FreeRadius + FreeBSD + ipv6
Johann Hugo
jhugo at meraka.csir.co.za
Mon Dec 6 10:01:09 CET 2010
Hi
I'm busy with a FreeRadius Eduroam setup, but it only works with ipv4 and not
with ipv6.
My Setup:
wifi-client <--> my-FreeRadius-proxy <---> eduroam-proxy <---> remote-site
My server:
FreeBSD 8.1-STABLE with freeradius-2.1.10_1 that was built from the ports,
with ipv6 enabled.
Here is a list of things that I've noticed when I run radiusd -X
Regards
Johann
------------------------------------------------------------------------------------------------------------
1) FreeRadius with only an ipv4 listen section in radiusd.conf. (no ipv6)
#listen {
# type = auth
# ipv6addr = ::
# port = 0
#}
ganymede# sockstat | grep 1812
freeradius radiusd 61076 5 udp4 *:1812 *:*
FreeRadius tries to send Access-Request packets to the ipv6 address of the
eduroam-proxy-server (eduroam0.sanren.ac.za) when I use its dns name in proxy.conf.
Sending Access-Request of id 172 to 2001:4200:ffff:14:5054:17ff:fe36:5d3d port 1812
        User-Name = "nren_radius_test at ru.ac.za"
        NAS-IP-Address = 146.64.25.55
        Called-Station-Id = "0016b6d9211b"
        Calling-Station-Id = "0015af8e3baa"
        NAS-Identifier = "0016b6d9211b"
        NAS-Port = 31
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200001e016e72656e5f7261646975735f746573744072752e61632e7a61
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x30
It works fine if I use the ipv4 address (no dns) for eduroam0.sanren.ac.za.
------------------------------------------------------------------------------------------------------------
2) FreeRadius with both an ipv4 and an ipv6 listen section in radiusd.conf.
listen {
        type = auth
        ipv6addr = ::
        port = 0
}
ganymede# sockstat | grep 1812
freeradius radiusd 61076 5 udp4 *:1812 *:*
freeradius radiusd 61076 6 udp6 *:1812 *:*
Running radiusd -X I can see it tries to send out ipv6 requests.
Sending Access-Request of id 229 to 2001:4200:ffff:14:5054:17ff:fe36:5d3d port 1812
        User-Name = "nren_radius_test at ru.ac.za"
        NAS-IP-Address = 146.64.25.55
        Called-Station-Id = "0016b6d9211b"
        Calling-Station-Id = "0015af8e3baa"
        NAS-Identifier = "0016b6d9211b"
        NAS-Port = 31
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001e016e72656e5f7261646975735f746573744072752e61632e7a61
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x30
But I don't see anything with tcpdump. After a while I get the following
message in radiusd:
WARNING: Internal sanity check failed in event handler for request 13: Discarding the request!
Ready to process requests.
------------------------------------------------------------------------------------------------------------
3) FreeRadius with both an ipv4 and an ipv6 listen section in radiusd.conf,
but with a specific ipv6 address configured.
listen {
        type = auth
        ipv6addr = 2001:4200:ffff:14:5054:17ff:fe36:5d3d
        port = 0
}
radiusd -X stops with the following error:
Failed binding to authentication address 2001:4200:ffff:14:5054:17ff:fe36:5d3d port 1812: Can't assign requested address
/usr/local/etc/raddb/radiusd.conf[32]: Error binding to port for 2001:4200:ffff:14:5054:17ff:fe36:5d3d port 1812
-----------------------------------------------------------------------------------------------------------------
## radiusd.conf -- FreeRADIUS server configuration file.
######################################################################
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.9
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        type = auth
        #ipaddr = *
        ipv6addr = ::
        #ipv6addr = 2001:4200:ffff:14:5054:17ff:fe36:5d3d
        port = 0
}
listen {
        type = acct
        ipaddr = *
        # ipv6addr = ::
        port = 0
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE ${confdir}/eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
######################################################################