Arran Cudbard-Bell wrote:
Hmm RFC 5080 expounds a bit more on Clients and attribute processing:
In general, it is best for a RADIUS client to err on the side of caution. On receiving an Access-Accept including an attribute of known Type for an unimplemented service, a RADIUS client MUST treat it as an Access-Reject, as directed in [RFC2865] Section 1.1. On receiving an Access-Accept including an attribute of unknown Type, a RADIUS client SHOULD assume that it is a potential service definition, and treat it as an Access-Reject. Unknown VSAs SHOULD be ignored by RADIUS clients.
I'll have a word with Alan tomorrow, seeing as I know he helped author this one. Unknown VSAs with your vendor ID fine, but VSAs with a different vendor ID? Seems really stupid to me.
Yes, I wrote that text. And getting excited over a DIFFERENT vendors VSAs? Stupid. Alan DeKok.