returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

Arran Cudbard-Bell a.cudbardb at
Tue Aug 6 12:46:26 CEST 2013

On 6 Aug 2013, at 10:50, Andy <andy at> wrote:

> Hi, yes thank you, that is the guide I have been following..
> And as that guide highlights the switch needs a 'bit string', not a decimal number;
> "The value of Egress-VLANID is a bit string, the first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the VLAN ID as an integer value.."
> Thus I need; 'Egress-VLANID = 0x31000013' in the FreeRADIUS reply
> But FreeRADIUS is NOT sending that bit string, it is sending;
> Sending Access-Accept of id 41 to port 1812
> 	Framed-Protocol = PPP
> 	Framed-Compression = Van-Jacobson-TCP-IP
> 	Egress-VLANID = 822083602

You're still sending the wrong binary string.

822083602 == 0x31000012

The RFC specifies that Egress-VLANID has a 4 octet value, whoever wrote the dictionary decided to represent it as a 32bit unsigned integer, but that should be OK.

> 	HP-Cos = "3"
> Finished request 18.

OK. First, you're not doing PPP, remove the default entries in the users file for Framed-Protocol and Framed-Compression.

Second there's no special encoding for an unsigned integer. Chances are, the on the wire format of the value matches the hex string.  Look at a dump in wireshark if you don't believe me.

If it doesn't, that's a problem, and we can look at fixing it.

> I have stored the HEX String in OpenLDAP with various data types, but the FreeRADIUS always converts the number to the decimal equivalent (822083602) which is out of range for the switch?

*sigh*, no.

> How can I stop this conversion?

The on the wire raw format will be the same for the integer and for the binary string.

> HPO switch debug;
> 0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd new client detected on vid: 11.
> 0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd RADIUS CHAP authentication started, session: 2985.
> 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd vid attribute error during RADIUS processing.
> 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client rejected,
>  session: 2985, invalid attributes.
> 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client authentication failed, login retry count: 1 >= max-retires: 0, no unauth-vid configured, entering quiet-period: 30 seconds.
> W 08/06/13 09:45:58 02400 dca: macAuth client, RADIUS-assigned VID validation error. MAC 080027E4B2CD port 29 VLAN-Id 0 or unknown.

Because you're still sending the wrong value?


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list