
RE: Proposed Resolution to Issue 87 (RADIUS MIB Updates)



> A potential conflict would appear to exist if RADIUS servers are
> configured on a NAS with a mixture of IPv4 and IPv6 addresses.  Do we
> have a notion of a single RADIUS server that could be addressed by
> either IPv4 or IPv6?  If the NAS has a dual-mode stack, with both IPv4
> and IPv6 addresses, RADIUS servers would see these as separate NASes,
> based on the shared secret lookup.  Is that right?

Certainly there will be two different shared secret entries, one with the
IPv6 address/shared secret and another with the IPv4 address/shared
secret.  Hopefully the RADIUS client will be a bit more intelligent in not
doing things like failing over from the IPv4 address to the IPv6 address
when the RADIUS server doesn't answer.

However, this does bring up another issue, which is how the RADIUS server
identifies the NAS if it is more than one hop away.  NASes can have more
than one IPv6 address and this makes it possible for a NAS to put a
link-scope address in the NAS-IPv6-Address field.  If the proxy is on the
same link as the RADIUS client, the RADIUS server could receive a packet
with a NAS-IPv6-Address as a link-local address.

The same issue can occur with IPv4 Link Local, and of course a NAS can
have more than one IPv4 and IPv6 address.

One potential suggestion might be to use the NAS-Identifier attribute in
such a situation so as to avoid having to configure the RADIUS server with
all potential NAS addresses.



> I agree that the WG needs to consider all the semantics and operational
> issues of IPv6 support, and document that somewhere, even if the MIB
> isn't the best place.

Sounds like yet another problem for "Issues and Fixes".
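
The identification problem discussed in the message above, as an added example that is not part of the original message or of any RADIUS implementation: a server-side lookup that parses the NAS attributes and refuses to treat a link-scope address as a NAS identity. The preference order (NAS-Identifier first, then a routable address), the function names and the sample packet builder are assumptions made for illustration.

```python
import ipaddress
import struct

# Attribute type codes: RFC 2865 (4, 32) and RFC 3162 (95).
NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS = 4, 32, 95

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the first instance of each attribute."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def nas_key(attrs: dict) -> tuple:
    """Choose the NAS lookup key (assumed policy, see lead-in)."""
    ident = attrs.get(NAS_IDENTIFIER)
    if ident:
        return ("identifier", ident.decode("utf-8", "replace"))
    link_scope = None
    for a_type, size in ((NAS_IPV6_ADDRESS, 16), (NAS_IP_ADDRESS, 4)):
        raw = attrs.get(a_type)
        if raw is None or len(raw) != size:
            continue
        addr = ipaddress.ip_address(raw)
        if not addr.is_link_local:
            return ("address", str(addr))
        # fe80::/10 or 169.254.0.0/16: only meaningful on the NAS's own link
        link_scope = link_scope or str(addr)
    return ("link-scope", link_scope) if link_scope else ("unidentified", None)

def sample_packet(*attrs) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
```

A `link-scope` result is the case the message warns about: a request forwarded by a proxy carries an address that cannot be matched against per-NAS configuration on a server more than one hop away.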
