Feature #4154
Closed
Support for RADIUS authentication over IPv6
Added by Kill Bill almost 10 years ago. Updated over 1 year ago.
100%
Description
Following https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory - this does not work if the RADIUS server is specified as IPv6 (whether FQDN or IP does not matter). Authentication works as soon as an IPv4 address is specified for the RADIUS server. (Tested on latest 2.2 snapshot, though I recall this pretty much never worked even with 2.1.x).
Updated by Jim Pingle almost 10 years ago
- Status changed from New to Confirmed
Just tried this and I'm seeing the same thing against FreeRADIUS2. The IPv6 RADIUS request never leaves the client host if it's 2.2. The client 2.2 host and the RADIUS server have connectivity to each other, can ping6, etc, but a RADIUS request using IPv6 never leaves. IPv4 works fine.
Updated by Kill Bill almost 10 years ago
Yep, it just seems to vanish somewhere. :) I deleted the client on the Windows server, and nothing logged. Normally, you'd get "A RADIUS message was received from the invalid RADIUS client IP address..." error since the client is not authorized (and you get exactly that when you try via IPv4) - but as you said, with IPv6 no request reaches the server.
Updated by Ermal Luçi almost 10 years ago
libradius is v4 only for now.
Hence the issue, I think this should be pushed post 2.2 to really be fixed.
Updated by Kill Bill almost 10 years ago
Ermal Luçi wrote:
Hence the issue, I think this should be pushed post 2.2 to really be fixed.
Well, whatever is needed... however, this should be noted somewhere in the GUI (or reject IPv6 input), plus if you put a hostname there, it should filter out AAAA records when resolved because otherwise it just blackholes the requests as well.
Updated by Jim Pingle almost 10 years ago
- Target version changed from 2.2 to 2.2.1
FYI - This was the same on pfSense 2.1. It doesn't send out IPv6 RADIUS requests either. So at least it's not a regression.
This can probably be nudged off to at least 2.2.1 for that reason.
Updated by Chris Buechler almost 10 years ago
- Affected Version changed from 2.2 to All
Updated by Chris Buechler almost 10 years ago
- Target version changed from 2.2.1 to 2.2.2
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2.2 to 2.2.3
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2.3 to 2.3
Updated by Chris Buechler about 9 years ago
- Target version changed from 2.3 to Future
The underlying RADIUS pieces still don't support IPv6.
I believe this is the root cause of this issue.
https://bugs.php.net/bug.php?id=59619
Updated by Kill Bill almost 8 years ago
After wasting my time once again with hitting the same issue and seeing the total ignorance of the issue by PHP devs, I'd say IPv6 should be refused as input at least.
Updated by Christian McDonald about 2 years ago
- Status changed from Confirmed to Feedback
- Assignee set to Christian McDonald
- Target version changed from Future to CE-Next
- Plus Target Version set to Plus-Next
- Release Notes set to Default
https://gitlab.netgate.com/pfSense/pfSense/-/commit/5f9666a1b3a81f289c7c02954f9f92d3b989a346
RADIUS authentication now supports IPv6.
Updated by Jim Pingle about 2 years ago
- Status changed from Feedback to New
The UI allows adding the IPv6 RADIUS server after that change but it does not appear to be working from PHP auth. No IPv6 packets are sent to the RADIUS server.
The RADIUS server is listening on IPv6 and accepts and authenticates test connections using radtest, so it appears there is still something left to do on the PHP side.
Updated by Jim Pingle about 2 years ago
- Status changed from New to Resolved
- Target version changed from CE-Next to 2.7.0
- Start date deleted (12/27/2014)
- Plus Target Version changed from Plus-Next to 22.11
Tried it again after going over all the rules and such on both sides and it worked so it must have been in my setup.
Not sure why I never saw the packets leave or states made at first, though, but it's working now and I see two-way traffic.
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle over 1 year ago
- Tracker changed from Bug to Feature
- Subject changed from RADIUS authentication not working over IPv6 to Support for RADIUS authentication over IPv6
- % Done changed from 0 to 100
- Affected Version deleted (All)
- Affected Architecture deleted (All)