Unsupported Vendor Specific Attribute results in incorrect behavior of rc_avpair_gen()

Amol Lad Amol.Lad at 4rf.com
Tue Jan 27 22:33:09 CET 2015


I'm not sure if I fully understand you. It's _not_ possible to add every possible VSA in the client dictionary. It's possible that "this" radius client is in a network with many other devices all authenticated by a common RADIUS server. Other devices might support VSAs that this device will not understand.

I'm only trying to implement below recommendation in RFC 5080:

A configuration flag such as "treat unknown attributes as
   reject" can be exposed to the system administrator.  If the flag is
   set to true, then Access-Accepts containing unknown attributes are
   treated as Access-Rejects.  If the flag is set to false, then unknown
   attributes in Access-Accepts are silently ignored.

Unfortunately with current library "bug" of discarding all known attributes if any unknown VSA is present in the end of the list, I cannot support "silently ignore" portion of above statement

Amol

-----Original Message-----
From: freeradius-users-bounces+amol.lad=4rf.com at lists.freeradius.org [mailto:freeradius-users-bounces+amol.lad=4rf.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 28 January 2015 2:57 a.m.
To: FreeRadius users mailing list
Subject: Re: Unsupported Vendor Specific Attribute results in incorrect behavior of rc_avpair_gen()

On Jan 26, 2015, at 10:52 PM, Amol Lad <Amol.Lad at 4rf.com> wrote:
> The problem is still there; as my embedded client does not recognize Cisco-AVPair and it is last in the list, rc_avpair_gen() returns NULL.

  Then add Cisco-AVPair to the dictionaries.

> Why do you think return NULL from below is not wrong? Why should caller return NULL if rc_avpair_gen returns NULL?

  For a host of reasons.

  In an embedded system, you want to produce the packet you expect, with all of the attributes you want.  Silently discarding an attribute means that the client does unexpected, and unknown things.

  In an embedded system, you control which attributes get created.  There's no editable configuration file that an administrator can screw up by mistyping an attribute.  So if your code is doesn't generate the correct attribute... it's a bug.  Fix your code, rather than trying to push the library into working around it.

  If the library did as you wanted, you'd still be posting here.  "Hi, I asked the library to create 4 attributes, and it only created 4.  That's a bug.  Why does it do that?"

  Fix your code to create *valid* attributes.  It's as simple as that.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).


More information about the Freeradius-Users mailing list