
Why is my freeradius server ignoring FE80::/16 clients?

client.conf:

    client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other
    }
    client fe80::/16 {
        secret = testing123-2
        shortname = local-link
    }
    client 192.168.0.0/16 {
        secret = testing123-2
        shortname = private-network-1
    }

Chris

1 Answer


You may need to specify that it's an IPv6 address explicitly.

Try using:

    ipv6addr = fe80::%<scope>
    netmask = 16

If that doesn't work, you should upgrade to the latest 3.0.x release.

Arran Cudbard-Bell
  • That didn't work. I get parsing errors or host not found depending on where I place the ipv6addr. Also upgrading isn't ideal since there seem to be changes that won't allow me to easily change to 3.0.x – Chris Nov 05 '15 at 22:36
  • I read through the code. I think the above (updated) should work. If it doesn't you are probably out of luck with the v2.0.x branch. It is officially EOL and unsupported, so even if this is a bug, it will never be fixed. – Arran Cudbard-Bell Nov 05 '15 at 23:36
  • Okay, I got rid of the error but it doesn't work still. It is funny how local-link addresses don't work but Global ipv6 works fine. Thanks for the help. I'll try to upgrade another system to 3.0.x since it now being used by other users. – Chris Nov 05 '15 at 23:51
  • OK, let me know if it still doesn't work in v3.0.x and I'll investigate. Really there's no reason for it not to work, I guess it could be recvmsg reporting a different source IP address for link local... It shouldn't do, but who knows. The client/prefix lookup tree should work identically for v4 and v6. – Arran Cudbard-Bell Nov 06 '15 at 04:32
  • I upgraded to 3.0.10 and it is still ignoring the address for local link. IPv6 localhost [::1] is working. – Chris Nov 06 '15 at 17:37
  • I tested locally, and it works fine. You do however need to provide the scope of the address e.g. fe80::%. – Arran Cudbard-Bell Nov 06 '15 at 22:35
  • Was the scope set on the client side or server side? – Chris Nov 06 '15 at 22:52
  • Both, and server refused to bind without scope. – Arran Cudbard-Bell Nov 06 '15 at 22:53
  • So researching this further, I wrote a patch to allow clients with scope 0, to act as a 'wildcard' fe80:: clients as per RFC 4007 (or at least my interpretation of it). But radclient doesn't recognise the response, I think it's an artefact of the sender/receiver being on the same machine. To bind a link-local interface you need to specify scope in sin6_scope_id. You're also not allowed to bind to fe80::% which is stupid. Listening on link local addresses would seem to have limited applications. So I'm curious, what are you using it for :)? – Arran Cudbard-Bell Nov 08 '15 at 05:32
  • Also you should be using netmask /10, but it doesn't really matter. – Arran Cudbard-Bell Nov 08 '15 at 05:34
  • Basically the reason I'm using the local link is because we are not allowed to use global IP address on the network. People on my team want to test IPv6 so they want to use local link instead of connecting their device to the IPv6 private network. – Chris Nov 09 '15 at 16:23
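As an added example, not FreeRADIUS code and not anything posted in this thread: a small Python model of the client lookup the answer and comments describe. It parses client { ... } blocks in the clients.conf style, picks the most specific matching client for a request's source address (longest prefix wins), and applies a scope rule to link-local entries: an entry written with a scope (fe80::%eth0) only matches packets arriving on that interface, while an entry with no scope matches any interface. Assumptions: the IFINDEX map stands in for socket.if_nametoindex(), the no-scope wildcard rule follows Arran's description of his patch rather than any documented FreeRADIUS guarantee, and the sample clients.conf is constructed for the example (it uses the /10 netmask from the comments, so febf::1 matches where the question's /16 would not).

```python
"""Toy model of the FreeRADIUS client lookup discussed above (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed stand-in for socket.if_nametoindex(); the real call only works
# for interfaces that exist on the host running the script.
IFINDEX = {"eth0": 2, "eth1": 3}

# Constructed clients.conf: the question's blocks, the link-local block with an
# explicit scope and the /10 netmask from the comments, plus one /32 client.
CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
}
client link-local-eth0 {
    ipv6addr = fe80::%eth0      # only NASes on the eth0 link
    netmask = 10                # fe80::/10 is the whole link-local range
    secret = testing123-2
    shortname = local-link
}
client 192.168.0.0/16 {
    secret = testing123-2
    shortname = private-network-1
}
client 192.168.1.5 {
    secret = nas-specific
    shortname = nas-1
}
"""

_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)


@dataclass(frozen=True)
class Client:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    secret: str
    shortname: str
    scope_id: int = 0  # 0 = any interface; non-zero only makes sense for link-local


def _scope_index(scope: str) -> int:
    """'' -> 0 (wildcard), '2' -> 2, 'eth0' -> IFINDEX['eth0']."""
    if not scope:
        return 0
    return int(scope) if scope.isdigit() else IFINDEX[scope]


def parse_clients(conf: str) -> list[Client]:
    clients = []
    for name, body in _BLOCK.findall(conf):
        kv = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                kv[key] = value
        # ipv6addr/ipaddr win; otherwise the block name is the address or prefix
        addr = kv.get("ipv6addr") or kv.get("ipaddr") or name
        addr, _, scope = addr.partition("%")
        if "/" not in addr and "netmask" in kv:
            addr = f"{addr}/{kv['netmask']}"
        clients.append(Client(ipaddress.ip_network(addr, strict=False),
                              kv["secret"], kv.get("shortname", name),
                              _scope_index(scope)))
    return clients


def find_client(clients: list[Client], sockaddr: tuple) -> Optional[Client]:
    """Select the client for a packet's source sockaddr as recvfrom() returns it:
    (host, port) for IPv4, (host, port, flowinfo, scope_id) for IPv6; on Linux
    the host of a link-local peer also carries the scope, e.g. 'fe80::1%eth0'."""
    host, _, scope = sockaddr[0].partition("%")
    scope_id = sockaddr[3] if len(sockaddr) == 4 else 0
    if scope:
        scope_id = _scope_index(scope)
    addr = ipaddress.ip_address(host)
    best = None
    for c in clients:
        if addr.version != c.network.version or addr not in c.network:
            continue
        if c.scope_id and c.scope_id != scope_id:
            continue  # link-local client pinned to a different interface
        # longest prefix first; at equal length an exact scope beats the wildcard
        rank = (c.network.prefixlen, c.scope_id == scope_id)
        if best is None or rank > best[0]:
            best = (rank, c)
    return best[1] if best else None


if __name__ == "__main__":
    table = parse_clients(CLIENTS_CONF)
    for sa in [("192.168.1.5", 1812), ("fe80::1%eth0", 1812, 0, 2),
               ("fe80::1", 1812, 0, 3), ("febf::1", 1812, 0, 2)]:
        c = find_client(table, sa)
        print(sa[0], "->", c.shortname if c else "no client (request dropped)")
```

The point of the scope handling is the one the comments circle around: a real IPv6 sockaddr carries the interface in sin6_scope_id (the fourth tuple element here), so a link-local client definition is only unambiguous together with that scope, and a packet from fe80::1 on eth1 is not the same peer as fe80::1 on eth0. A request that matches no client returns None, which is the "ignoring" behaviour in the question: FreeRADIUS drops packets from unknown clients without replying.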