Feature #1001
Add support for some IPv6 RADIUS attributes
Description
Hello.
Please add support for processing ipv6 related attributes from radius in addition to ipv4 ones.
Associated revisions
eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in accounting messages
This attribute is more appropriate for single IPv6 virtual IPs than the
Framed-IPv6-Prefix attribute.
Fixes #1001.
eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address attributes
Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes").
References #1001.
History
#1 Updated by Tobias Brunner about 5 years ago
- Subject changed from Unsupported radius attrib to Unsupported IPv6 RADIUS attributes
- Status changed from New to Feedback
Please add support for processing ipv6 related attributes from radius in addition to ipv4 ones.
While RFC 3162 defines RADIUS attributes for IPv6 (Framed-Interface-Id, Framed-IPv6-Prefix) these currently don't have a counterpart in strongSwan's IKE implementation. That's mainly because we currently don't support RFC 5739, which defines the corresponding INTERNAL_IP6_LINK and INTERNAL_IP6_PREFIX configuration attributes.
One attribute defined in RFC 3162 that could be handled quite easily is Framed-IPv6-Pool, which we could use to find an address pool by name from which to assign an IP to the client.
#2 Updated by Michał Zegan about 5 years ago
I believe there is framed_ipv6_address attribute too. rfc6911, section 3.1, or I misread something?
Tobias Brunner wrote:
Please add support for processing ipv6 related attributes from radius in addition to ipv4 ones.
While RFC 3162 defines RADIUS attributes for IPv6 (Framed-Interface-Id, Framed-IPv6-Prefix) these currently don't have a counterpart in strongSwan's IKE implementation. That's mainly because we currently don't support RFC 5739, which defines the corresponding INTERNAL_IP6_LINK and INTERNAL_IP6_PREFIX configuration attributes.
One attribute defined in RFC 3162 that could be handled quite easily is Framed-IPv6-Pool, which we could use to find an address pool by name from which to assign an IP to the client.
#3 Updated by Tobias Brunner about 5 years ago
I believe there is framed_ipv6_address attribute too. rfc6911, section 3.1, or I misread something?
No, you are quite right. Didn't see that. The patch in the radius-ipv6 branch adds support for the Framed-IPv6-Address and DNS-Server-IPv6-Address attributes.
#4 Updated by Michał Zegan about 5 years ago
Actually a suggestion:
Strongswan sends Framed-IPv6-Prefix in accounting requests. Shouldn't it actually send Framed-IPv6-Address? I believe it would be more appropriate, but not sure.
#5 Updated by Tobias Brunner about 5 years ago
Actually a suggestion:
Strongswan sends Framed-IPv6-Prefix in accounting requests. Shouldn't it actually send Framed-IPv6-Address? I believe it would be more appropriate, but not sure.
Yes, probably. The comment there indicates an attempt to map the single IPv6 addresses we assign to clients to the Framed-IPv6-Prefix attribute. I pushed another commit to the radius-ipv6 branch that implements your suggestion.
#6 Updated by Tobias Brunner almost 5 years ago
- Subject changed from Unsupported IPv6 RADIUS attributes to Add support for some IPv6 RADIUS attributes
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.3.3
- Resolution set to Fixed
eap-radius: Add support for some basic IPv6-specific RADIUS attributes
These are defined in RFC 6911.
Fixes #1001.