Fragmented VSA in nested TLV cut in next fragment
Ruben Heynssens
ruben.heynssens at gmail.com
Fri Apr 5 08:52:33 CEST 2019
Hi everyone,
My fragmented VSA in a nested TLV is being cut in the next fragment after 9
characters.
RADIUS server version:
radiusd: FreeRADIUS Version 3.1.0 (git #fef25aa), for host
x86_64-unknown-linux-gnu, built on May 13 2016 at 14:22:49
FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
My RADIUS dictionary contains this:
VENDOR Alcatel-IPD 6527
BEGIN-VENDOR Alcatel-IPD format=Extended-Vendor-Specific-5
ATTRIBUTE Alc-Test-TLV 1 tlv
ATTRIBUTE Alc-Test-TLV-nested 1.1 tlv
ATTRIBUTE Alc-Test-VSA-1 1.1.1 string
ATTRIBUTE Alc-Test-VSA-2 1.1.2 string
ATTRIBUTE Alc-Test-VSA-3 1.1.3 string
END-VENDOR Alcatel-IPD
This is the entry in my RADIUS users file:
00:00:01:00:00:01 Auth-Type := Accept
	Alc-Test-VSA-1 = "01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 end",
	Alc-Test-VSA-2 = "01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 end",
	Alc-Test-VSA-3 = "test vsa"
The RADIUS server debugging:
(1) Received Access-Request Id 71 from 30.100.0.1:64446 to 30.100.0.9:1812 via eth9 length 63
(1) User-Name = "00:00:01:00:00:01"
(1) User-Password = "admin"
(1) NAS-IP-Address = 1.0.0.1
(1) Running section authorize from file /opt/freeradius-3.1.x/etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username {
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) ...
(1) }
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.\./ ) {
(1) ...
(1) }
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.$/) {
(1) ...
(1) }
(1) if (&User-Name =~ /@\./) {
(1) ...
(1) }
(1) } # if (&User-Name) (notfound)
(1) } # filter_username (notfound)
(1) preprocess (ok)
(1) chap (noop)
(1) mschap (noop)
(1) digest (noop)
(1) suffix - Checking for suffix after "@"
(1) suffix - No '@' in User-Name = "00:00:01:00:00:01", looking up realm NULL
(1) suffix - No such realm "NULL"
(1) suffix (noop)
(1) eap - No EAP-Message, not doing EAP
(1) eap (noop)
(1) files - Found match "00:00:01:00:00:01" one line 1 of /opt/freeradius-3.1.x/etc/raddb/mods-config/files/authorize
(1) files (ok)
(1) expiration (noop)
(1) logintime (noop)
(1) pap - WARNING: Auth-Type already set. Not setting to PAP
(1) pap (noop)
(1) } # authorize (ok)
(1) Using 'Auth-Type = Accept' for authenticate {...}
(1) Auth-Type = Accept, accepting the user
(1) Running section post-auth from file /opt/freeradius-3.1.x/etc/raddb/sites-enabled/default
(1) post-auth {
(1) update {
(1) &reply: skipped: No values available
(1) } # update (noop)
(1) exec (noop)
(1) remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) ...
(1) }
(1) else {
(1) noop (noop)
(1) } # else (noop)
(1) } # remove_reply_message_if_eap (noop)
(1) } # post-auth (noop)
(1) Sent Access-Accept Id 71 from 30.100.0.9:1812 to 30.100.0.1:64446 via eth9 length 0
(1) Alc-Test-VSA-1 = "01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 end"
(1) Alc-Test-VSA-2 = "01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 end"
(1) Alc-Test-VSA-3 = "test vsa"
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 71 with timestamp +12
Wireshark shows that Alc-Test-VSA-2 is cut:
0000 a6 12 01 01 00 09 00 ff 04 00 00 09 08 00 45 00 ..............E.
0010 01 48 29 e0 00 00 40 11 12 f4 1e 64 00 09 1e 64 .H)...@....d...d
0020 00 01 07 14 fb 82 01 34 c1 14 02 0b 01 2c 2b 2e .......4.....,+.
0030 62 76 e0 63 0a ee 3d ee ec 48 c9 c7 ad 62 f5 ff bv.c..=..H...b..
0040 1a 80 00 00 19 7f 01 01 ff 01 ec 30 31 32 33 34 ...........01234
0050 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
0060 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
0070 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
0080 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0090 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
00a0 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
00b0 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00c0 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
00d0 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
00e0 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
00f0 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
0100 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
0110 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
0120 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0130 39 20 65 6e 64 02 11 30 31 32 33 34 35 f5 19 1a 9 end..012345...
0140 00 36 37 38 39 30 31 32 33 34 01 0c 03 0a 74 65 .678901234....te
0150 73 74 20 76 73 61 st vsa
When I cut 10 characters from VSA-1, I see this in Wireshark:
0000 a6 12 01 01 00 09 00 ff 04 00 00 09 08 00 45 00 ..............E.
0010 01 48 29 e7 00 00 40 11 12 ed 1e 64 00 09 1e 64 .H)...@....d...d
0020 00 01 07 14 fb 89 01 34 05 ae 02 12 01 2c 8e c8 .......4.....,..
0030 ea bd 9f fe 6f a9 e8 fa 57 6b e9 ac 22 6f f5 ff ....o...Wk.."o..
0040 1a 80 00 00 19 7f 01 01 ff 01 e2 30 31 32 33 34 ...........01234
0050 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
0060 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
0070 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
0080 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0090 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
00a0 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
00b0 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00c0 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
00d0 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
00e0 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
00f0 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
0100 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
0110 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
0120 33 34 35 36 37 38 39 20 65 6e 64 02 1b 30 31 32 3456789 end..012
0130 33 34 35 36 37 38 39 30 31 32 33 34 35 f5 19 1a 3456789012345...
0140 00 36 37 38 39 30 31 32 33 34 01 0c 03 0a 74 65 .678901234....te
0150 73 74 20 76 73 61 st vsa
This problem does not occur without the nested TLV, when the dictionary
looks like this:
BEGIN-VENDOR Alcatel-IPD format=Extended-Vendor-Specific-5
ATTRIBUTE Alc-Test-TLV 1 tlv
ATTRIBUTE Alc-Test-VSA-1 1.1 string
ATTRIBUTE Alc-Test-VSA-2 1.2 string
ATTRIBUTE Alc-Test-VSA-3 1.3 string
END-VENDOR Alcatel-IPD
Wireshark dump:
0000 a6 12 01 01 00 09 00 ff 04 00 00 09 08 00 45 00 ..............E.
0010 02 15 29 ed 00 00 40 11 12 1a 1e 64 00 09 1e 64 ..)...@....d...d
0020 00 01 07 14 fb 8f 02 01 82 81 02 18 01 f9 0a 4f ...............O
0030 49 af 75 93 6d cf bc 48 a3 f1 12 f9 99 bc f5 ff I.u.m..H........
0040 1a 80 00 00 19 7f 01 01 e2 30 31 32 33 34 35 36 .........0123456
0050 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
0060 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0070 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
0080 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
0090 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00a0 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
00b0 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
00c0 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
00d0 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
00e0 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00f0 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
0100 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0110 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
0120 35 36 37 38 39 20 65 6e 64 02 ec 30 31 32 33 34 56789 end..01234
0130 35 36 37 38 39 30 31 32 33 34 35 36 37 f5 e6 1a 5678901234567...
0140 00 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 .890123456789012
0150 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0160 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
0170 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
0180 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
0190 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
01a0 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
01b0 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
01c0 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 5678901234567890
01d0 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
01e0 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
01f0 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
0200 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 9012345678901234
0210 35 36 37 38 39 20 65 6e 64 03 0a 74 65 73 74 20 56789 end..test
0220 76 73 61 vsa
Is this the expected behavior? Did I do something wrong?
Let me know if you need more information.
Thanks in advance!
Kind regards,
Ruben
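Added example (editor's code, not from the original post or from the FreeRADIUS project): a small Python decoder that rebuilds the Access-Accepts of the post's first and third Wireshark dumps, reassembles the Long-Extended-Type (attribute 245) fragments as RFC 6929 describes, and walks the TLVs inside the Extended-Vendor-Specific data using the attribute numbers from the two dictionaries above. radiusd's debug output prints the values it took from the users file, so only a wire-level walk like this shows what the NAS actually received. The packet bytes are constructed from the dumps (RADIUS header and authenticators copied, the digit strings regenerated), the container sets are taken from the post's dictionaries, and all helper names are mine. Against the nested dump the walk finds the first Alc-Test-TLV-nested instance declared with length 255, Alc-Test-VSA-2 inside it declared with length 17 (15 bytes of value), and a second Alc-Test-TLV-nested instance carrying only VSA-3; against the flat dump VSA-2 comes out with its full length 236.

```python
"""Editor's added example, not from the original post or FreeRADIUS: rebuild the
Access-Accepts of the post's first and third Wireshark dumps, reassemble the RFC 6929
Long-Extended-Type fragments and walk the TLVs inside the Extended-Vendor-Specific data,
so the value that really went on the wire can be compared with radiusd's debug output."""
import struct

LONG_EXT_TYPE = 245        # Long-Extended-Type-1 (FreeRADIUS: format=Extended-Vendor-Specific-5)
EXT_VENDOR_SPECIFIC = 26   # Extended-Type 26 = Extended-Vendor-Specific (EVS)
MORE_FLAG = 0x80           # M bit in the flags octet: another fragment follows
ALCATEL_IPD = 6527

LONG_VALUE = ("0123456789" * 23 + " end").encode()    # 234 bytes: the users-file string
SHORT_VALUE = ("0123456789" * 22 + " end").encode()   # 224 bytes: the "10 characters cut" variant


def access_accept(ident, authenticator, fragments):
    """Put already-encoded attribute bytes behind a RADIUS header (code 2, Access-Accept)."""
    body = b"".join(fragments)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + authenticator + body


def long_ext(flags, payload):
    """One Long-Extended-Type-1 attribute carrying up to 251 bytes of EVS payload."""
    assert len(payload) <= 251, "fragment payload too long"
    return bytes([LONG_EXT_TYPE, 4 + len(payload), EXT_VENDOR_SPECIFIC, flags]) + payload


EVS_HEAD = ALCATEL_IPD.to_bytes(4, "big") + b"\x01"   # Vendor-Id 6527, Vendor-Type 1 = Alc-Test-TLV

# Constructed from the post's first dump (nested dictionary), frame offset 0x3e onward.
NESTED_PACKET = access_accept(0x0b, bytes.fromhex("2b2e6276e0630aee3deeec48c9c7ad62"), [
    long_ext(MORE_FLAG, EVS_HEAD
             + b"\x01\xff"                     # Alc-Test-TLV-nested, length 255 (one-octet maximum)
             + b"\x01\xec" + LONG_VALUE        # Alc-Test-VSA-1, length 236
             + b"\x02\x11" + b"012345"),       # Alc-Test-VSA-2, length 17: only 15 bytes of value
    long_ext(0x00, b"678901234"                # the other 9 bytes of that 15-byte VSA-2
             + b"\x01\x0c\x03\x0a" + b"test vsa"),   # second Alc-Test-TLV-nested holding only VSA-3
])
# Constructed from the post's third dump (flat dictionary): VSA-2 keeps its full length 236.
FLAT_PACKET = access_accept(0x18, bytes.fromhex("0a4f49af75936dcfbc48a3f112f999bc"), [
    long_ext(MORE_FLAG, EVS_HEAD + b"\x01\xe2" + SHORT_VALUE + b"\x02\xec" + LONG_VALUE[:18]),
    long_ext(0x00, LONG_VALUE[18:] + b"\x03\x0a" + b"test vsa"),
])
# TLV paths below the Vendor-Type that are containers, per the post's two dictionaries.
NESTED_CONTAINERS = {(1, 1)}   # Alc-Test-TLV-nested
FLAT_CONTAINERS = set()


def reassemble_long_extended(attrs):
    """Concatenate consecutive Long-Extended-Type-1 fragments sharing an Extended-Type until one
    arrives without the M flag (RFC 6929 section 2.2). Returns {extended_type: [data, ...]}."""
    out, pending, pos = {}, None, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute header at offset %d" % pos)
        atype, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype != LONG_EXT_TYPE:
            continue                           # ordinary attributes are not needed here
        if len(value) < 2:
            raise ValueError("long extended attribute without Extended-Type/flags octets")
        ext_type, flags, data = value[0], value[1], value[2:]
        if pending is not None and pending[0] != ext_type:
            raise ValueError("fragment chain interrupted by Extended-Type %d" % ext_type)
        buf = (pending[1] if pending else b"") + data
        if flags & MORE_FLAG:
            pending = (ext_type, buf)
        else:
            out.setdefault(ext_type, []).append(buf)
            pending = None
    if pending is not None:
        raise ValueError("last fragment still has the M flag set")
    return out


def walk_tlvs(data, containers, path):
    """Yield (path, declared_length, value, problem) per leaf TLV, recursing into container paths.
    Stops at the first TLV whose declared length does not fit: nothing after it is trustworthy."""
    pos = 0
    while pos < len(data):
        sub, remaining = path + (data[pos],), len(data) - pos
        length = data[pos + 1] if remaining >= 2 else None
        if length is None or length < 2 or length > remaining:
            yield (sub, length, data[pos + 2:],
                   "declared length %s does not fit in %d remaining bytes" % (length, remaining))
            return
        value = data[pos + 2:pos + length]
        if sub in containers:
            yield from walk_tlvs(value, containers, sub)
        else:
            yield (sub, length, value, "")
        pos += length


def decode_evs(packet, containers):
    """Map "vendor:type.sub..." to [(declared_length, value, problem), ...] for every leaf TLV
    inside the packet's reassembled Extended-Vendor-Specific attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field %d does not match %d bytes received" % (length, len(packet)))
    leaves = {}
    for blob in reassemble_long_extended(packet[20:]).get(EXT_VENDOR_SPECIFIC, []):
        if len(blob) < 5:
            raise ValueError("EVS data shorter than Vendor-Id plus Vendor-Type")
        vendor_id, vendor_type = int.from_bytes(blob[:4], "big"), blob[4]
        for path, declared, value, problem in walk_tlvs(blob[5:], containers, (vendor_type,)):
            key = "%d:%s" % (vendor_id, ".".join(map(str, path)))
            leaves.setdefault(key, []).append((declared, value, problem))
    return leaves


if __name__ == "__main__":
    for name, packet, ctrs in (("nested", NESTED_PACKET, NESTED_CONTAINERS), ("flat", FLAT_PACKET, FLAT_CONTAINERS)):
        for key, instances in sorted(decode_evs(packet, ctrs).items()):
            for declared, value, problem in instances:
                print("%-6s %-10s declared=%-4s wire=%3d bytes %s" % (name, key, declared, len(value), problem))
```

Because a TLV length is a single octet, one Alc-Test-TLV-nested instance can carry at most 253 bytes of content, so VSA-1 (236 bytes with header) and VSA-2 (236) can never share an instance; the dump shows VSA-2 shortened to the room that was left (253 - 236 - 2 = 15 bytes, or 25 once VSA-1 loses 10 characters) instead of being carried whole in the second instance, and the fragment boundary merely determines how many of those bytes land in the next fragment. The decoder also raises on a chain that ends with the M flag still set and reports any TLV whose declared length overruns its container, which are the two checks worth having in anything that consumes these attributes from a peer.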