On Apr 18, 2016, at 10:22 AM, McWilliams, Rhys <rhys.mcwilliams@cdk.com> wrote:
Apr 18 16:01:39 SAST: RADIUS: Tunnel-Password [69] 52 00:* Apr 18 16:01:39 SAST: RADIUS: Vendor, Cisco [26] 30 ... Apr 18 16:01:39 SAST: RADIUS: Tunnel-Password length not multiple of 16 Apr 18 16:01:39 SAST: RADIUS/DECODE: decoder; FAIL Apr 18 16:01:39 SAST: RADIUS/DECODE: attribute Tunnel-Password; FAIL Apr 18 16:01:39 SAST: RADIUS/DECODE: parse response op decode; FAIL
If I read that correctly, the decoder is broken. Tell Cisco to fix it. The debug output here shows that the length of the Tunnel-Password attribute is 52. 2 bytes are for the RADIUS header. 2 bytes are for the salt (RFC 2868 Section 3.5). The remaining *encrypted* portion is 48 bytes long... which is a multiple of 16. As it's supposed to be. Please send me a packet trace from 1.1.3 and 3.0.4. Use the standard secret "testing123", so I can decode the Tunnel-Password and look at the data. There *might* be a bug in 3.0.4, but I'm inclined towards believing that the Cisco implementation is wrong. Alan DeKok.