01-26-2023 08:45 AM
Is there any reason why host in radius_client must be an IPv4 address? As I can see, with ad_client it is possible to specify a hostname.
In the reference, host within ad_client is described as:
host
The hostname or IP address of your domain controller or directory server. If this host doesn’t respond to a primary authentication request and no additional hosts are specified (as host_2, host_3, etc.) then the user’s login attempt fails.
But with radius_client it’s:
host
The IP address of your primary RADIUS server. If this host doesn’t respond to a primary authentication request and no additional hosts are specified (as host_2, host_3, etc.) then the user’s login attempt fails.
We would like to have an option to specify a hostname with Radius as well.
01-27-2023 01:22 PM
Hi @jozefrebjak,
Using hostnames in the host config for the [radius_client] section is currently not supported and will cause the Connectivity Tool to error.
Please feel free to submit this and any future Feature Request via your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.
Thank you!
01-27-2023 02:09 PM
@DuoPablo Thanks for a quick answer.
My use case is as follows:
We would like to put Duo Auth Proxy in front of our FreeRadius deployment to authorise users who are connecting to various network devices. Our deployment is fully containerised in Docker Swarm.
I successfully made a Docker image of the Duo Auth Proxy for Linux.
The only limit there is that the radius client host must be an IPv4 address; it does not accept a hostname at all, and we can’t use an overlay network to isolate communication between the services.
Btw, the service will start as normal. This issue appears after the first request from a user.
From my troubleshooting the issue is in:
File "/opt/duoauthproxy/usr/local/lib/python3.8/site-packages/duoauthproxy/lib/radius/server.py", line 96, in datagramReceived
yield self.handle_datagram_received(datagram, host, port)
File "/opt/duoauthproxy/usr/local/lib/python3.8/site-packages/duoauthproxy/lib/radius/server.py", line 114, in handle_datagram_received
request = yield server.protocol._handle_request(datagram, (host, port))
File "/opt/duoauthproxy/usr/local/lib/python3.8/site-packages/Twisted-21.2.0-py3.8.egg/twisted/internet/defer.py", line 1443, in _inlineCallbacks
result = current_context.run(result.throwExceptionIntoGenerator, g)
File "/opt/duoauthproxy/usr/local/lib/python3.8/site-packages/Twisted-21.2.0-py3.8.egg/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/opt/duoauthproxy/usr/local/lib/python3.8/site-packages/duoauthproxy/lib/radius/server.py", line 265, in _handle_request
raise e
File "/opt/duoauthproxy/usr/local/lib/python3.8/site-packages/duoauthproxy/lib/radius/server.py", line 237, in _handle_request
request.response = yield self._get_response(request)
twisted.internet.error.InvalidAddressError: ('radius', 'write() only accepts IP addresses, not hostnames')
If ad_client accepts a hostname, then maybe it is not so hard to implement this feature for Radius as well.
I’ll try to look at that Python code; maybe we should find a way to handle hostnames as well. For now we will wait to see if this could be implemented in the next releases.
We will open a feature request as well.
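Added example, not part of the thread and not Duo's code: one way to work within the IP-only limit described above is to resolve the service name to an IPv4 literal before the proxy starts and write that into the [radius_client] host keys. It assumes the config parses as INI with Python's configparser; the function names, service name, addresses and secret are hypothetical placeholders.

```python
import configparser
import io
import ipaddress
import re
import socket

HOST_KEY = re.compile(r"^host(_\d+)?$")  # host, host_2, host_3, ...

# Constructed sample config; the service name, address and secret are placeholders.
SAMPLE_CFG = """\
[radius_client]
host = freeradius
host_2 = 10.0.9.12
secret = PLACEHOLDER-SHARED-SECRET
"""

def resolve_ipv4(name):
    """Return the first IPv4 address the system resolver gives for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    return infos[0][4][0]

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def pin_radius_hosts(cfg_text, resolver=resolve_ipv4):
    """Replace hostnames in [radius_client] host* keys with IPv4 literals.

    Returns (new_cfg_text, {key: (hostname, ip)}). Comments in the input
    are not preserved, because configparser drops them on write.
    """
    cfg = configparser.RawConfigParser()  # raw: no % interpolation of secrets
    cfg.read_string(cfg_text)
    pinned = {}
    if cfg.has_section("radius_client"):
        for key, value in cfg.items("radius_client"):
            if HOST_KEY.match(key) and not is_ipv4(value):
                ip = resolver(value)  # raises socket.gaierror if unresolvable
                cfg.set("radius_client", key, ip)
                pinned[key] = (value, ip)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), pinned

if __name__ == "__main__":
    print(pin_radius_hosts(SAMPLE_CFG, resolver=lambda name: "10.0.9.11"))
```

The pinned address is only as current as the last run, so the rewrite has to be repeated whenever the RADIUS service's address can change, for example at every container start.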