Vendor-Specific attribute with rlm_rest

Alan DeKok aland at deployingradius.com
Thu May 7 20:45:09 CEST 2020


> On May 7, 2020, at 2:17 PM, Michael A Carpenter - macarpen at us.ibm.com <macarpen at us.ibm.com> wrote:
> 
> I'm trying to return the Vendor-Specific attribute with value "H=4,I=4" using the rlm_rest module. I've tried the following authorization response payloads:
> 
> {"Attr-26": "0x483d342c493d34"}
> 
> {"Vendor-Specific": "H=4,I=4"}
> 
> Both resulted in error:

  Please don't do that.  It's terrible.  If you need that in order to interoperate with an idiot vendor, fine.  But if you're doing something yourself, this is 1000% the wrong thing to do.

  You *cannot* and *should not* specify values for the Vendor-Specific attribute.  That attribute does not have values like other attributes.  Instead, it carries a 32-bit vendor number, followed by encapsulated vendor attributes.

 So... why are you doing this?

> Any suggestions for what might be incompatible about the value?

  It fails to follow the RFCs.  See

https://tools.ietf.org/html/rfc8044#section-3.14

  Which defines the "vsa" data type, for the Vendor-Specific attribute.

  As the author of that specification, I feel uniquely qualified to say that your usage of Vendor-Specific is wrong. :)

  Alan DeKok.




More information about the Freeradius-Users mailing list