returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

Andy andy at
Tue Aug 6 11:50:36 CEST 2013

Hi, yes thank you, that is the guide I have been following..

And as that guide highlights the switch needs a 'bit string', not a 
decimal number;
"The value of Egress-VLANID is a bit string, the first 8 bits specify 
whether the VLAN is tagged or untagged and must be either 0x31 (tagged) 
or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 
12 bits are the VLAN ID as an integer value.."

Thus I need; 'Egress-VLANID = 0x31000013' in the FreeRADIUS reply

But FreeRADIUS is NOT sending that bit string, it is sending;

Sending Access-Accept of id 41 to port 1812
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	Egress-VLANID = 822083602
	HP-Cos = "3"
Finished request 18.

I have stored the HEX String in OpenLDAP with various data types, but 
the FreeRADIUS always converts the number to the decimal equivalent 
(822083602) which is out of range for the switch?

How can I stop this conversion?

HPO switch debug;
0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd new client 
detected on vid: 11.
0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd RADIUS CHAP 
authentication started, session: 2985.
0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd vid 
attribute error during RADIUS processing.
0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
   session: 2985, invalid attributes.
0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
authentication failed, login retry count: 1 >= max-retires: 0, no 
unauth-vid configured, entering quiet-period: 30 seconds.
W 08/06/13 09:45:58 02400 dca: macAuth client, RADIUS-assigned VID 
validation error. MAC 080027E4B2CD port 29 VLAN-Id 0 or unknown.

Thanks, Andy.

On Mon 05 Aug 2013 23:59:36 BST, Arran Cudbard-Bell wrote:
> On 5 Aug 2013, at 23:39, Andy <andy at
> <mailto:andy at>> wrote:
>> Hello,
>> This is my first post here so please excuse any missed etiquette.
>> I have read through the wiki's and googled a lot and not found anything.
> *sigh*
>> I have been trying configure our switch ports (HP 2910al) with Tagged
>> VLANs via Egress-VLANID and Egress-VLAN-Name.
>> The Radius backend is OpenLDAP, and I have tried setting the data
>> type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do,
>> the value returned by RADIUS is the decimal equivalent of the HEX bit
>> string I enter :(
>> For example I'm trying to store and send 0x31000012 to indicate a
>> tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I
>> can see it sending the decimal number, when the switch wants the bit
>> string as it was stored, and hence throws an error!
> No. The HP switch does not care that FreeRADIUS displayed (but later
> encoded correctly) your hex string as an integer.
> It does care that you don't seem to understand how to convert decimal
> numbers to hex and are actually specifying VLAN 18 tagged, which
> probably doesn't exist if you're getting errors.
> You want 0x3100000C for VLAN 12 tagged.
> -Arran
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list