[Oisf-users] Suricata in-line af-packet appears to be messing with RADIUS from my APs
Eric Leblond
eric at regit.org
Tue May 30 23:52:34 UTC 2017
Hello,
On Tue, 2017-05-30 at 21:35 +0000, Dylan B. Walter wrote:
> Hi,
>
> First-time poster here. I have Suricata in-line running in af-packet
> mode using the binary packages in the apt repository, iptables
> completely empty on Ubuntu 16.04, fully patched. It sits between my
> router and switch on an 802.1q trunk. All services work fine for
> wired clients on all 4 VLANs. RADIUS logons work to my Cisco
> Catalyst switch (UDP 1645 auth/1646 accounting), but my Meraki WAPs'
> RADIUS fails (UDP 1812 auth). If I disable Suricata and flip my
> inline pair to a bridge it works just fine. I considered that maybe
> it was just 1812 and switched the Merakis to use 1645: same
> behavior. If I capture packets from the IPS, from the perimeter
> router, from the core firewall, and from the RADIUS server itself it
> looks the same:
>
> Access-Request WAP->Radius Server
> Access-Challenge Radius Server->WAP
> Access-Request WAP->Radius Server
> Access-Challenge Radius Server->WAP (fragmented and re-assembled)
>
> What's weird is I see nothing in fast.log or drop.log referencing my
> AP's IP, nor my RADIUS server, so one would think that means it's not
> acting on it, but the problem goes away when it's bypassed.
>
> I can include sanitized config snippets if that's helpful.
Yes, could you paste the af-packet section of your suricata.yaml config?
The main problem can be with the defrag option in af-packet, which has
to be set to no.
Also there is a problem in some cases that is addressed by the
following code:
https://github.com/regit/suricata/tree/misc-20170510-v3
In particular this is fixing
https://redmine.openinfosecfoundation.org/issues/2099
It would be really nice if you could give this branch a try.
BR,
--
Eric
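Added example, not part of Eric's reply or of the Suricata project's own files: an af-packet stanza for the inline pair described in the thread, with the defrag setting changed to the value Eric asks for. The interface names eth1/eth2, the cluster-id and the thread count are assumptions; substitute your own. Only the keys shown are assumed to exist in a Suricata 3.x/4.x suricata.yaml.

```yaml
# af-packet inline pair, added example (assumed interface names eth1/eth2).
# In IPS mode af-packet copies every packet it accepts from one interface
# of the pair straight onto the other, so the capture-side options below
# apply to what gets re-emitted, not only to what Suricata inspects.
af-packet:
  - interface: eth1
    threads: 1              # assumption: one thread per side, cluster-id shared
    cluster-id: 98
    cluster-type: cluster_flow
    # defrag: yes           <- setting to check for; Eric's mail: has to be "no"
    defrag: no              # do not let the kernel reassemble IP fragments
                            # before Suricata sees them on an inline pair
    copy-mode: ips          # forward accepted packets to copy-iface, drop the rest
    copy-iface: eth2
    use-mmap: yes
    buffer-size: 64535
  - interface: eth2
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no              # same on both sides of the pair
    copy-mode: ips
    copy-iface: eth1
    use-mmap: yes
    buffer-size: 64535
```

After changing the setting, reproduce the test from the original post: an 802.1X logon from the Meraki WAP against the RADIUS server, with a capture on both interfaces of the pair, so the fragmented Access-Challenge can be seen entering one side and leaving the other. If the behaviour is unchanged with defrag: no, that is the case the misc-20170510-v3 branch in Eric's mail is meant to cover.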