Tunnel-Password length not multiple of 16
Alan DeKok
aland at deployingradius.com
Mon Apr 18 16:37:33 CEST 2016
On Apr 18, 2016, at 10:22 AM, McWilliams, Rhys <rhys.mcwilliams at cdk.com> wrote:
>
> Apr 18 16:01:39 SAST: RADIUS: Tunnel-Password [69] 52 00:*
> Apr 18 16:01:39 SAST: RADIUS: Vendor, Cisco [26] 30
> ...
> Apr 18 16:01:39 SAST: RADIUS: Tunnel-Password length not multiple of 16
> Apr 18 16:01:39 SAST: RADIUS/DECODE: decoder; FAIL
> Apr 18 16:01:39 SAST: RADIUS/DECODE: attribute Tunnel-Password; FAIL
> Apr 18 16:01:39 SAST: RADIUS/DECODE: parse response op decode; FAIL
If I read that correctly, the decoder is broken. Tell Cisco to fix it.
The debug output here shows that the length of the Tunnel-Password attribute is 52. 2 bytes are for the RADIUS header. 2 bytes are for the salt (RFC 2868 Section 3.5). The remaining *encrypted* portion is 48 bytes long... which is a multiple of 16. As it's supposed to be.
Please send me a packet trace from 1.1.3 and 3.0.4. Use the standard secret "testing123", so I can decode the Tunnel-Password and look at the data.
There *might* be a bug in 3.0.4, but I'm inclined towards believing that the Cisco implementation is wrong.
Alan DeKok.
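The decode step the reply refers to, as an added example that is not part of the original post and is not FreeRADIUS or Cisco code: a Python implementation of the RFC 2868 Section 3.5 Tunnel-Password encryption and decryption, including the multiple-of-16 check on the encrypted String. The function names, Request Authenticator, salt and password are constructed for illustration; the attribute value is taken as Tag + Salt + String as laid out in the RFC.

```python
import hashlib

BLOCK = 16  # MD5 digest size; the encrypted String is a whole number of these

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode_tunnel_password(password, secret, authenticator, salt, tag=0):
    """Return the attribute value: Tag(1) + Salt(2) + encrypted String."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    # Plaintext is Data-Length + password, zero-padded to a 16-octet boundary.
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % BLOCK)
    out, prev = b"", authenticator + salt      # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        c = _xor(plain[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c                 # b(i) = MD5(S + c(i-1))
    return bytes([tag]) + salt + out

def decode_tunnel_password(value, secret, authenticator):
    """Return (tag, password) from an attribute value, or raise ValueError."""
    if len(value) < 3 + BLOCK:
        raise ValueError("Tunnel-Password too short")
    tag, salt, enc = value[0], value[1:3], value[3:]
    if len(enc) % BLOCK:
        raise ValueError("Tunnel-Password length not multiple of 16")
    plain, prev = b"", authenticator + salt
    for i in range(0, len(enc), BLOCK):
        c = enc[i:i + BLOCK]
        plain += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    n = plain[0]                               # Data-Length octet
    if n > len(plain) - 1:
        raise ValueError("Data-Length exceeds decrypted data (wrong secret?)")
    return tag, plain[1:1 + n]

if __name__ == "__main__":
    auth = bytes(range(16))                    # constructed Request Authenticator
    value = encode_tunnel_password(b"example-tunnel-secret", b"testing123",
                                   auth, b"\x80\x01")
    print(len(value), decode_tunnel_password(value, b"testing123", auth))
```

The authenticator passed to both functions is the Request Authenticator of the Access-Request that the reply answers, so a packet trace has to include both the request and the response.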