Tunnel-Password length not multiple of 16

Alan DeKok aland at deployingradius.com
Mon Apr 18 16:31:25 CEST 2016


On Apr 18, 2016, at 10:22 AM, McWilliams, Rhys <rhys.mcwilliams at cdk.com> wrote:
> I've been trying to migrate from FreeRADIUS ver 1.1.3 to ver 3.0.4.

  Please use 3.0.11.  3.0.4 is years old.

> I've set up new servers running MariaDB and FreeRADIUS 3.0.4 and have left the ver 3 config as default as possible with just changing a few things like the listen port and the SQL database parameters, and of course clients.conf and huntgroup.

  That should be all good.

> All looks good at first glance and the radtest utility works and returns what is expected and the debug shows Access-Accept.
> But when I run a "test aaa group" from the Cisco router it returns a "User rejected" and the "debug radius" outputs the following.

  And.... what does the debug output of the *server* say?

  If you do "radiusd -Xxx", you will get hex dumps of the packets it sends and receives.

> You can see the Cisco router has received an "Access-Accept" from the line "RADIUS: Received from id 1645/8 172.16.0.2:18122, Access-Accept, len 154" but the debug returns that last bit about the Tunnel-Password.

  It should be able to handle such attributes.  But also the server should create well-formed attributes.

> Please could someone point me in the correct direction as I've spent a few days now searching for this "error" to no avail...

  Try 3.0.11.  It has a number of issues fixed over 3.0.4.

  Alan DeKok.
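
An added example (not part of the original message and not FreeRADIUS code): a check of the Tunnel-Password attributes in a raw RADIUS packet, such as one taken from a server hex dump, against the RFC 2868 layout of a tag octet, a 2-octet salt and an encrypted string made of 16-octet blocks. The sample packets and all function names are constructed for illustration.

```python
import struct

TUNNEL_PASSWORD = 69  # attribute type from RFC 2868

def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def check_tunnel_passwords(packet: bytes):
    """Return a list of problems found in Tunnel-Password attributes."""
    problems = []
    for atype, value in iter_attributes(packet):
        if atype != TUNNEL_PASSWORD:
            continue
        if len(value) < 3:
            problems.append("too short for tag and salt")
            continue
        salt, enc = value[1:3], value[3:]  # value[0] is the tag octet
        if not salt[0] & 0x80:
            problems.append("salt high bit not set")
        if len(enc) == 0 or len(enc) % 16:
            problems.append(f"encrypted length {len(enc)} not a multiple of 16")
    return problems

def build_packet(attrs):
    """Constructed helper: Access-Accept (code 2) with a zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 8, 20 + len(body)) + bytes(16) + body

# Constructed samples: tag 0x01, salt 0x8a2b, then placeholder ciphertext.
GOOD = build_packet([(64, b"\x01\x00\x00\x03"), (69, b"\x01\x8a\x2b" + bytes(16))])
BAD = build_packet([(69, b"\x01\x8a\x2b" + bytes(13))])

if __name__ == "__main__":
    print(check_tunnel_passwords(GOOD))
    print(check_tunnel_passwords(BAD))
```

To check a real reply, pass the packet's bytes (for example via `bytes.fromhex(...)` on the hex you captured) to `check_tunnel_passwords`.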