Bug in proxy code with IPv6?
Stefan Winter
stefan.winter at restena.lu
Wed May 11 15:04:54 CEST 2011
Hello,
this is about 2.1.10. In my proxy.conf, I have two clauses for a host (
see [1] and [2] below), once with ipaddr for IPv4 and once with ipv6addr
for IPv6.
If I set the pool to use the IPv4 one (see [3]), packets get proxied
just fine. If I replace with IPv6, no packet leaves the server (i.e.
tcpdump on the FR machine sees no packet leaving) [4].
With tcpdump not seeing anything, I'm pretty sure that something's wrong
inside FR - i.e. not a firewall problem. Host firewall is off anyway.
In -X [5], the server *says* it's going to proxy the packet, but a
simultaneous tcpdump just doesn't see it, and there's no auth happening.
As soon as I change the proxy pool definition back to the v4 variant,
things start working again.
That's a bit strange...
Greetings,
Stefan Winter
[1] IPv4 proxy definition:
home_server radius-int-1-v4 {
type = auth+acct
ipaddr = 158.64.X.Y
port = 1812
secret = ...............
response_window = 20
zombie_period = 40
revive_interval = 60
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
[2] IPv6 proxy definition:
home_server radius-int-1-v6 {
type = auth+acct
ipv6addr = 2001:a18:X:Y::Z
port = 1812
secret = ..................
response_window = 20
zombie_period = 40
revive_interval = 60
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
[3] working pool (the non-working one only replaces -v4 with -v6):
home_server_pool RESTENA-internal {
type = fail-over
home_server = radius-int-1-v4
home_server = ... more servers ...
}
[4] access point tries to auth user, packet goes into FR server, but
nothing leaves; in non-proxy operation, server works nicely, see
Status-Server reply:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:50.592669 IP ap-2.rest.restena.lu.csd-monitor >
galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24
length: 226
14:45:54.644141 IP ap-2.rest.restena.lu.csd-monitor >
galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x44
length: 226
14:45:55.590066 IP ap-2.rest.restena.lu.csd-monitor >
galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24
length: 226
14:45:56.985799 IP haldir.restena.lu.59546 >
galadriel.restena.lu.radius: RADIUS, Status Server (12), id: 0x00 length: 38
14:45:56.986208 IP galadriel.restena.lu.radius >
haldir.restena.lu.59546: RADIUS, Access Accept (2), id: 0x00 length: 20
[5] -X:
Ready to process requests.
rad_recv: Access-Request packet from host 158.64.A.B port 3072, id=126,
length=226
User-Name = "certuser-2010-001 at restena.lu"
Service-Type = Framed-User
NAS-IP-Address = 158.64.A.B
NAS-Port = 3
NAS-Port-Id = "3"
Called-Station-Id = "00-A0-57-16-91-27:eduroam-restena"
Calling-Station-Id = "64-B9-E8-A0-2E-A4"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "ap-2.rest"
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message =
0x020100210163657274757365722d323031302d3030314072657374656e612e6c75
Message-Authenticator = 0x181d5b6f8959d9d079807ea00c77bcbc
server eduroam {
# Executing section authorize from file
/usr/local/freeradius/config//raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[request] returns notfound
[auth_log] expand:
/var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail
-> /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
[auth_log]
/var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail
expands to /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
[auth_log] expand: %t -> Wed May 11 14:57:05 2011
++[auth_log] returns ok
[suffix] Looking up realm "restena.lu" for User-Name =
"certuser-2010-001 at restena.lu"
[suffix] Found realm "restena.lu"
[suffix] Adding Realm = "restena.lu"
[suffix] Proxying request from user certuser-2010-001 to realm restena.lu
[suffix] Preparing to proxy authentication request to realm "restena.lu"
++[suffix] returns updated
} # server eduroam
# Executing section pre-proxy from file
/usr/local/freeradius/config//raddb/sites-enabled/eduroam
+- entering group pre-proxy {...}
++- entering policy cui_pre-proxy {...}
+++? if (Packet-Type == Access-Request)
? Evaluating (Packet-Type == Access-Request) -> TRUE
+++? if (Packet-Type == Access-Request) -> TRUE
+++- entering if (Packet-Type == Access-Request) {...}
expand: modules.sql[cui].sp_operator_name ->
modules.sql[cui].sp_operator_name
expand: 1%{config:modules.sql[cui].sp_operator_name} -> 1restena.lu
++++[proxy-request] returns noop
+++- if (Packet-Type == Access-Request) returns noop
++- policy cui_pre-proxy returns noop
[pre_proxy_log] expand:
/var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail
-> /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
[pre_proxy_log]
/var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail
expands to
/var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
[pre_proxy_log] expand: %t -> Wed May 11 14:57:05 2011
++[pre_proxy_log] returns ok
++? if (Packet-Type != Accounting-Request)
? Evaluating (Packet-Type != Accounting-Request) -> FALSE
++? if (Packet-Type != Accounting-Request) -> FALSE
Sending Access-Request of id 235 to 2001:a18:X:Y::Z port 1812
User-Name = "certuser-2010-001 at restena.lu"
Service-Type = Framed-User
NAS-IP-Address = 158.64.A.B
NAS-Port = 3
NAS-Port-Id = "3"
Called-Station-Id = "00-A0-57-16-91-27:eduroam-restena"
Calling-Station-Id = "64-B9-E8-A0-2E-A4"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "ap-2.rest"
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message =
0x020100210163657274757365722d323031302d3030314072657374656e612e6c75
Message-Authenticator = 0x00000000000000000000000000000000
RESTENA-Service-Type = "eduroam-lu"
Proxy-State = 0x313236
Chargeable-User-Identity = ""
Operator-Name = "1restena.lu"
Proxying request 0 to home server 2001:a18:X:Y::Z port 1812
Sending Access-Request of id 235 to 2001:a18:X:Y::Z port 1812
User-Name = "certuser-2010-001 at restena.lu"
Service-Type = Framed-User
NAS-IP-Address = 158.64.A.B
NAS-Port = 3
NAS-Port-Id = "3"
Called-Station-Id = "00-A0-57-16-91-27:eduroam-restena"
Calling-Station-Id = "64-B9-E8-A0-2E-A4"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "ap-2.rest"
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message =
0x020100210163657274757365722d323031302d3030314072657374656e612e6c75
Message-Authenticator = 0x00000000000000000000000000000000
RESTENA-Service-Type = "eduroam-lu"
Proxy-State = 0x313236
Chargeable-User-Identity = ""
Operator-Name = "1restena.lu"
Going to the next request
Waking up in 0.9 seconds.
Waking up in 19.0 seconds.
tcpdump: incoming from the AP, but no outgoing traffic. Just a few
retries from AP.
14:57:05.912601 IP (tos 0x0, ttl 57, id 40049, offset 0, flags [none],
proto UDP (17), length 254)
ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: [udp sum
ok] RADIUS, length: 226
Access Request (1), id: 0x7e, Authenticator:
3f3f3f3fbf7f9fef578be5d2e9542a15
Username Attribute (1), length: 30, Value: certuser-2010-001 at restena.lu
0x0000: 6365 7274 7573 6572 2d32 3031 302d 3030
0x0010: 3140 7265 7374 656e 612e 6c75
Service Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
NAS IP Address Attribute (4), length: 6, Value: ap-2.rest.restena.lu
0x0000: 9e40 3322
NAS Port Attribute (5), length: 6, Value: 3
0x0000: 0000 0003
NAS Port ID Attribute (87), length: 3, Value: 3
0x0000: 33
Called Station Attribute (30), length: 35, Value:
00-A0-57-16-91-27:eduroam-restena
0x0000: 3030 2d41 302d 3537 2d31 362d 3931 2d32
0x0010: 373a 6564 7572 6f61 6d2d 7265 7374 656e
0x0020: 61
Calling Station Attribute (31), length: 19, Value: 64-B9-E8-A0-2E-A4
0x0000: 3634 2d42 392d 4538 2d41 302d 3245 2d41
0x0010: 34
Connect Info Attribute (77), length: 25, Value: CONNECT 54 Mbps 802.11g
0x0000: 434f 4e4e 4543 5420 3534 204d 6270 7320
0x0010: 3830 322e 3131 67
NAS ID Attribute (32), length: 11, Value: ap-2.rest
0x0000: 6170 2d32 2e72 6573 74
NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
Framed MTU Attribute (12), length: 6, Value: 1500
0x0000: 0000 05dc
EAP Message Attribute (79), length: 35, Value: ..
0x0000: 0201 0021 0163 6572 7475 7365 722d 3230
0x0010: 3130 2d30 3031 4072 6573 7465 6e61 2e6c
0x0020: 75
Message Authentication Attribute (80), length: 18, Value: ..[o.Y..y�~..w..
0x0000: 181d 5b6f 8959 d9d0 7980 7ea0 0c77 bcbc
14:57:09.937572 IP (tos 0x0, ttl 57, id 40050, offset 0, flags [none],
proto UDP (17), length 254)
ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: [udp sum
ok] RADIUS, length: 226
Access Request (1), id: 0x2a, Authenticator:
15aa550a8562b1783c1e0f2733b9fc7e
Username Attribute (1), length: 30, Value: certuser-2010-001 at restena.lu
0x0000: 6365 7274 7573 6572 2d32 3031 302d 3030
0x0010: 3140 7265 7374 656e 612e 6c75
Service Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
NAS IP Address Attribute (4), length: 6, Value: ap-2.rest.restena.lu
0x0000: 9e40 3322
NAS Port Attribute (5), length: 6, Value: 3
0x0000: 0000 0003
NAS Port ID Attribute (87), length: 3, Value: 3
0x0000: 33
Called Station Attribute (30), length: 35, Value:
00-A0-57-16-91-27:eduroam-restena
0x0000: 3030 2d41 302d 3537 2d31 362d 3931 2d32
0x0010: 373a 6564 7572 6f61 6d2d 7265 7374 656e
0x0020: 61
Calling Station Attribute (31), length: 19, Value: 64-B9-E8-A0-2E-A4
0x0000: 3634 2d42 392d 4538 2d41 302d 3245 2d41
0x0010: 34
Connect Info Attribute (77), length: 25, Value: CONNECT 54 Mbps 802.11g
0x0000: 434f 4e4e 4543 5420 3534 204d 6270 7320
0x0010: 3830 322e 3131 67
NAS ID Attribute (32), length: 11, Value: ap-2.rest
0x0000: 6170 2d32 2e72 6573 74
NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
Framed MTU Attribute (12), length: 6, Value: 1500
0x0000: 0000 05dc
EAP Message Attribute (79), length: 35, Value: ..
0x0000: 0202 0021 0163 6572 7475 7365 722d 3230
0x0010: 3130 2d30 3031 4072 6573 7465 6e61 2e6c
0x0020: 75
Message Authentication Attribute (80), length: 18, Value: yVD........P.H{
0x0000: 7956 447f b7f5 c70d 8af0 1715 50e5 487b
14:57:10.910074 IP (tos 0x0, ttl 57, id 40051, offset 0, flags [none],
proto UDP (17), length 254)
ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: [udp sum
ok] RADIUS, length: 226
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
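The following is an added example, not code from FreeRADIUS or from the mail above. It works offline on the material the post already contains: it decodes the EAP-Message attribute shown in the -X output (the hex carries the identity "certuser-2010-001@restena.lu"; the archive renders the "@" as " at "), and it builds and verifies the 38-byte Status-Server probe that appears in the tcpdump excerpt, including the Message-Authenticator, which the -X output shows as all zeros because the HMAC is computed over the packet with that field zeroed before it is filled in. The `probe_home_server` function sends one such probe over an AF_INET6 socket so that reachability of the IPv6 home server can be checked from the FreeRADIUS host independently of the daemon's own proxy path; the shared secret and the address are constructed placeholders, since the real ones are redacted in the post.

```python
"""Offline RADIUS helpers for the IPv6 proxying problem discussed in the post.

Added example: not FreeRADIUS code and not from the original mail. The shared
secret used in the tests is a constructed placeholder; the real one is redacted.
"""
import hashlib
import hmac
import os
import socket
import struct

RADIUS_HDR = struct.Struct("!BBH")  # code, identifier, length (RFC 2865)
ACCESS_ACCEPT, STATUS_SERVER = 2, 12
ATTR_MESSAGE_AUTHENTICATOR = 80

# Taken from the page: the EAP-Message attribute value printed in the -X output.
EAP_MESSAGE_HEX = "020100210163657274757365722d323031302d3030314072657374656e612e6c75"


def parse_attributes(data):
    """Walk RADIUS TLVs (type, length including the 2-byte header, value)."""
    attrs, off = [], 0
    while off + 2 <= len(data):
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("malformed attribute length %d at offset %d" % (alen, off))
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    if off != len(data):
        raise ValueError("trailing byte after last attribute")
    return attrs


def decode_eap_identity(eap):
    """EAP header: code(1) id(1) length(2) type(1); code 2 / type 1 = Response/Identity."""
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if length != len(eap) or code != 2 or etype != 1:
        raise ValueError("not a well-formed EAP-Response/Identity")
    return eap[5:].decode("utf-8")


def build_status_server(secret, ident, authenticator=b""):
    """Status-Server (RFC 5997): 20-byte header with a random Request Authenticator
    plus Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed).
    The result is 38 bytes long, matching the Status-Server seen in the tcpdump."""
    authenticator = authenticator or os.urandom(16)
    pkt = RADIUS_HDR.pack(STATUS_SERVER, ident, 20 + 18) + authenticator
    pkt += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the Message-Authenticator value zeroed in place."""
    off = 20
    for atype, value in parse_attributes(pkt[20:]):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        off += 2 + len(value)
    return False  # attribute absent: treat as a failed check


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = RADIUS_HDR.pack(code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs


def verify_response(reply, request_auth, secret):
    """Check a reply against the Request Authenticator we sent (constant-time compare)."""
    if len(reply) < 20:
        return False
    hdr, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def probe_home_server(host, port, secret, timeout=3.0):
    """Send one Status-Server over UDP (AF_INET6 for a literal IPv6 address) and
    return True only for an authentic Access-Accept with a matching id. Needs network."""
    ident = os.urandom(1)[0]
    req = build_status_server(secret, ident)
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            reply, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return False
    if len(reply) < 20:
        return False
    code, rid, length = RADIUS_HDR.unpack_from(reply)
    return (code == ACCESS_ACCEPT and rid == ident and length == len(reply)
            and verify_response(reply, req[4:20], secret))


if __name__ == "__main__":
    import sys
    print("EAP identity:", decode_eap_identity(bytes.fromhex(EAP_MESSAGE_HEX)))
    if len(sys.argv) == 4:  # usage: <ipv6-or-ipv4 address> <port> <secret>; address is a placeholder
        print("home server alive:", probe_home_server(sys.argv[1], int(sys.argv[2]), sys.argv[3].encode()))
```

Run without arguments it only decodes the identity; with an address, port and secret it sends a single Status-Server and reports whether an Access-Accept with a valid Response Authenticator came back. If that probe succeeds over IPv6 from the same host while the daemon's proxied packets never appear in tcpdump, the socket and network path are fine and the problem is inside the server, which is the conclusion the post is driving at.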