REG: Cisco-AV Pair not sent
Alan DeKok
aland at deployingradius.com
Fri Dec 28 15:31:00 CET 2018
On Dec 28, 2018, at 3:02 AM, 8zero2 operations <8zero2ops at gmail.com> wrote:
> I am trying to allocate a string in Cisco-AV Pair and send it as a reply
> attribute. It works till the length is 247 chars; when it becomes 248
> nothing is sent back, and when it is > 248 radius gives a malformed packet
> error (this is no problem).
That "malformed packet" error shouldn't happen... Which version of the server are you running?
> But when it is 248 nothing is sent back. It becomes a big problem as
> some security risks arise.
The RADIUS protocol limits attributes to 253 bytes of data. For VSAs, 4 bytes of that is taken up by the Vendor ID. Cisco attributes use 2 bytes for attribute ID + length. Which leaves 247 bytes of room for actual content.
You can't just put 10,000 bytes of data into a Cisco-AVPair and expect it to work. You've got to understand the limitations of the RADIUS protocol.
If you need to put more than 247 bytes of data into a Cisco-AVPair attribute, then the data needs to be split across multiple attributes.
Alan DeKok.
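The 253 / 4 / 2 arithmetic above, worked through as an added example that is not from the list post or from FreeRADIUS itself: it encodes Cisco-AVPair VSAs (RFC 2865 attribute 26, vendor ID 9, Cisco sub-type 1), refuses a value over 247 bytes instead of silently dropping the attribute, splits longer values across several attributes as the reply suggests, and decodes them back. The attribute-type and vendor numbers are assumed from the standard dictionaries.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco (assumed from the dictionary)
CISCO_AVPAIR = 1          # Cisco vendor sub-type for Cisco-AVPair (assumed from the dictionary)
MAX_ATTR_DATA = 253       # attribute Length is one byte and counts its 2-byte header: 255 - 2
# 4 bytes of Vendor-Id plus 2 bytes of vendor sub-type and sub-length leave 247 for the string.
MAX_AVPAIR_VALUE = MAX_ATTR_DATA - 4 - 2


def encode_cisco_avpair(value: bytes) -> bytes:
    """Encode one Cisco-AVPair VSA; raise instead of emitting an oversized attribute."""
    if len(value) > MAX_AVPAIR_VALUE:
        raise ValueError(f"Cisco-AVPair value is {len(value)} bytes, max is {MAX_AVPAIR_VALUE}")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value   # vendor sub-attribute
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + sub                    # Vendor-Id + sub-attribute
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa    # outer attribute 26


def encode_cisco_avpairs(value: bytes) -> list:
    """Split a long value across as many Cisco-AVPair attributes as it needs."""
    chunks = [value[i:i + MAX_AVPAIR_VALUE] for i in range(0, len(value), MAX_AVPAIR_VALUE)]
    return [encode_cisco_avpair(c) for c in (chunks or [b""])]


def decode_cisco_avpairs(blob: bytes) -> list:
    """Walk a run of RADIUS attributes and return the Cisco-AVPair values in order."""
    values, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        data = blob[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue  # not a VSA, or too short to hold a vendor header
        vendor, sub_type, sub_len = struct.unpack("!IBB", data[:6])
        if vendor != CISCO_VENDOR_ID or sub_type != CISCO_AVPAIR:
            continue
        if sub_len != len(data) - 4:
            raise ValueError("vendor sub-length does not match attribute length")
        values.append(data[6:])
    return values
```

A receiver that joins the decoded chunks gets the original string back; a sender that relies on encode_cisco_avpairs never produces the 248-byte case the post describes.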