Problems decoding a vendor-specified attribute on the client side

JCA 1.41421 at gmail.com
Thu Dec 27 03:47:10 CET 2012


Thanks for your prompt reply. Please see my comments interspersed below.

On Wed, Dec 26, 2012 at 6:19 PM, Alan DeKok <aland at deployingradius.com> wrote:
> JCA wrote:
>> I would like to be able to use a vendor-specified attribute, rather
>> than Reply-Message, and to that end I added the following entry to the
>> dictionary files in both client and server:
>>
>>        VENDOR          MyVendorID    29688
>>
>>        BEGIN-VENDOR    MyVendorID
>>        ATTRIBUTE            Vendor-Attr  1    string
>>        END-VENDOR      MyVendorID
>>
>> (the vendor ID used here is bogus.)  I also changed my users on the
>> server as follows:
>>
>>      user1      User-Password != "User1Password"
>>      user1      Cleartext-Password := "User1Password"
>>           Vendor-Attr = "Authentication successful."
>
>   I'd give it a better name than that... but OK.
>
>> After launching the server on A again, and attempting an
>> authentication from B, debugging the client on B reveals that the
>> server is indeed sending the Vendor-Attr attribute with the value
>> specified in the users file. The rc_avpair_gen() function in the
>> client code on B detects a vendor-specified attribute, and after
>> properly identifying it as MyVendorID it attempts to decode the
>> attribute that follows by recursively invoking itself. In more detail:
>>
>> The first few bytes of the data received from the server is
>>
>>       0x1a    0x1b    0x00    0x00    0x73    0xf8    0x01    0x15
>
>   That's how RADIUS works.
>
>   You need to add the vendor dictionary on the client side, too.

   I added the VENDOR definition that I mentioned above to both client
and server already.

>>       The code then proceeds to invoking rc_dict_getattr() in order to
>> get the attribute, using as arguments the dictionary data previously
>> loaded when launching the client, plus the value of the attribute
>> variable obtained above. rc_dict_getattr() will just loop over all
>> entries in the dictionary data, trying to find a match. This is a very
>> simple function:
>
>   Yes... there's no need to include the code here.  We *do* have access
> to it.

   I included the code because I can't understand how it could ever
work. How can the comparison between attr->value and attribute, as I
described, ever succeed? The value of attribute as received from
rc_avpair_gen() contains both the vendor ID and the attribute
identifier, whereas the value of attr->value only contains the
attribute identifier. This comparison can never succeed.

>>        The comparison in the loop above will not succeed, because
>> attr->value is 1, whereas attribute is 0x73f80001. Therefore no match
>> will be found, and rc_dict_getattr() will return a NULL pointer, thus
>> causing rc_avpair_gen() to generate an error message as follows:
>>
>>         received unknown VSA attribute 1, vendor 29688 of length xx
>>
>> where xx is the length of the "Authentication successful." string.
>>
>>         Thus, it would seem that the data was received correctly, but
>> can't somehow be decoded.
>
>   Yes.  You need to add the dictionary on the client side, too.

  Like I said, I added to both client and server before I started testing.

>
>   The main FreeRADIUS library handles this properly, by the way.  It
> allows you to reference attributes which don't have any dictionaries.
>
>>         Anybody know what is going on here? I would be tempted to say
>> that the rc_dict_getattr() implementation is wrong, but I find it
>> difficult to believe that it is THAT wrong - this wouldn't be just a
>> bug, but a huge implementation error. Therefore, I must be doing
>> something wrong myself instead. But, what? How do I define my simple
>> vendor-specific attribute so that rc_get_attr() can identify and
>> decode it correctly?
>
>   Use a dictionary.
>
>   Or, update the code so that it still creates AVPairs, even if it
> doesn't have a dictionary entry.  This is what the FreeRADIUS server does.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html


More information about the Freeradius-Devel mailing list