Tunnel-Private-Group-ID undefined tag.

Nathan Ward lists+freeradius at daork.net
Mon Jan 21 22:55:23 CET 2019



> On 22/01/2019, at 10:40 AM, Fabrice Durand <fdurand at inverse.ca> wrote:
> 
> Sorry for the screen capture.
> 
> Here the reply with tag equal to 1:
> 
> Frame 6: 80 bytes on wire (640 bits), 80 bytes captured (640 bits) on interface 0
> Ethernet II, Src: Vmware_1c:1f:3d (00:0c:29:1c:1f:3d), Dst: Vmware_9d:00:59 (00:50:56:9d:00:59)
> Internet Protocol Version 4, Src: 172.20.135.4, Dst: 172.20.110.250
> User Datagram Protocol, Src Port: 1812, Dst Port: 34863
> RADIUS Protocol
>     Code: Access-Accept (2)
>     Packet identifier: 0x86 (134)
>     Length: 38
>     Authenticator: 9bbbb286df738ecf24be871d7b95de37
>     [This is a response to a request in frame 5]
>     [Time from request: 0.011010775 seconds]
>     Attribute Value Pairs
>         AVP: t=Tunnel-Type(64) l=6 Tag=0x01 val=VLAN(13)
>         AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x01 val=IEEE-802(6)
>         AVP: t=Tunnel-Private-Group-Id(81) l=6 Tag=0x01 val=195
> 
> And the one with the tag unset:
> 
> Frame 6: 79 bytes on wire (632 bits), 79 bytes captured (632 bits) on interface 0
> Ethernet II, Src: Vmware_1c:1f:3d (00:0c:29:1c:1f:3d), Dst: Vmware_9d:00:59 (00:50:56:9d:00:59)
> Internet Protocol Version 4, Src: 172.20.135.4, Dst: 172.20.110.250
> User Datagram Protocol, Src Port: 1812, Dst Port: 34863
> RADIUS Protocol
>     Code: Access-Accept (2)
>     Packet identifier: 0x87 (135)
>     Length: 37
>     Authenticator: 50e7dce3cdc0c2d5391576d11372c573
>     [This is a response to a request in frame 5]
>     [Time from request: 0.003153571 seconds]
>     Attribute Value Pairs
>         AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
>         AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
>         AVP: t=Tunnel-Private-Group-Id(81) l=5 val=195
> 
> 
> You can see that when there is no tag then it is missing Tag=0x00 for the attribute 81.


Ah, I see. String type attributes in RFC2868 have a different treatment to Integer types. What a weird solution.

String types (incl. Tunnel-Private-Group-ID) permit the tag to be 0x01-0x1F if it’s to be interpreted as a “tag”; if greater than 0x1F, it is interpreted as the first byte of the string.

Either way 0x00 is not a permitted tag value for string attributes, set it to 1 through 31 if you require it to be set to something.

The “tag” in those other attributes is “unused” per the RFC.

--
Nathan Ward
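
An added example, not part of the original thread and not FreeRADIUS code: a decoder for the three tunnel attributes in the captures, applying the RFC 2868 tag rules described in the reply above. The function names and the choice to raise an error on a 0x00 first octet in a string attribute are assumptions of this example; the byte strings are constructed from the AVPs shown in the two captures.

```python
# Attribute numbers as shown in the captures above.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
INTEGER_TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
STRING_TAGGED = {TUNNEL_PRIVATE_GROUP_ID}

def split_avps(data):
    """Yield (type, value_bytes) for each type/length/value attribute."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d" % length)
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def decode_tagged(attr_type, value):
    """Return (tag, value); tag is None when no tag is in use."""
    if attr_type in INTEGER_TAGGED:
        # Always one tag octet (0x00 = unused) plus a 3-octet integer.
        if len(value) != 4:
            raise ValueError("integer tunnel attribute must carry 4 octets")
        if value[0] > 0x1F:
            raise ValueError("tag outside 0x00-0x1F")
        return (value[0] or None), int.from_bytes(value[1:], "big")
    if attr_type in STRING_TAGGED:
        if not value:
            raise ValueError("empty string attribute")
        first = value[0]
        if first == 0x00:
            # Assumption of this example: reject rather than guess.
            raise ValueError("0x00 is not a permitted tag for string attributes")
        if first <= 0x1F:
            return first, value[1:].decode("ascii")
        # Above 0x1F the octet is the first character of the string itself.
        return None, value.decode("ascii")
    raise ValueError("attribute %d is not handled here" % attr_type)

def decode_all(data):
    """Decode every attribute into a (type, tag, value) tuple."""
    return [(t,) + decode_tagged(t, v) for t, v in split_avps(data)]

# Constructed from the captures: attribute bytes only, without the
# 20-octet RADIUS header (18 and 17 octets, matching Length 38 and 37).
TAGGED = bytes.fromhex("40060100000d" "410601000006" "510601313935")
UNTAGGED = bytes.fromhex("40060000000d" "410600000006" "5105313935")
```

Both inputs decode to VLAN 195; the one-octet length difference on attribute 81 is the tag octet that exists only when a tag in the range 0x01-0x1F is sent.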



