REG: Cisco-AV Pair not sent
8zero2ops at gmail.com
Sat Dec 29 06:08:01 CET 2018
Thanks for the reply. Appreciate it. I am using 3.0.11. I absolutely
understand the problem, but what I am trying to point out here is that sending a
malformed packet or not sending a reply at all might be a better option.
As what happened in my case: when it was 248 bytes it didn't write anything
in the reply packet (I mean this attribute was not sent in the reply packet) and
the client got full internet, whereas it was supposed to get restricted with
this attribute (which is a security concern). I wasn't expecting this, as the
redirect URL was a dynamically created one.
When it is greater than 248 it sends a malformed packet in return, which the NAS
rejects and nothing happens; the client is not given full access (which might be
better, rather than sending the attribute empty).
I hope I was clear.
On Dec 28, 2018, at 3:02 AM, 8zero2 operations <8zero2ops at gmail.com> wrote:
> > I am trying to allocate a string in Cisco-AV Pair and send it as a reply
> > attribute. It works till the length is 247 chars; when it becomes 248
> > nothing is sent back, and when it is > 248 RADIUS gives a malformed
> > error (this is no problem).
> That "malformed packet" error shouldn't happen... Which version of the
> server are you running?
> > But when it is 248 and nothing is sent back. It becomes a big problem as
> > some security risks arise.
> The RADIUS protocol limits attributes to 253 bytes of data. For VSAs, 4
> bytes of that is taken up by the Vendor ID. Cisco attributes use 2 bytes
> for attribute ID + length. Which leaves 247 bytes of room for actual
> You can't just put 10,000 bytes of data into a Cisco-AVPair and expect
> it to work. You've got to understand the limitations of the RADIUS
> If you need to put more than 247 bytes of data into a Cisco-AVPair
> attribute, then the data needs to be split across multiple attributes.
> Alan DeKok.
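As an added illustration of the length arithmetic in Alan's reply (this is not code from FreeRADIUS or from either poster), the following Python encodes a Cisco-AVPair string as RFC 2865 Vendor-Specific attributes, splitting anything longer than 247 bytes across several attributes as suggested, and parses them back with the length checks a receiver needs. Cisco's IANA vendor ID 9 and the Cisco-AVPair sub-type 1 come from the standard Cisco dictionary; the sample URL value is constructed.

```python
import struct

# RADIUS attribute layout (RFC 2865 section 5): Type(1) Length(1) Value(<=253).
# A Vendor-Specific attribute (type 26) carries Vendor-Id(4) followed by the
# Cisco sub-attribute Vendor-Type(1) Vendor-Length(1) String, which leaves
# 253 - 4 - 2 = 247 bytes for the Cisco-AVPair string, as the reply explains.
RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9           # Cisco's IANA enterprise number
CISCO_AVPAIR_SUBTYPE = 1      # Cisco-AVPair in the Cisco dictionary
MAX_ATTR_VALUE = 253
MAX_AVPAIR_DATA = MAX_ATTR_VALUE - 4 - 2   # 247


def single_vsa_length(value: bytes) -> int:
    """Length field a single VSA would need for `value`; above 255 it cannot be encoded."""
    return 2 + 4 + 2 + len(value)


def encode_cisco_avpair(value: bytes) -> list:
    """Return one or more encoded VSAs carrying `value`, split at 247-byte boundaries."""
    chunks = [value[i:i + MAX_AVPAIR_DATA] for i in range(0, len(value), MAX_AVPAIR_DATA)]
    out = []
    for chunk in chunks:
        sub = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, 2 + len(chunk)) + chunk
        body = struct.pack("!I", CISCO_VENDOR_ID) + sub
        attr_len = 2 + len(body)          # always <= 255 because chunks are <= 247 bytes
        out.append(struct.pack("!BB", RADIUS_VSA_TYPE, attr_len) + body)
    return out


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a run of RADIUS attributes and collect Cisco-AVPair strings, rejecting bad lengths."""
    values, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            subtype, sublen = attrs[pos + 6], attrs[pos + 7]
            if vendor_id == CISCO_VENDOR_ID:
                if sublen != alen - 6:
                    raise ValueError("vendor length does not match attribute length")
                if subtype == CISCO_AVPAIR_SUBTYPE:
                    values.append(attrs[pos + 8:pos + alen])
        pos += alen
    return values


# Constructed sample: a 300-byte redirect URL value, far past the 247-byte limit.
SAMPLE_URL = b"url-redirect=https://portal.example.test/?s=" + b"a" * 256
```

`single_vsa_length` shows why 248 bytes is the breaking point: the Length octet would need to hold 256, which the one-byte field cannot represent.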