ocserv trying to assign IP address 255.255.255.254 to tun device causes authentication failed

syouwa syouwa at gmail.com
Tue Jan 17 08:42:33 PST 2017


Thanks Nikos. After removing Framed-IP-Address from radgroupreply it 
worked fine.

But the patch doesn't seem to work, even after I changed "if (ipv4 != 
0xffffffff && ipv4 != 0xfffffffe) "  to  "if (ipv4 != 0xffffffff || ipv4 
!= 0xfffffffe) "

...

ocserv[6470]: sec-mod: initiating session for user 'syouwa at gmail.com' 
(session: hh1Ksv)
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 new user session
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 assigned 
IPv4: 255.255.255.254
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 assigning tun 
device vpns0
ocserv[6469]: main: tun.c:386: vpns0: Error setting DST IPv4: Invalid 
argument
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 failed 
authentication attempt for user 'syouwa at gmail.com'

...


Regards,
David

On 2017/1/17 23:47, Nikos Mavrogiannopoulos wrote:
> On Tue, Jan 17, 2017 at 3:48 PM, syouwa <syouwa at gmail.com> wrote:
>> FreeRADIUS is my authentication method. I found that ocserv is trying to assign
>> IP address 255.255.255.254 to the tun device, and that seems to have caused
>> authentication to fail. 255.255.255.254 is the value of the Framed-IP-Address
>> attribute defined in the radgroupreply table. Is this a bug?
>>
>> ...
>> ocserv[6517]: radius-auth: opening session
>> QEZrDavGuU+alu9EEOX7WGVCXl/kRtD0iD9rZAPEGY8=
>> ocserv[6517]: sec-mod: initiating session for user 'syouwa at gmail.com'
>> (session: QEZrDa)
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 new user session
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 assigned IPv4:
>> 255.255.255.254
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 assigning tun
>> device vpns0
>> ocserv[6516]: main: tun.c:386: vpns0: Error setting DST IPv4: Invalid
>> argument
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 failed
>> authentication attempt for user 'syouwa at gmail.com'
> Looks easy to fix. Can you try the patch at:
> https://gitlab.com/ocserv/ocserv/merge_requests/35
>
> Alternatively, you can configure the server not to send the Framed-IP-Address.
>
> regards,
> Nikos
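
An added example, not part of the original thread and not ocserv's own code: a sketch of how a server can treat the two reserved Framed-IP-Address values from RFC 2865 (0xffffffff and 0xfffffffe) as "do not put this on the tun device, lease from the pool instead". The function and enum names are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 2865 section 5.8 reserved Framed-IP-Address values (host byte order). */
#define FRAMED_IP_USER_SELECTS 0xffffffffu /* client may choose its address */
#define FRAMED_IP_NAS_SELECTS  0xfffffffeu /* server picks, e.g. from its pool */

enum lease_source { LEASE_FROM_POOL, LEASE_EXPLICIT };

/* Hypothetical helper: decide whether a RADIUS-supplied address is a real
 * address for the tun device or a sentinel meaning "use the pool".
 * `framed` is in network byte order, as it arrives in the attribute. */
enum lease_source classify_framed_ip(struct in_addr framed)
{
    /* Compare in host order. Without ntohl() a little-endian host sees
     * 255.255.255.254 as 0xfeffffff and the sentinel test never matches. */
    uint32_t ipv4 = ntohl(framed.s_addr);

    /* Both comparisons must hold. Joined with || the condition is true for
     * every input, because no value equals both sentinels at once. */
    if (ipv4 != FRAMED_IP_USER_SELECTS && ipv4 != FRAMED_IP_NAS_SELECTS)
        return LEASE_EXPLICIT;
    return LEASE_FROM_POOL;
}

/* Wrapper for dotted-quad input; returns -1 on a malformed string. */
int classify_framed_ip_str(const char *text)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return -1;
    return (int)classify_framed_ip(a);
}

int main(void)
{
    /* Constructed sample values, not taken from any real deployment. */
    const char *samples[] = { "255.255.255.254", "255.255.255.255", "10.10.0.5" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               classify_framed_ip_str(samples[i]) == LEASE_EXPLICIT
                   ? "assign as given" : "lease from pool");
    return 0;
}
```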
