Problem of proxying Vendor Specific Attributes (VSA)!

Stefan Winter stefan.winter at
Wed Jul 5 14:29:20 CEST 2006


> When i receive an access-reject from the radius server (this packet has VSA
> ), the proxy send back the access-reject to the client but delete the VSA.
> I tried to modify the file "attrs" by specifying "Vendor-Specific == xxx
> (our vendor number)"  but it doesn't work and i'm not sure if it is the
> good  file to modify.
> What can i do to indicate the proxy not deleting the VSA when it receive an
> access-reject from the server?

it's not said crystally clear in the RFC2865, but IMO VSA atributes are not 
supposed to be present in Rejects:

      If any value of the received Attributes is not acceptable, then
      the RADIUS server MUST transmit a packet with the Code field set
      to 3 (Access-Reject).  It MAY include one or more Reply-Message
      Attributes with a text message which the NAS MAY display to the

So I wouldn't be surprised if FR discards them hardwired. But someone with 
more knowledge is required to give an authoritative answer :-)



Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at     Tel.:     +352 424409-1                Fax:      +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the Freeradius-Devel mailing list