Project

General

Profile

Actions

Feature #4154

closed

Support for RADIUS authentication over IPv6

Added by Kill Bill over 9 years ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Category:
User Manager / Privileges
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default

Description

Following https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory - this does not work if the RADIUS server is specified as IPv6 (whether FQDN or IP does not matter). Authentication works as soon as IPv4 address is specified for the RADIUS server. (Tested on latest 2.2 snapshot, though I recall this pretty much never worked even with 2.1.x).

Actions #1

Updated by Jim Pingle over 9 years ago

  • Status changed from New to Confirmed

Just tried this and I'm seeing the same thing against FreeRADIUS2. The IPv6 RADIUS request never leaves the client host if it's 2.2. The client 2.2 host and the RADIUS server have connectivity to each other, can ping6, etc, but a RADIUS request using IPv6 never leaves. IPv4 works fine.

Actions #2

Updated by Kill Bill over 9 years ago

Yep, it just seems to vanish somewhere. :) I deleted the client on the Windows server, and nothing logged. normally, you'd get "A RADIUS message was received from the invalid RADIUS client IP address..." error since the client is not authorized (and you get exactly that when you try via IPv4) - but as you said, with IPv6 no request reaches the server.

Actions #3

Updated by Ermal Luçi over 9 years ago

libradius is v4 only for now.
Hence the issue, i think this should be pushed post 2.2 to really be fixed.

Actions #4

Updated by Kill Bill over 9 years ago

Ermal Luçi wrote:

Hence the issue, i think this should be pushed post 2.2 to really be fixed.

Well, whatever is needed... however, this should be noted somewhere in the GUI (or reject IPv6 input), plus if you put a hostname there, it should filter out AAAA records when resolved because otherwise it just blackholes the requests as well.

Actions #5

Updated by Jim Pingle over 9 years ago

  • Target version changed from 2.2 to 2.2.1

FYI- This was the same on pfSense 2.1. It doesn't send out IPv6 RADIUS requests either. So at least it's not a regression.

This can probably be nudged off to at least 2.2.1 for that reason.

Actions #6

Updated by Chris Buechler over 9 years ago

  • Affected Version changed from 2.2 to All
Actions #7

Updated by Chris Buechler over 9 years ago

  • Target version changed from 2.2.1 to 2.2.2
Actions #8

Updated by Chris Buechler over 9 years ago

  • Target version changed from 2.2.2 to 2.2.3
Actions #9

Updated by Chris Buechler about 9 years ago

  • Target version changed from 2.2.3 to 2.3
Actions #10

Updated by Chris Buechler almost 9 years ago

  • Target version changed from 2.3 to Future

The underlying RADIUS pieces still don't support IPv6.

I believe this is the root cause of this issue.
https://bugs.php.net/bug.php?id=59619

Actions #11

Updated by Jim Thompson over 8 years ago

  • Assignee set to Renato Botelho
Actions #12

Updated by Kill Bill over 7 years ago

After wasting my time once again with hitting the same issue and seeing the total ignorance of the issue by PHP devs, I'd say IPv6 should be refused as input at least.

https://github.com/pfsense/pfsense/pull/3555

Actions #13

Updated by Renato Botelho about 2 years ago

  • Assignee deleted (Renato Botelho)
Actions #14

Updated by Christian McDonald almost 2 years ago

  • Status changed from Confirmed to Feedback
  • Assignee set to Christian McDonald
  • Target version changed from Future to CE-Next
  • Plus Target Version set to Plus-Next
  • Release Notes set to Default
Actions #15

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to New

The UI allows adding the IPv6 RADIUS server after that change but it does not appear to be working from PHP auth. No IPv6 packets are sent to the RADIUS server.

The RADIUS server is listening on IPv6 and accepts and authenticates test connections using radtest, so it appears there is still something left to do on the PHP side.

Actions #16

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Resolved
  • Target version changed from CE-Next to 2.7.0
  • Start date deleted (12/27/2014)
  • Plus Target Version changed from Plus-Next to 22.11

Tried it again after going over all the rules and such on both sides and it worked so it must have been in my setup.

Not sure why I never saw the packets leave or states made at first, though, but it's working now and I see two-way traffic.

Actions #17

Updated by Jim Pingle almost 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #18

Updated by Jim Pingle about 1 year ago

  • Tracker changed from Bug to Feature
  • Subject changed from RADIUS authentication not working over IPv6 to Support for RADIUS authentication over IPv6
  • % Done changed from 0 to 100
  • Affected Version deleted (All)
  • Affected Architecture deleted (All)
Actions

Also available in: Atom PDF