Tunnel-Private-Group-ID undefined tag.

Alan DeKok aland at deployingradius.com
Mon Jan 21 23:24:02 CET 2019


On Jan 21, 2019, at 4:40 PM, Fabrice Durand <fdurand at inverse.ca> wrote:
> 
> Sorry for the screen capture.
> 
> Here is the reply with tag equal to 1:
> 
> Frame 6: 80 bytes on wire (640 bits), 80 bytes captured (640 bits) on interface 0
> Ethernet II, Src: Vmware_1c:1f:3d (00:0c:29:1c:1f:3d), Dst: Vmware_9d:00:59 (00:50:56:9d:00:59)
> Internet Protocol Version 4, Src: 172.20.135.4, Dst: 172.20.110.250
> User Datagram Protocol, Src Port: 1812, Dst Port: 34863
> RADIUS Protocol
>     Code: Access-Accept (2)
>     Packet identifier: 0x86 (134)
>     Length: 38
>     Authenticator: 9bbbb286df738ecf24be871d7b95de37
>     [This is a response to a request in frame 5]
>     [Time from request: 0.011010775 seconds]
>     Attribute Value Pairs
>         AVP: t=Tunnel-Type(64) l=6 Tag=0x01 val=VLAN(13)
>         AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x01 val=IEEE-802(6)
>         AVP: t=Tunnel-Private-Group-Id(81) l=6 Tag=0x01 val=195

  Note that Tunnel-Private-Group-Id is an "integer" attribute.  The tag is in the upper 8 bits, and the lower 24 bits are the value.

> And the one with the tag unset:
> 
> Frame 6: 79 bytes on wire (632 bits), 79 bytes captured (632 bits) on interface 0
> Ethernet II, Src: Vmware_1c:1f:3d (00:0c:29:1c:1f:3d), Dst: Vmware_9d:00:59 (00:50:56:9d:00:59)
> Internet Protocol Version 4, Src: 172.20.135.4, Dst: 172.20.110.250
> User Datagram Protocol, Src Port: 1812, Dst Port: 34863
> RADIUS Protocol
>     Code: Access-Accept (2)
>     Packet identifier: 0x87 (135)
>     Length: 37
>     Authenticator: 50e7dce3cdc0c2d5391576d11372c573
>     [This is a response to a request in frame 5]
>     [Time from request: 0.003153571 seconds]
>     Attribute Value Pairs
>         AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
>         AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
>         AVP: t=Tunnel-Private-Group-Id(81) l=5 val=195
> 
> You can see that when there is no tag then it is missing Tag=0x00 for attribute 81.

  No.  You're seeing that Wireshark doesn't *print* the tag in that case.

  If you want to see what's happening on the wire, look at the hex dumps of the attributes.  And, read the RFCs to see how horrific the tag format is.

  Alan DeKok.
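
The attribute encodings discussed in this thread, decoded following RFC 2868, as an added example that is not part of the original message. The thread contains no hex dump, so the byte strings are constructed from the fields shown in the two dissections; the function and constant names are hypothetical.

```python
import struct

# RFC 2868 tagged attributes handled here (numbers as shown in the captures).
TAGGED_INT = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}   # tag + 24-bit value
TAGGED_STR = {81: "Tunnel-Private-Group-Id"}                 # optional tag + string

def parse_avps(buf):
    """Return (name, tag, value) per attribute; tag is None when the
    attribute carries no tag octet on the wire."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 3 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        data = buf[i + 2:i + alen]
        if atype in TAGGED_INT:
            if alen != 6:
                raise ValueError(f"attribute {atype} must have length 6")
            word = struct.unpack("!I", data)[0]
            # Tag octet is always present: upper 8 bits; value: lower 24 bits.
            out.append((TAGGED_INT[atype], word >> 24, word & 0xFFFFFF))
        elif atype in TAGGED_STR:
            # A first octet above 0x1F is string data, not a tag.
            # 0x00 is treated as an unused tag octet (assumption of this example).
            if data[0] <= 0x1F:
                tag, text = data[0], data[1:]
            else:
                tag, text = None, data
            out.append((TAGGED_STR[atype], tag, text.decode("utf-8", "replace")))
        else:
            out.append((atype, None, data))
        i += alen
    return out

# Constructed attribute bytes matching the two dissections (20-byte header omitted).
TAGGED_REPLY = bytes.fromhex("40060100000d" "410601000006" "510601313935")
UNTAGGED_REPLY = bytes.fromhex("40060000000d" "410600000006" "5105313935")

if __name__ == "__main__":
    for label, attrs in (("tag=1", TAGGED_REPLY), ("tag unset", UNTAGGED_REPLY)):
        print(label, "RADIUS length", 20 + len(attrs))
        for name, tag, value in parse_avps(attrs):
            print("   ", name, "tag=", tag, "value=", value)
```

Comparing the decoded tag and value against the raw attribute bytes is a quick way to confirm which VLAN a NAS will actually be told to assign.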