Dualstack NAS ignored by RADIUS server when using IPv4

Bjørn Mork bjorn at mork.no
Mon Feb 11 10:27:39 CET 2013


Ondrej Famera <famera at fi.muni.cz> writes:

> freeRADIUS server:
> radius.example.com
> - IPv4: 10.0.0.1
> - IPv6: 2001:a:b:c::1
>
> NAS device:
> dev1.example.com
> - IPv4: 10.0.0.2
> - IPv6: 2001:a:b:c::2
>
> RADIUS nas table:
>  id |         nasname   | shortname | type  | ports  |    secret     | community | description |    server    
> ----+-------------------+-----------+-------+--------+---------------+-----------+-------------+--------------
>   1 | dev1.example.com  |   dev1    | other | <NULL> | shared_secret | <NULL>    | <NULL>      | inner-tunnel

Never use DNS to identify a client.  A client is uniquely identified by
its IP address.  Hiding this behind DNS is just confusing.  For example:
 * You thought a single client with multiple IPs would work - It won't
 * You might think that you can change the DNS entry without restarting
   FreeRADIUS - you cannot
 * You might think that you can configure a client without knowing its
   address first - you cannot.

> By adding following to nas table it works:
>  id |         nasname   | shortname | type  | ports  |    secret     | community | description |    server    
> ----+-------------------+-----------+-------+--------+---------------+-----------+-------------+--------------
>   2 | 10.0.0.2          |   dev1    | other | <NULL> | shared_secret | <NULL>    | <NULL>      | inner-tunnel
>
> ( it works as workaround but i think that it should work as well with hostname only )

That is not a "workaround".  It is the correct way to configure a
client.  If you want to allow a client to use multiple addresses,
then you need to add an entry for each address.

But you should really not do that.  Choose a single source address for
each client.  This implies that you must choose a single address family.
There is no such thing as a "dual stack RADIUS client".  Either you use
IPv4 or you use IPv6.

This goes for *any* management protocol. It's not some service you are
providing to any random Internet client. You explicitly configure each
end and you want to do that as precisely as possible.  Try configuring
your BGP peers using DNS and see how well that works...


Bjørn


More information about the Freeradius-Users mailing list
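An added example, not part of the mailing-list exchange and not FreeRADIUS code: a small audit over `nas` rows that flags the two configuration habits the reply argues against, a `nasname` that is a DNS name rather than a literal address, and one NAS spread across several addresses or address families. The rows are constructed to mirror the table in the thread; the column names follow the table shown there.

```python
"""Audit FreeRADIUS `nas` rows for how clients are identified.

Added example (not FreeRADIUS code, not from the mailing-list post). The
sample rows below are constructed to mirror the thread's table. Findings:
  * error   - nasname is a DNS name; the server resolves it at startup and
              matches incoming requests by source IP address only
  * warning - one shortname has both IPv4 and IPv6 rows (a "dual stack"
              client, which the reply says should not exist)
  * notice  - one shortname has several rows of one family; each source
              address the NAS may use needs its own row
"""
import ipaddress
from collections import defaultdict


def classify_nasname(nasname: str) -> str:
    """Return 'ipv4', 'ipv6' or 'hostname' for a nas.nasname value."""
    try:
        addr = ipaddress.ip_address(nasname.strip())
    except ValueError:
        return "hostname"
    return "ipv4" if addr.version == 4 else "ipv6"


def audit_nas_rows(rows):
    """Return a list of (severity, [row ids], message) findings."""
    findings = []
    by_shortname = defaultdict(list)
    for row in rows:
        kind = classify_nasname(row["nasname"])
        if kind == "hostname":
            findings.append(("error", [row["id"]],
                f"nasname {row['nasname']!r} is a DNS name; FreeRADIUS resolves "
                "it once at startup and matches clients by IP address only"))
        by_shortname[row["shortname"]].append((row["id"], kind))
    for short, entries in by_shortname.items():
        families = {k for _, k in entries if k != "hostname"}
        ids = [i for i, _ in entries]
        if len(families) > 1:
            findings.append(("warning", ids,
                f"client {short!r} has both IPv4 and IPv6 rows; pick a single "
                "source address family for this NAS"))
        elif len(entries) > 1:
            findings.append(("notice", ids,
                f"client {short!r} has {len(entries)} nas rows; each source "
                "address the NAS may use needs its own row"))
    return findings


# Constructed sample modelled on the thread's table (not real data).
SAMPLE_ROWS = [
    {"id": 1, "nasname": "dev1.example.com", "shortname": "dev1", "secret": "shared_secret"},
    {"id": 2, "nasname": "10.0.0.2",         "shortname": "dev1", "secret": "shared_secret"},
    {"id": 3, "nasname": "2001:a:b:c::2",    "shortname": "dev1", "secret": "shared_secret"},
    {"id": 4, "nasname": "10.0.0.3",         "shortname": "dev2", "secret": "other_secret"},
]

if __name__ == "__main__":
    for severity, ids, msg in audit_nas_rows(SAMPLE_ROWS):
        print(f"{severity:8} rows {ids}: {msg}")
```

Run against the sample it reports the hostname row as an error and the dev1 IPv4/IPv6 pair as a warning; dev2, a single literal IPv4 row, is left alone. Pointing it at a real table is a matter of replacing `SAMPLE_ROWS` with the result of `SELECT id, nasname, shortname, secret FROM nas`.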