ocserv trying to assign IP address 255.255.255.254 to tun device causes authentication failed
syouwa
syouwa at gmail.com
Tue Jan 17 08:42:33 PST 2017
Thanks Nikos. After removing Framed-IP-Address from radgroupreply it
worked fine.
But the patch doesn't seem to work, even after I changed "if (ipv4 !=
0xffffffff && ipv4 != 0xfffffffe) " to "if (ipv4 != 0xffffffff || ipv4
!= 0xfffffffe) "
...
ocserv[6470]: sec-mod: initiating session for user 'syouwa at gmail.com'
(session: hh1Ksv)
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 new user session
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 assigned
IPv4: 255.255.255.254
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 assigning tun
device vpns0
ocserv[6469]: main: tun.c:386: vpns0: Error setting DST IPv4: Invalid
argument
ocserv[6469]: main[syouwa at gmail.com]: 111.202.52.130:50618 failed
authentication attempt for user 'syouwa at gmail.com'
...
Regards,
David
On 2017/1/17 23:47, Nikos Mavrogiannopoulos wrote:
> On Tue, Jan 17, 2017 at 3:48 PM, syouwa <syouwa at gmail.com> wrote:
>> FreeRADIUS is my authentication method. I found that ocserv is trying to
>> assign IP address 255.255.255.254 to the tun device, and that seems to have
>> caused the authentication failure. 255.255.255.254 is the value of the
>> Framed-IP-Address attribute defined in the radgroupreply table. Is this a bug?
>>
>> ...
>> ocserv[6517]: radius-auth: opening session
>> QEZrDavGuU+alu9EEOX7WGVCXl/kRtD0iD9rZAPEGY8=
>> ocserv[6517]: sec-mod: initiating session for user 'syouwa at gmail.com'
>> (session: QEZrDa)
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 new user session
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 assigned IPv4:
>> 255.255.255.254
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 assigning tun
>> device vpns0
>> ocserv[6516]: main: tun.c:386: vpns0: Error setting DST IPv4: Invalid
>> argument
>> ocserv[6516]: main[syouwa at gmail.com]: 111.202.52.130:50127 failed
>> authentication attempt for user 'syouwa at gmail.com'
> Looks easy to fix. Can you try the patch at:
> https://gitlab.com/ocserv/ocserv/merge_requests/35
>
> Alternatively, you can configure the server not to send the Framed-IP-Address.
>
> regards,
> Nikos
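
An added example, not part of the thread and not ocserv's code: RFC 2865 section 5.8 reserves two Framed-IP-Address values, 0xFFFFFFFF (the user selects the address) and 0xFFFFFFFE (the NAS selects it, for example from its pool), so neither should reach the tun device as a literal address. The sketch below classifies the attribute value and evaluates the two conditions quoted in the message; all function and enum names are hypothetical, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Reserved Framed-IP-Address values, RFC 2865 section 5.8 (host byte order). */
#define FRAMED_IP_USER_SELECTS 0xffffffffu /* 255.255.255.255: user negotiates */
#define FRAMED_IP_NAS_SELECTS  0xfffffffeu /* 255.255.255.254: NAS picks from pool */

enum ip_source { IP_FROM_RADIUS, IP_FROM_POOL, IP_NEGOTIATED };

/* Decode the 4-octet attribute value (network byte order on the wire). */
uint32_t framed_ip_decode(const unsigned char v[4])
{
    return ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) |
           ((uint32_t)v[2] << 8) | (uint32_t)v[3];
}

/* The "&&" condition quoted in the message: true only for a real address. */
int explicit_addr_and(uint32_t ipv4)
{
    return ipv4 != FRAMED_IP_USER_SELECTS && ipv4 != FRAMED_IP_NAS_SELECTS;
}

/* The "||" variant quoted in the message: no value equals both constants,
 * so this is true for every input, including the two reserved ones. */
int explicit_addr_or(uint32_t ipv4)
{
    return ipv4 != FRAMED_IP_USER_SELECTS || ipv4 != FRAMED_IP_NAS_SELECTS;
}

/* Hypothetical helper: decide where the client address should come from. */
enum ip_source classify_framed_ip(const unsigned char v[4])
{
    uint32_t ipv4 = framed_ip_decode(v);
    if (ipv4 == FRAMED_IP_NAS_SELECTS)  return IP_FROM_POOL;
    if (ipv4 == FRAMED_IP_USER_SELECTS) return IP_NEGOTIATED;
    return IP_FROM_RADIUS;
}

int main(void)
{
    /* Constructed samples: the value from the log, the other reserved value,
     * and an ordinary address. */
    const unsigned char samples[3][4] = {{255,255,255,254},{255,255,255,255},{10,8,0,5}};
    for (int i = 0; i < 3; i++) {
        uint32_t ip = framed_ip_decode(samples[i]);
        printf("0x%08x source=%d and=%d or=%d\n", (unsigned)ip,
               classify_framed_ip(samples[i]), explicit_addr_and(ip), explicit_addr_or(ip));
    }
    return 0;
}
```

The comparison only holds if the constants and the decoded value are in the same byte order: on a little-endian host, 255.255.255.254 kept in network byte order reads as 0xfeffffff, not 0xfffffffe.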