Deprecate the X-Ascend-* attributes in dictionary.ascend?

Bjørn Mork bjorn at mork.no
Thu Nov 12 16:03:27 CET 2009


The dictionary.ascend file contains both Ascend VSAs and some historical
Ascend-specific extensions in the lower (1-255) RADIUS attribute space.
These are prefixed with "X-Ascend-".

But nowadays, quite a few of these collide with official standard
attributes.  Although this is not a problem for the RADIUS server or
other applications mapping from name to value, it does pose a problem
for applications mapping from value to name.  E.g. radclient, which will
happily believe that 123 is X-Ascend-Call-Attempt-Limit instead of the
RFC 4818 defined Delegated-IPv6-Prefix:


~$ radclient -x localhost:1812 auth foo -f test 
Sending Access-Request of id 237 to 127.0.0.1 port 1812
        User-Name = "ipv6-foo at example.com"
        Password = "bar"
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=237, length=100
        Framed-IP-Address = 192.168.3.4
        Framed-IPv6-Prefix = 2001:db8:2:1::/64
        Framed-Interface-Id = 8765:5678:abcd:1234
        X-Ascend-Call-Attempt-Limit = 0x003020010db8000300000000000000000000
        ERX-Ipv6-Primary-Dns = 2001:db8::53


Even worse, I believe rlm modules like rlm_perl, which also map from
value to name for their internal representation of the attributes, will
do the same.  I.e., if you write a script for rlm_perl, expecting a
Delegated-IPv6-Prefix, you'll be in for a surprise...

My suggestion is splitting dictionary.ascend in two separate dictionary
files, keeping only the VSA part included by default.  Or at least split
out all attributes colliding with standard attributes.



Bjørn
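
Added example, not part of the original message and not FreeRADIUS code: a small checker that parses dictionary text and reports attribute numbers claimed by more than one name, which is the value-to-name ambiguity described above. The two dictionary fragments are constructed for illustration (only the 123 collision is taken from the message; the rest assumes the usual FreeRADIUS dictionary syntax), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed fragments in FreeRADIUS dictionary syntax (not copies of the shipped files).
STANDARD = """
ATTRIBUTE  User-Name               1    string
ATTRIBUTE  Framed-Interface-Id     96   ifid
ATTRIBUTE  Framed-IPv6-Prefix      97   ipv6prefix
ATTRIBUTE  Delegated-IPv6-Prefix   123  ipv6prefix   # RFC 4818
"""
ASCEND = """
VENDOR     Ascend  529
ATTRIBUTE  X-Ascend-Call-Attempt-Limit  123  integer  # base space, collides
BEGIN-VENDOR Ascend
ATTRIBUTE  Ascend-Call-Attempt-Limit    123  integer  # VSA space, no collision
END-VENDOR Ascend
"""

def parse(text):
    """Yield (vendor, number, name); vendor is None for the base 1-255 space."""
    vendor = None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "BEGIN-VENDOR":
            vendor = fields[1]
        elif fields[0] == "END-VENDOR":
            vendor = None
        elif fields[0] == "ATTRIBUTE" and len(fields) >= 4:
            yield vendor, int(fields[2], 0), fields[1]

def collisions(*dictionaries):
    """Return {(vendor, number): [names]} for every code claimed by more than one name."""
    by_code = defaultdict(list)
    for text in dictionaries:
        for vendor, number, name in parse(text):
            if name not in by_code[(vendor, number)]:
                by_code[(vendor, number)].append(name)
    return {code: names for code, names in by_code.items() if len(names) > 1}

def split_candidates(*dictionaries):
    """X-Ascend-* names that share a base-space number with another attribute."""
    return sorted(n for (vendor, _), names in collisions(*dictionaries).items()
                  if vendor is None for n in names if n.startswith("X-Ascend-"))

if __name__ == "__main__":
    for (vendor, number), names in collisions(STANDARD, ASCEND).items():
        print(f"attribute {number} (vendor={vendor}): {' / '.join(names)}")
```

Run against real dictionary files, the output of split_candidates() is the list of attributes that would move out of the default-included file under the split suggested above.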