
FreeRadius + FreeBSD + ipv6


Johann Hugo
Dec 6, 2010, 4:01:09 AM
Hi

I'm busy with a FreeRadius Eduroam setup, but it only works with ipv4 and not
with ipv6.

My Setup:
wifi-client <--> my-FreeRadius-proxy <---> eduroam-proxy <---> remote-site

My server:
FreeBSD 8.1-STABLE with freeradius-2.1.10_1 that was built from the ports,
with ipv6 enabled.

Here is a list of things that I've noticed when I run radiusd -X

Regards
Johann


------------------------------------------------------------------------------------------------------------
1) FreeRadius with only an ipv4 listen section in radiusd.conf. (no ipv6)

#listen {
# type = auth
# ipv6addr = ::
# port = 0
#}

ganymede# sockstat | grep 1812
freeradius radiusd 61076 5 udp4 *:1812 *:*

FreeRadius tries to send Access-Request packets to the ipv6 address of the
eduroam-proxy-server (eduroam0.sanren.ac.za) when I use its DNS name in proxy.conf.

Sending Access-Request of id 172 to 2001:4200:ffff:14:5054:17ff:fe36:5d3d port
1812
User-Name = "nren_rad...@ru.ac.za"
NAS-IP-Address = 146.64.25.55
Called-Station-Id = "0016b6d9211b"
Calling-Station-Id = "0015af8e3baa"
NAS-Identifier = "0016b6d9211b"
NAS-Port = 31
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0200001e016e72656e5f7261646975735f746573744072752e61632e7a61
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x30

It works fine if I use the ipv4 address (no dns) for eduroam0.sanren.ac.za.


------------------------------------------------------------------------------------------------------------
2) FreeRadius with both an ipv4 and an ipv6 listen section in radiusd.conf.

listen {
type = auth
ipv6addr = ::
port = 0
}

ganymede# sockstat | grep 1812
freeradius radiusd 61076 5 udp4 *:1812 *:*
freeradius radiusd 61076 6 udp6 *:1812 *:*

Running radiusd -X I can see it tries to send out ipv6 requests.

Sending Access-Request of id 229 to 2001:4200:ffff:14:5054:17ff:fe36:5d3d port
1812
User-Name = "nren_rad...@ru.ac.za"
NAS-IP-Address = 146.64.25.55
Called-Station-Id = "0016b6d9211b"
Calling-Station-Id = "0015af8e3baa"
NAS-Identifier = "0016b6d9211b"
NAS-Port = 31
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201001e016e72656e5f7261646975735f746573744072752e61632e7a61
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x30

But I don't see anything with tcpdump. After a while I get the following
message in radiusd:

WARNING: Internal sanity check failed in event handler for request 13:
Discarding the request!
Ready to process requests.

------------------------------------------------------------------------------------------------------------
3) FreeRadius with both an ipv4 and an ipv6 listen section in radiusd.conf,
but with a specific ipv6 address configured.

listen {
type = auth
ipv6addr = 2001:4200:ffff:14:5054:17ff:fe36:5d3d
port = 0
}

radiusd -X stops with the following error:

Failed binding to authentication address 2001:4200:ffff:14:5054:17ff:fe36:5d3d
port 1812: Can't assign requested address
/usr/local/etc/raddb/radiusd.conf[32]: Error binding to port for
2001:4200:ffff:14:5054:17ff:fe36:5d3d port 1812


-----------------------------------------------------------------------------------------------------------------


## radiusd.conf -- FreeRADIUS server configuration file.
######################################################################

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.9
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
type = auth
ipaddr = *
port = 0
}

listen {
type = auth
#ipaddr = *
ipv6addr = ::
#ipv6addr = 2001:4200:ffff:14:5054:17ff:fe36:5d3d
port = 0
}

listen {
type = acct
ipaddr = *
# ipv6addr = ::
port = 0
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {
$INCLUDE ${confdir}/modules/
$INCLUDE ${confdir}/eap.conf
}

instantiate {
exec
expr
expiration
logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/

######################################################################
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Johann Hugo
Dec 6, 2010, 5:39:36 AM

On Monday, December 06, 2010 11:58:21 am Thorsten Fischer wrote:
> Excerpts from Johann Hugo's message of Mon Dec 06 09:41:40 +0000 2010:


> > listen {
> >
> > type = auth
> > #ipaddr = *
> > ipv6addr = ::

> > #ipv6addr = 2001:4200:7000:1:21c:c0ff:fefb:dc67
> > port = 0
> >
> > }
> >
> > radius -X
> > ...
> > Listening on authentication address * port 1812
> > Listening on authentication address :: port 1812
>
> Does it work for you if you bind both, v4 and v6 sockets to specific
> addresses? I have a vague recollection that there might be a problem
> with that, but I cannot find a reference at the moment.
>

It works for ipv4, but not for ipv6

IPv4:

listen {
type = auth
#ipaddr = *
ipaddr = 146.64.8.17
port = 0
}

radius -X
...
Listening on authentication address 146.64.8.17 port 1812
Listening on authentication address :: port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address 146.64.8.17 port 1814
Ready to process requests.


IPv6:

listen {
type = auth
#ipaddr = *
#ipv6addr = ::
ipv6addr = 2001:4200:7000:1:21c:c0ff:fefb:dc67
port = 0
}

radius -X
...
Failed binding to authentication address 2001:4200:7000:1:21c:c0ff:fefb:dc67
port 1812: Can't assign requested address
/usr/local/etc/raddb/radiusd.conf[31]: Error binding to port for
2001:4200:7000:1:21c:c0ff:fefb:dc67 port 1812

Alan Buxey
Dec 6, 2010, 5:52:01 AM
Hi,

> > Listening on authentication address * port 1812
> > Listening on authentication address :: port 1812
>
> Does it work for you if you bind both, v4 and v6 sockets to specific
> addresses? I have a vague recollection that there might be a problem
> with that, but I cannot find a reference at the moment.

ISTR that you cannot listen to v4 and v6 in the same virtual server -
set up a new VS with an ipv6 listener - it's what we do here successfully

alan

Alan DeKok
Dec 6, 2010, 7:03:58 AM
Alan Buxey wrote:
> ISTR that you cannot listen to v4 and v6 in the same virtual server -

Hmm... There shouldn't be a problem with that.

Alan DeKok.

Alan DeKok
Dec 6, 2010, 7:05:14 AM
Johann Hugo wrote:
> radius -X
> ...
> Failed binding to authentication address 2001:4200:7000:1:21c:c0ff:fefb:dc67
> port 1812: Can't assign requested address


Try and find out why the OS won't let the server bind to that address.

See also the code in src/main/listen.c. Maybe there's an issue parsing
the IP?

Alan Buxey
Dec 6, 2010, 8:24:28 AM
Hi,

> > ISTR that you cannot listen to v4 and v6 in the same virtual server -
>
> Hmm... There shouldn't be a problem with that.

don't shoot me, I'm just the messenger! :-)

from the current supplied default config file


# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *

# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost


alan

Johann Hugo
Dec 6, 2010, 8:38:31 AM
On Monday, December 06, 2010 02:05:14 pm Alan DeKok wrote:
> Johann Hugo wrote:
> > radius -X
> > ...
> > Failed binding to authentication address
> > 2001:4200:7000:1:21c:c0ff:fefb:dc67 port 1812: Can't assign requested
> > address
>
> Try and find out why the OS won't let the server bind to that address.
>
> See also the code in src/main/listen.c Maybe there's an issue parsing
> the IP?

Thanks, but I'm not that good with C code.

What I did notice is that it works if I specify my link local address:
ipv6addr = fe80::21c:c0ff:fefb:dc67%em0

Johann
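To follow Alan DeKok's suggestion (find out why the OS refuses the bind, and whether the address even parses) and Johann's observation that the link-local address with a %em0 zone works, here is an added diagnostic script. It is not from the thread or from FreeRADIUS; it performs the same UDP/IPv6 bind radiusd would attempt for a given ipv6addr value and reports which stage failed. The addresses in the demo loop are constructed stand-ins (2001:db8::/32 is a documentation prefix), and the interface name em0 is assumed from the thread.

```python
import errno
import socket


def parse_listen_addr(spec):
    """Split an ipv6addr value such as 'fe80::1%em0' into (address, zone)."""
    addr, sep, zone = spec.partition("%")
    return addr, (zone if sep else None)


def try_bind_udp6(spec, port=1812):
    """Attempt the UDP/IPv6 bind radiusd would do for `ipv6addr = spec`.

    Returns a dict with 'ok' and 'stage' in {'parse', 'socket', 'bind'}.
    A 'parse' failure means the string is not a valid IPv6 address; a
    'bind' failure with EADDRNOTAVAIL ("Can't assign requested address")
    is the OS saying no interface currently carries that address.
    """
    addr, zone = parse_listen_addr(spec)
    try:
        socket.inet_pton(socket.AF_INET6, addr)
    except OSError:
        return {"ok": False, "stage": "parse", "error": "not an IPv6 address"}
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError as e:
        return {"ok": False, "stage": "socket", "errno": e.errno,
                "error": errno.errorcode.get(e.errno, str(e))}
    try:
        # A link-local address needs a scope (zone) index: the %em0 suffix.
        scope = socket.if_nametoindex(zone) if zone else 0
        sock.bind((addr, port, 0, scope))
        return {"ok": True, "stage": "bind", "bound": sock.getsockname()[:2]}
    except OSError as e:
        return {"ok": False, "stage": "bind", "errno": e.errno,
                "error": errno.errorcode.get(e.errno, str(e))}
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed stand-ins: replace with an address from your own
    # `ifconfig em0 inet6` output. The 2001:db8::1 case is expected to fail
    # with EADDRNOTAVAIL, the same error radiusd reported in the thread.
    for spec in ("::", "2001:db8::1", "fe80::21c:c0ff:fefb:dc67%em0", "not-an-ip"):
        print(spec, "->", try_bind_udp6(spec))
```

Run it as the same user radiusd runs as, since a bind that works for root but not for the freeradius user points at a different cause than an address the kernel does not have.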

Johann Hugo
Dec 6, 2010, 8:44:03 AM
On Monday, December 06, 2010 03:24:28 pm Alan Buxey wrote:
> Hi,
>
> > > ISTR that you cannot listen to v4 and v6 in the same virtual server -
> > >
> > Hmm... There shouldn't be a problem with that.
>
> don't shoot me, I'm just the messenger! :-)
>
> from the current supplied default config file
>
>
> # IP address on which to listen.
> # Allowed values are:
> # dotted quad (1.2.3.4)
> # hostname (radius.example.com)
> # wildcard (*)
> ipaddr = *
>
> # OR, you can use an IPv6 address, but not both
> # at the same time.

From some other examples that I found, it looks like you cannot have both of
them in the same listen section; you need to have two separate listen sections
in radiusd.conf

listen {
type = auth
ipaddr = *
port = 0
}

listen {
type = auth
ipv6addr = ::
port = 0
}

Johann

Alan DeKok
Dec 6, 2010, 8:49:15 AM
Alan Buxey wrote:
> don't shoot me, I'm just the messenger! :-)
...

> # IP address on which to listen.
> # Allowed values are:
> # dotted quad (1.2.3.4)
> # hostname (radius.example.com)
> # wildcard (*)
> ipaddr = *
>
> # OR, you can use an IPv6 address, but not both
> # at the same time.
> # ipv6addr = :: # any. ::1 == localhost

I'll clarify that: A network socket can only listen on one IP/port.

You can't have one socket listening on two UDP ports, or two TCP
ports, or two IP addresses.

You *can* have two sockets pointing to the same virtual server. i.e.
the following config works Just Fine:

listen {
...
ipaddr = x
...
server = Y
}
listen {
...
ipv6addr = a:b::c::d
server = Y
}

Alan DeKok.
