Unsupported Vendor Specific Attribute results in incorrect behavior of rc_avpair_gen()

Alan DeKok aland at deployingradius.com
Tue Jan 27 23:00:28 CET 2015

On Jan 27, 2015, at 4:33 PM, Amol Lad <Amol.Lad at 4rf.com> wrote:]
> I'm not sure if I fully understand you. It's _not_ possible to add every possible VSA in the client dictionary. It's possible that "this" radius client is in a network with many other devices all authenticated by a common RADIUS server. Other devices might support VSAs that this device will not understand.


> I'm only trying to implement below recommendation in RFC 5080:
> A configuration flag such as "treat unknown attributes as
>   reject" can be exposed to the system administrator.  If the flag is
>   set to true, then Access-Accepts containing unknown attributes are
>   treated as Access-Rejects.  If the flag is set to false, then unknown
>   attributes in Access-Accepts are silently ignored.

  That recommendation is for packets received from the network.  It is NOT for attributes read from a configuration file.

> Unfortunately with current library "bug" of discarding all known attributes if any unknown VSA is present in the end of the list, I cannot support "silently ignore" portion of above statement

  Patches are welcome.

  The problem is that your previous messages used examples of attributes read from configuration files.  So it’s natural to assume that’s what you meant.  So… my recommendations were for attributes read from configuration files.

  If you’re now talking about attributes read from a packet… that’s different.  And my recommendations are different.

  Alan DeKok.

More information about the Freeradius-Users mailing list