Tunnel-Private-Group-ID undefined tag.

Alan DeKok aland at deployingradius.com
Mon Jan 21 23:28:36 CET 2019


On Jan 21, 2019, at 4:05 PM, Fabrice Durand <fdurand at inverse.ca> wrote:
> 
> I am trying to debug an issue with FreeRADIUS and a Cisco switch where the attribute Tunnel-Private-Group-ID (81) is understood by the Cisco switch as the attribute Ascend-Auth-Type.
> 
> Jan 18 07:37:00: RADIUS:  Tunnel-Type         [64]  6 00:VLAN                   [13]
> Jan 18 07:37:00: RADIUS: Ascend-Auth-Type [81]  8   1868981865

  No... that's *not* a VSA.  There's no Vendor-ID.

> Jan 18 07:37:00: RADIUS:  Tunnel-Medium-Type  [65]  6 00:ALL_802                [6]
> Jan 18 07:37:00: RADIUS(00000000): Received from id 1645/16
> Jan 18 07:37:00: RADIUS: unsupported value 1868981865 in attribute 81
> Jan 18 07:37:00: RADIUS/DECODE: Ascend auth type; FAIL
> Jan 18 07:37:00: RADIUS/DECODE: decoder; FAIL
> Jan 18 07:37:00: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
> 
> The issue is related to a configuration parameter (non-standard) defined in the radius configuration section (switch side).
> 
> So if I remove this configuration parameter it works.

  Call Cisco and tell them that their switch is buggy.  It's a bug of the kind: "How the HECK did you do something that ridiculous?"

  Ask them to provide a fix.  RFC 2868 is from 2000.  i.e. it's 20 years old.  There's just no excuse for this kind of incompatibility.

> Is it a bug in FreeRADIUS or is it something normal?

  The RFCs make it clear that (a) tagged integers are special, there's no real "tag" field and (b) tags of 0 are special.

  Alan DeKok.
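
Added example (not part of the original thread, and not FreeRADIUS or Cisco code): a decoder for the RFC 2868 tagged encodings discussed above, which also shows that the logged value 1868981865 is what results from reading the first four octets of the attribute 81 string as a 32-bit integer. The VLAN name `office` is a constructed value chosen to match the logged length (8) and integer, and the handling of a leading 0x00 octet is an assumption of this example.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

# Constructed reply attributes. "office" is an assumed VLAN name: its first
# four octets and the attribute length (8) match the values in the switch log.
SAMPLE = (bytes([TUNNEL_TYPE, 6, 0x00, 0, 0, 13])
          + bytes([TUNNEL_MEDIUM_TYPE, 6, 0x00, 0, 0, 6])
          + bytes([TUNNEL_PRIVATE_GROUP_ID, 8]) + b"office")


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        # The attributes handled here always carry at least one value octet.
        if alen < 3 or i + alen > len(data):
            raise ValueError(f"bad length {alen} in attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def decode_tagged_integer(value):
    """Tunnel-Type style: one tag octet, then a 3-octet value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def decode_tagged_string(value):
    """Tunnel-Private-Group-ID style: the tag octet is optional."""
    first = value[0]
    if 0x01 <= first <= 0x1F:        # RFC 2868: this octet is a tag
        return first, value[1:].decode("ascii")
    if first == 0x00:                # assumption: explicit "no tag", stripped
        return 0, value[1:].decode("ascii")
    return 0, value.decode("ascii")  # > 0x1F: first octet of the string


def misread_as_integer(value):
    """Result of decoding the string's first four octets as a 32-bit integer."""
    return int.from_bytes(value[:4], "big")


if __name__ == "__main__":
    for atype, value in parse_attributes(SAMPLE):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            print(atype, decode_tagged_string(value), misread_as_integer(value))
        else:
            print(atype, decode_tagged_integer(value))
```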



