Dualstack NAS ignored by RADIUS server when using IPv4
Ondrej Famera
famera at fi.muni.cz
Mon Feb 11 11:11:18 CET 2013
Hello Bjørn,
On 02/11/2013 10:27 AM, Bjørn Mork wrote:
> Ondrej Famera <famera at fi.muni.cz> writes:
>
>> freeRADIUS server:
>> radius.example.com
>> - IPv4: 10.0.0.1
>> - IPv6: 2001:a:b:c::1
>>
>> NAS device:
>> dev1.example.com
>> - IPv4: 10.0.0.2
>> - IPv6: 2001:a:b:c::2
>>
>> RADIUS nas table:
>> id | nasname | shortname | type | ports | secret | community | description | server
>> ----+-------------------+-----------+-------+--------+---------------+-----------+-------------+--------------
>> 1 | dev1.example.com | dev1 | other | <NULL> | shared_secret | <NULL> | <NULL> | inner-tunnel
>
> Never use DNS to identify a client. A client is uniquely identified by
> its IP address. Hiding this behind DNS is just confusing. For example:
> * You thought a single client with multiple IPs would work - It won't
> * You might think that you can change the DNS entry without restarting
> FreeRADIUS - you cannot
> * You might think that you can configure a client without knowing its
> address first - you cannot.
* I hoped that if I got reliable DNS with correct records then RADIUS would
resolve them the right way (either all of them or none), but it resolves
only one of them.
>
>> By adding the following to the nas table it works:
>> id | nasname | shortname | type | ports | secret | community | description | server
>> ----+-------------------+-----------+-------+--------+---------------+-----------+-------------+--------------
>> 2 | 10.0.0.2 | dev1 | other | <NULL> | shared_secret | <NULL> | <NULL> | inner-tunnel
>>
>> ( it works as a workaround, but I think that it should work as well with hostname only )
>
> That is not a "workaround". It is the correct way to configure a
> client. If you want to allow a client to use multiple addresses,
> then you need to add an entry for each address.
>
> But you should really not do that. Choose a single source address for
> each client. This implies that you must choose a single address family.
> There is no such thing as a "dual stack RADIUS client". Either you use
> IPv4 or you use IPv6.
- In my case the hard work is done by a script which knows which devices should be put
into the client table and puts them there based on their hostnames,
- so the more correct approach I see is that the script would also resolve hostnames
to addresses before putting them in the clients table.
( I got a list of hostnames, so the lazy approach is to use them if possible )
> This goes for *any* management protocol. It's not some service you are
> providing to any random Internet client. You explicitly configure each
> end and you want to do that as precisely as possible. Try configuring
> your BGP peers using DNS and see how well that works...
>
>
> Bjørn
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Thanks for the quick response and clarification,
the address-based approach now looks much better than before :)
--
Ondrej Famera
unix at fi
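The approach Ondrej settles on above (resolve each NAS hostname to addresses first, then insert one nas row per address) is shown here as an added example script. It is not from the thread and not FreeRADIUS project code. It follows the nas table columns, the `shared_secret` value, the `inner-tunnel` server and the `dev1.example.com` addresses visible in the thread; the `dev2.example.com` host, the offline stand-in resolver and the `%s` DB-API placeholder style are assumptions. It also goes one step beyond the thread by pinning every client to a single address family and reporting the addresses it left out, so dual-stack devices cannot silently end up half-configured.

```python
#!/usr/bin/env python3
"""Expand NAS hostnames into one FreeRADIUS `nas` table row per address.

Added example for the thread above; not FreeRADIUS project code. Column
names follow the nas table shown in the thread (nasname, shortname, type,
secret, server). dev2.example.com and the fake resolver are constructed.
"""
import ipaddress
import socket


def resolve_dns(hostname):
    """Resolve hostname to all of its IPv4/IPv6 addresses via the system resolver."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, None, proto=socket.IPPROTO_UDP):
        addrs.add(sockaddr[0])
    return addrs


def expand_clients(hosts, secret, server, family=4, resolver=resolve_dns):
    """Return (rows, skipped).

    hosts: list of (hostname, shortname). One row is built per address of the
    chosen family (4 or 6), so every RADIUS client is keyed by an IP address
    rather than a name. Addresses of the other family are collected in
    `skipped`, keyed by hostname, so dual-stack devices are visible to the
    operator instead of being silently half-configured.
    """
    rows, skipped = [], {}
    for hostname, shortname in hosts:
        # Sort by (version, numeric value); comparing v4 and v6 objects directly raises TypeError.
        addrs = sorted((ipaddress.ip_address(a) for a in resolver(hostname)),
                       key=lambda a: (a.version, int(a)))
        if not addrs:
            # Refuse to add a client whose address is unknown: the server
            # could never match a request to it anyway.
            raise LookupError(f"{hostname}: no addresses, not adding client")
        for addr in addrs:
            if addr.version != family:
                skipped.setdefault(hostname, []).append(str(addr))
                continue
            rows.append({
                "nasname": str(addr),     # address, not hostname
                "shortname": shortname,
                "type": "other",
                "secret": secret,
                "server": server,
            })
    return rows, skipped


def insert_statements(rows):
    """Parameterised INSERTs for the nas table, one (sql, params) pair per row.

    Assumes a DB-API driver using %s placeholders; never interpolate the
    values into the SQL string yourself.
    """
    sql = ("INSERT INTO nas (nasname, shortname, type, secret, server) "
           "VALUES (%s, %s, %s, %s, %s)")
    return [(sql, (r["nasname"], r["shortname"], r["type"], r["secret"], r["server"]))
            for r in rows]


# Constructed stand-in for DNS so the example runs offline. dev1 mirrors the
# dual-stack NAS from the thread; dev2 is an invented IPv4-only device.
FAKE_DNS = {
    "dev1.example.com": {"10.0.0.2", "2001:a:b:c::2"},
    "dev2.example.com": {"10.0.0.3"},
}


def fake_resolver(hostname):
    """Offline replacement for resolve_dns using FAKE_DNS."""
    return FAKE_DNS.get(hostname, set())


if __name__ == "__main__":
    hosts = [("dev1.example.com", "dev1"), ("dev2.example.com", "dev2")]
    rows, skipped = expand_clients(hosts, "shared_secret", "inner-tunnel",
                                   family=4, resolver=fake_resolver)
    for sql, params in insert_statements(rows):
        print(sql, params)
    for host, others in skipped.items():
        print(f"note: {host} also resolves to {others}; only IPv4 was configured")
```

Run with the real resolver by dropping the `resolver=` argument; the `skipped` report is the check worth keeping in a cron job, since a device that later gains an AAAA record and starts sourcing RADIUS traffic from IPv6 will be rejected by the server until an address row for that family exists.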