Problem of proxying Vendor Specific Attributes (VSA)!
Hi! When i receive an access-reject from the radius server (this packet has VSA ), the proxy send back the access-reject to the client but delete the VSA. I tried to modify the file "attrs" by specifying "Vendor-Specific == xxx (our vendor number)" but it doesn't work and i'm not sure if it is the good file to modify. What can i do to indicate the proxy not deleting the VSA when it receive an access-reject from the server? Thanks a lot! ** * *
Hi,
When i receive an access-reject from the radius server (this packet has VSA ), the proxy send back the access-reject to the client but delete the VSA.
I tried to modify the file "attrs" by specifying "Vendor-Specific == xxx (our vendor number)" but it doesn't work and i'm not sure if it is the good file to modify.
What can i do to indicate the proxy not deleting the VSA when it receive an access-reject from the server?
it's not said crystally clear in the RFC2865, but IMO VSA atributes are not supposed to be present in Rejects: If any value of the received Attributes is not acceptable, then the RADIUS server MUST transmit a packet with the Code field set to 3 (Access-Reject). It MAY include one or more Reply-Message Attributes with a text message which the NAS MAY display to the user. So I wouldn't be surprised if FR discards them hardwired. But someone with more knowledge is required to give an authoritative answer :-) Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Laurent LOINGEVILLE wrote:
I receive an access-reject from the radius server (this packet has VSA)
This packet isn't RFC-compliant.
What can i do to indicate the proxy not deleting the VSA when it receive an access-reject from the server?
Edit the function rfc_clean() in the source code. (src/main/util.c) -- Nicolas Baradakis
Thanks a lot for your answer! So i've edited the function rfc_clean() in the source code (src/main/util.c) by adding the following line (in bold) but it doesn't work (the client don't receive the VSA: case PW_AUTHENTICATION_REJECT: pairmove2(&vps, &(packet->vps), PW_EAP_MESSAGE); pairmove2(&vps, &(packet->vps), PW_MESSAGE_AUTHENTICATOR); pairmove2(&vps, &(packet->vps), PW_REPLY_MESSAGE); pairmove2(&vps, &(packet->vps), PW_VENDOR_SPECIFIC); Could you please tell me what is wrong? have i to add something else in this procedure? Thanks in advance for your answer! On 7/5/06, Nicolas Baradakis <nbk@sitadelle.com> wrote:
Laurent LOINGEVILLE wrote:
I receive an access-reject from the radius server (this packet has VSA)
This packet isn't RFC-compliant.
What can i do to indicate the proxy not deleting the VSA when it receive an access-reject from the server?
Edit the function rfc_clean() in the source code. (src/main/util.c)
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (3)
-
Laurent LOINGEVILLE -
Nicolas Baradakis -
Stefan Winter