%{EAP-Type}', '%{%{reply:Auth-Type}:-%{control:Auth-Type}}', '%{reply:Tunnel-Private-Group-Id}', '%{reply:Reply-Message}' ) -> INSERT INTO! dot1x_auth ( timestamp, packet rlm_sql (sql.dot1x) in sql_postauth: query is INSERT INTO dot1x_auth ( timestamp, packet_src_address, user_name, realm, operator_name, nas_ip_address, nas_ipv6_address, nas_identifier, nas_port, nas_port_type, nas_port_id, called_station_id, calling_station_id, packet_type, eap_type, auth_type, tunnel_private_group_id, reply_message ) VALUES ( '2010-12-13 19:58:37'::timestamp, '2001:630:1:129::249', 'foobar@soas.ac.uk', 'soas.ac.uk', NULLIF('', ''), NULLIF('10.6.0.12', '')::inet, NULLIF('2001:630:1:129::249', '')::inet, 'jrs.2.v6', 2::integer, 'Wireless-802.11', NULLIF('',''), lower('55-44-33-22-11-00'), lower('00-11-22-33-44-55'), 'Access-Accept', 'EAP-TTLS', 'MSCHAP', '', '' ) rlm_sql (sql.dot1x): Reserving sql socket id: 4 rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 rlm_sql (sql.dot1x): Released sql socket id: 4 +++[sql.dot1x] returns ok ++- if (!(Hint) || Hint != test) returns ok ++[reply] returns ok [attr_filter.eduroam-auth] expand: %{Realm} -> soas.ac.uk attr_filter: Matched entry DEFAULT at line 1 ++[attr_filter.eduroam-auth] returns updated ++- entering policy eap-has-no-reply-message {...} +++? if ((reply:EAP-Message)) ?? Evaluating (reply:EAP-Message) -> TRUE +++? if ((reply:EAP-Message)) -> TRUE +++- entering if ((reply:EAP-Message)) {...} ++++[reply] returns updated +++- if ((reply:EAP-Message)) returns updated ++- policy eap-has-no-reply-message returns updated } # server eduroam Sending Access-Accept of id 88 to 2001:630:1:129::249 port 63536 NAS-IP-Address = 212.219.238.70 NAS-IPv6-Address = 2001:630:1b:6003:90c0:802a:d873:c284 MS-MPPE-Recv-Key = 0xfc5dc29f224e5ee815ece548d5df7442e12427c0b0bb8a8dc12ad8c16aeef0e8 MS-MPPE-Send-Key = 0xd092db1e188db46ba35491c99a7f0f9634b3de43e992a4fa3b56f64e75a3eaa1 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x4f53432d457874656e6465642d49643d363030 Finished request 105. Going to the next request --------------------- -- Alexander Clouter .sigmonster says: Bo Derek ruined my life!
Hi, suggest you read the mailing list archives....theres a post related to this particular attrbute - as I had an issue with the default config which does nasty things when theres no NAS IP address - ie if the packet comes from an IPv6 NAS or proxy - basically, the unique key and the detail logs etc, by default use the NAS address as part of the hash or file path - which means that the radacct files end up all in one file in top directory of logging when source if from an IPv6. Alan pointed out what could be done regarding unlang and dealing with checking for the IPv6 attributes...which the code, indeed creates for you. very handy! ..so...someone else starting to use IPv6 properly? ;-) alan
Alexander Clouter wrote:
So, when NAS-IP(v6)-Address already exists, nothing happens, however if it does, then it an attribute with the contents of Packet-Src-IP(v6)-Address is added; obviously depending on the socket type the packet arrives over so I am guessing in practice you probably really only see this when communicating with IPv6 proxies? The problem is, I have not added this type of thing to my config.
The "preprocess" module does this. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Alexander Clouter