Bug #4154

RADIUS authentication not working over IPv6

Added by Kill Bill over 2 years ago. Updated 5 months ago.

Status: Confirmed
Priority: Normal
Category: User manager
Target version:
Start date: 12/27/2014
Due date:
% Done: 0%
Affected version: All
Affected Architecture: All

Description

Following https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory - this does not work if the RADIUS server is specified as IPv6 (whether FQDN or IP does not matter). Authentication works as soon as an IPv4 address is specified for the RADIUS server. (Tested on the latest 2.2 snapshot, though I recall this pretty much never worked even with 2.1.x.)

History

#1 Updated by Jim Pingle over 2 years ago

  • Status changed from New to Confirmed

Just tried this and I'm seeing the same thing against FreeRADIUS2. The IPv6 RADIUS request never leaves the client host if it's 2.2. The client 2.2 host and the RADIUS server have connectivity to each other, can ping6, etc, but a RADIUS request using IPv6 never leaves. IPv4 works fine.

#2 Updated by Kill Bill over 2 years ago

Yep, it just seems to vanish somewhere. :) I deleted the client on the Windows server, and nothing was logged. Normally, you'd get "A RADIUS message was received from the invalid RADIUS client IP address..." error since the client is not authorized (and you get exactly that when you try via IPv4) - but as you said, with IPv6 no request reaches the server.

#3 Updated by Ermal Luçi over 2 years ago

libradius is v4 only for now.
Hence the issue; I think this should be pushed post 2.2 to really be fixed.

#4 Updated by Kill Bill over 2 years ago

Ermal Luçi wrote:

Hence the issue; I think this should be pushed post 2.2 to really be fixed.

Well, whatever is needed... however, this should be noted somewhere in the GUI (or reject IPv6 input), plus if you put a hostname there, it should filter out AAAA records when resolved because otherwise it just blackholes the requests as well.

#5 Updated by Jim Pingle over 2 years ago

  • Target version changed from 2.2 to 2.2.1

FYI- This was the same on pfSense 2.1. It doesn't send out IPv6 RADIUS requests either. So at least it's not a regression.

This can probably be nudged off to at least 2.2.1 for that reason.

#6 Updated by Chris Buechler over 2 years ago

  • Affected version changed from 2.2 to All

#7 Updated by Chris Buechler over 2 years ago

  • Target version changed from 2.2.1 to 2.2.2

#8 Updated by Chris Buechler over 2 years ago

  • Target version changed from 2.2.2 to 2.2.3

#9 Updated by Chris Buechler about 2 years ago

  • Target version changed from 2.2.3 to 2.3

#10 Updated by Chris Buechler almost 2 years ago

  • Target version changed from 2.3 to Future

The underlying RADIUS pieces still don't support IPv6.

I believe this is the root cause of this issue.
https://bugs.php.net/bug.php?id=59619

#11 Updated by Jim Thompson over 1 year ago

  • Assignee set to Renato Botelho

#12 Updated by Kill Bill 5 months ago

After wasting my time once again with hitting the same issue and seeing the total ignorance of the issue by PHP devs, I'd say IPv6 should be refused as input at least.

https://github.com/pfsense/pfsense/pull/3555
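The input handling suggested in comments #4 and #12 (refuse IPv6 literals, and consider only A records when a hostname is given) can be sketched as follows. This is an added example, not pfSense code and not the content of the pull request above; `radius_server_targets()` and its resolver parameter are hypothetical names, and the sample DNS data is constructed.

```php
<?php
// Added example, not pfSense code. radius_server_targets() and the resolver
// parameter are hypothetical names used for illustration.

/**
 * Decide which addresses a v4-only RADIUS client may be pointed at.
 * Returns ['targets' => string[], 'error' => ?string].
 */
function radius_server_targets(string $input, ?callable $resolveA = null): array
{
    $host = trim($input);
    $bare = trim($host, '[]');            // accept the "[2001:db8::1]" spelling too

    // IPv6 literal: refuse up front instead of letting the request vanish.
    if (filter_var($bare, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return ['targets' => [], 'error' => 'IPv6 RADIUS servers are not supported'];
    }
    // IPv4 literal: usable as-is.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return ['targets' => [$host], 'error' => null];
    }
    // Anything else must be a syntactically valid hostname.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return ['targets' => [], 'error' => 'Not a valid IP address or hostname'];
    }
    // Hostname: query A records only, so AAAA answers are never considered.
    $resolveA = $resolveA ?? static function (string $name): array {
        $records = @dns_get_record($name, DNS_A);
        return $records === false ? [] : array_column($records, 'ip');
    };
    $targets = array_values(array_filter(
        $resolveA($host),
        static fn($ip) => filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
    ));
    if ($targets === []) {
        // AAAA-only (or unresolvable) name: fail loudly at configuration time.
        return ['targets' => [], 'error' => "No IPv4 (A) record for $host"];
    }
    return ['targets' => $targets, 'error' => null];
}

// Constructed sample data: a fake resolver so the example runs offline.
$fakeDns = ['radius.example.com' => ['192.0.2.10'], 'v6only.example.com' => []];
$lookup  = static fn(string $n): array => $fakeDns[$n] ?? [];

foreach (['192.0.2.10', '2001:db8::10', '[2001:db8::10]', 'radius.example.com', 'v6only.example.com'] as $in) {
    $r = radius_server_targets($in, $lookup);
    printf("%-22s => %s\n", $in, $r['error'] ?? implode(', ', $r['targets']));
}
```

Rejecting at configuration time turns the silent failure described in this ticket into a visible error, which matters because a blackholed authentication request produces no log entry on either side.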
