[Oisf-users] Suricata in-line af-packet appears to be messing with RADIUS from my APs

Eric Leblond eric at regit.org
Tue May 30 23:52:34 UTC 2017


Hello,

On Tue, 2017-05-30 at 21:35 +0000, Dylan B. Walter wrote:
> 
> Hi,
>  
> First time poster here.  I have Suricata in-line running in af-packet 
> mode using the binary packages in the apt repository, iptables
> completely empty on Ubuntu 16.04, fully patched.  It sits between my
> router and switch on an 802.1q trunk.  All services work fine for
> wired clients on all 4 VLANs.  RADIUS logons work to my Cisco
> Catalyst switch (UDP 1645 auth/1646 accounting), but my Meraki WAPs'
> RADIUS fails (UDP 1812 auth).  If I disable Suricata and flip my
> inline pair to a bridge it works just fine.  I considered that maybe
> it was just 1812 and switched the Merakis to use 1645; same
> behavior.  If I capture packets from the IPS, from the perimeter
> router, from the core firewall, and from the RADIUS server itself it
> looks the same:
>  
> Access-Request WAP->Radius Server
> Access-Challenge Radius Server->WAP
> Access-Request WAP->Radius Server
> Access-Challenge Radius Server->WAP (fragmented and re-assembled)
>  
> What’s weird is I see nothing in fast.log or drop.log referencing my
> AP’s IP, nor my RADIUS server, so one would think that means it’s not
> acting on it, but the problem goes away when it’s bypassed.
>  
> I can include sanitized config snippets if that’s helpful.

Yes, could you paste the af-packet section of your suricata.yaml config?

The main problem can be the defrag option in af-packet, which has to be
set to no.

Also there is a problem in some cases that is addressed by the
following code:
https://github.com/regit/suricata/tree/misc-20170510-v3
In particular this is fixing
https://redmine.openinfosecfoundation.org/issues/2099

It would be really nice if you could give this branch a try.

BR,
--
Eric
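The af-packet section Eric asks for, written out as an added example that is not from the thread or from the Suricata project's own configuration files: an inline (IPS copy-mode) pair with kernel-side defragmentation switched off, which is the setting he says has to be `no`. The interface names, cluster ids and buffer size are assumptions; adapt them to the inline pair on the trunk.

```yaml
# Added example (not from the thread): suricata.yaml af-packet section for an
# inline bridge pair. Interface names, cluster ids and buffer size are assumed.
af-packet:
  - interface: eth1            # assumed: side facing the router
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    # Kernel-side defragmentation stays off in inline mode, as the reply above
    # advises. Suricata reassembles IP fragments itself for inspection, so the
    # fragmented Access-Challenge is still inspected as one datagram while the
    # original fragments are what get copied to the peer interface.
    defrag: no
    copy-mode: ips             # drop on a drop rule, forward everything else
    copy-iface: eth2           # assumed: peer interface of the inline pair
    use-mmap: yes
    buffer-size: 64535
  - interface: eth2            # assumed: side facing the switch
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: eth1
    use-mmap: yes
    buffer-size: 64535
```

Each interface of the pair needs its own entry with `copy-iface` pointing at the other one, and `defrag: no` on both. After restarting Suricata, the fragmented Access-Challenge from the capture sequence above is the packet to recheck on the switch side: if the AP now completes its Access-Request/Access-Challenge exchange without any entry in fast.log or drop.log, the defrag setting was the cause; if it still fails, the branch Eric links is the next thing to try.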
