Feature #4154

closed

Support for RADIUS authentication over IPv6

Added by Kill Bill over 9 years ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Category: User Manager / Privileges
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default

Description

Following https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory - this does not work if the RADIUS server is specified as IPv6 (whether FQDN or IP does not matter). Authentication works as soon as an IPv4 address is specified for the RADIUS server. (Tested on the latest 2.2 snapshot, though I recall this pretty much never worked even with 2.1.x).

Actions #1

Updated by Jim Pingle over 9 years ago

  • Status changed from New to Confirmed

Just tried this and I'm seeing the same thing against FreeRADIUS2. The IPv6 RADIUS request never leaves the client host if it's 2.2. The client 2.2 host and the RADIUS server have connectivity to each other, can ping6, etc, but a RADIUS request using IPv6 never leaves. IPv4 works fine.

Actions #2

Updated by Kill Bill over 9 years ago

Yep, it just seems to vanish somewhere. :) I deleted the client on the Windows server, and nothing was logged. Normally, you'd get "A RADIUS message was received from the invalid RADIUS client IP address..." error since the client is not authorized (and you get exactly that when you try via IPv4) - but as you said, with IPv6 no request reaches the server.

Actions #3

Updated by Ermal Luçi over 9 years ago

libradius is v4 only for now.
Hence the issue, I think this should be pushed post 2.2 to really be fixed.

Actions #4

Updated by Kill Bill over 9 years ago

Ermal Luçi wrote:

Hence the issue, I think this should be pushed post 2.2 to really be fixed.

Well, whatever is needed... however, this should be noted somewhere in the GUI (or reject IPv6 input), plus if you put a hostname there, it should filter out AAAA records when resolved because otherwise it just blackholes the requests as well.
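The input check suggested in this comment, sketched as an added example (not pfSense code and not part of the thread). It assumes an IPv4-only RADIUS client library as described above; the function name, the injectable resolver and the sample hosts are hypothetical and constructed for illustration.

```php
<?php
// Added example, not pfSense code. Names and the resolver hook are hypothetical.

/**
 * Decide whether a RADIUS server setting is usable by an IPv4-only client.
 * $resolveA is injectable so the check can run offline; by default it asks
 * DNS for A records only, so AAAA answers are never selected.
 * Returns ['ok' => bool, 'addrs' => string[], 'error' => string].
 */
function radius_host_for_ipv4_only_client(string $host, ?callable $resolveA = null): array
{
    $host = trim($host);
    $literal = trim($host, '[]'); // tolerate the bracketed IPv6 literal form

    if (filter_var($literal, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return ['ok' => false, 'addrs' => [], 'error' => 'IPv6 literal, client library is IPv4-only'];
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return ['ok' => true, 'addrs' => [$host], 'error' => ''];
    }
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return ['ok' => false, 'addrs' => [], 'error' => 'not a valid IP address or hostname'];
    }

    // Default resolver: A records only. A name with only AAAA records yields [].
    $resolveA ??= static function (string $name): array {
        $records = @dns_get_record($name, DNS_A);
        return $records === false ? [] : array_column($records, 'ip');
    };
    $addrs = array_values(array_filter(
        $resolveA($host),
        static fn($a) => filter_var($a, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
    ));
    if ($addrs === []) {
        // Fail at configuration time instead of silently dropping requests later.
        return ['ok' => false, 'addrs' => [], 'error' => 'hostname has no A record'];
    }
    return ['ok' => true, 'addrs' => $addrs, 'error' => ''];
}

// Constructed sample inputs (documentation ranges); the resolver is a stub.
$zone = ['radius-dual.example' => ['192.0.2.10'], 'radius-v6.example' => []];
$stub = static fn(string $n): array => $zone[$n] ?? [];
foreach (['192.0.2.10', '[2001:db8::10]', 'radius-dual.example', 'radius-v6.example'] as $h) {
    $r = radius_host_for_ipv4_only_client($h, $stub);
    printf("%-22s %s  %s\n", $h, $r['ok'] ? 'accept' : 'reject', $r['error'] ?: implode(',', $r['addrs']));
}
```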

Actions #5

Updated by Jim Pingle over 9 years ago

  • Target version changed from 2.2 to 2.2.1

FYI- This was the same on pfSense 2.1. It doesn't send out IPv6 RADIUS requests either. So at least it's not a regression.

This can probably be nudged off to at least 2.2.1 for that reason.

Actions #6

Updated by Chris Buechler over 9 years ago

  • Affected Version changed from 2.2 to All

Actions #7

Updated by Chris Buechler about 9 years ago

  • Target version changed from 2.2.1 to 2.2.2

Actions #8

Updated by Chris Buechler about 9 years ago

  • Target version changed from 2.2.2 to 2.2.3

Actions #9

Updated by Chris Buechler almost 9 years ago

  • Target version changed from 2.2.3 to 2.3

Actions #10

Updated by Chris Buechler over 8 years ago

  • Target version changed from 2.3 to Future

The underlying RADIUS pieces still don't support IPv6.

I believe this is the root cause of this issue.
https://bugs.php.net/bug.php?id=59619

Actions #11

Updated by Jim Thompson about 8 years ago

  • Assignee set to Renato Botelho

Actions #12

Updated by Kill Bill about 7 years ago

After wasting my time once again with hitting the same issue and seeing the total ignorance of the issue by PHP devs, I'd say IPv6 should be refused as input at least.

https://github.com/pfsense/pfsense/pull/3555

Actions #13

Updated by Renato Botelho almost 2 years ago

  • Assignee deleted (Renato Botelho)

Actions #14

Updated by Christian McDonald over 1 year ago

  • Status changed from Confirmed to Feedback
  • Assignee set to Christian McDonald
  • Target version changed from Future to CE-Next
  • Plus Target Version set to Plus-Next
  • Release Notes set to Default

Actions #15

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to New

The UI allows adding the IPv6 RADIUS server after that change but it does not appear to be working from PHP auth. No IPv6 packets are sent to the RADIUS server.

The RADIUS server is listening on IPv6 and accepts and authenticates test connections using radtest, so it appears there is still something left to do on the PHP side.

Actions #16

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Resolved
  • Target version changed from CE-Next to 2.7.0
  • Start date deleted (12/27/2014)
  • Plus Target Version changed from Plus-Next to 22.11

Tried it again after going over all the rules and such on both sides and it worked so it must have been in my setup.

Not sure why I never saw the packets leave or states made at first, though, but it's working now and I see two-way traffic.

Actions #17

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01

Actions #18

Updated by Jim Pingle 10 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from RADIUS authentication not working over IPv6 to Support for RADIUS authentication over IPv6
  • % Done changed from 0 to 100
  • Affected Version deleted (All)
  • Affected Architecture deleted (All)