[Oisf-users] Suricata in-line af-packet appears to be messing with RADIUS from my APs

Eric Leblond eric at regit.org
Tue May 30 23:52:34 UTC 2017


On Tue, 2017-05-30 at 21:35 +0000, Dylan B. Walter wrote:
> Hi,
> First time poster here.  I have Suricata in-line running in af-packet
> mode using the binary packages in the apt repository, iptables
> completely empty on Ubuntu 16.04, fully patched.  It sits between my
> router and switch on an 802.1q trunk.  All services work fine for
> wired clients on all 4 VLANs.  RADIUS logons work to my Cisco
> Catalyst switch (UDP 1645 auth/1646 accounting), but my Meraki WAPs’
> RADIUS fails (UDP 1812 auth).  If I disable Suricata and flip my
> inline pair to a bridge it works just fine.  I considered that maybe
> it was just 1812 and switched the Merakis to use 1645, same
> behavior.  If I capture packets from the IPS, from the perimeter
> router, from the core firewall, and from the RADIUS server itself it
> looks the same:
> Access-Request WAP->RADIUS Server
> Access-Challenge RADIUS Server->WAP
> Access-Request WAP->RADIUS Server
> Access-Challenge RADIUS Server->WAP (fragmented and re-assembled)
> What’s weird is I see nothing in fast.log or drop.log referencing my
> AP’s IP, nor my RADIUS server, so one would think that means it’s not
> acting on it, but the problem goes away when it’s bypassed.
> I can include sanitized config snippets if that’s helpful.

Yes, could you paste the af-packet section of your suricata.yaml config?

The main problem can be with the defrag option in af-packet, which has to
be set to no.

Also, there is a problem in some cases that is addressed by the
following code:
In particular this is fixing https://redmine.openinfosecfoundation.org/

It would be really nice if you could give this branch a try.
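For illustration, here is an af-packet section of the kind asked for above, as an added example that is not from this thread or from the Suricata project: an inline pair in copy-mode ips, showing the defrag setting the reply says must be "no" next to the problematic value. Interface names, cluster-ids and buffer sizes are assumed.

```yaml
# Added example (not from the thread): af-packet section of suricata.yaml
# for an inline pair.  Interface names and cluster-ids are assumed.
#
# Before: defrag left at "yes".  With this option the kernel reassembles
# IP fragments before handing the packet to Suricata, so a fragmented
# datagram such as the Access-Challenge above reaches the engine (and the
# copy interface) as one reassembled packet rather than as the original
# fragments.
#
#   - interface: enp2s0
#     defrag: yes
#     copy-mode: ips
#     copy-iface: enp3s0
#
# After: defrag set to "no" on both sides of the pair, as the reply
# advises, so fragments are passed through as received.
af-packet:
  - interface: enp2s0        # router-facing side (assumed name)
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no               # inline: the kernel must not reassemble
    copy-mode: ips
    copy-iface: enp3s0
    use-mmap: yes
    buffer-size: 64535
  - interface: enp3s0        # switch-facing side (assumed name)
    threads: 1
    cluster-id: 97           # each interface needs its own cluster-id
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: enp2s0
    use-mmap: yes
    buffer-size: 64535
```

The commented "before" lines are shown only for comparison; a real suricata.yaml carries a single af-packet section.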
