How to set Tag = 0x00 in Tunnel-Private-Group-ID attribute
aland at deployingradius.com
Wed Sep 25 01:25:19 CEST 2019
On Sep 24, 2019, at 6:54 PM, Phani Siriki <yvsg.phanis at gmail.com> wrote:
> Thank you for your reply. Sorry I should have been more clear. What I
> meant about RFC 2868 is, they didn't discuss tag=0x00 for
The text is pretty clear:
The Tag field is one octet in length and is intended to provide a
means of grouping attributes in the same packet which refer to the
same tunnel. If the value of the Tag field is greater than 0x00
and less than or equal to 0x1F, it SHOULD be interpreted as
indicating which tunnel (of several alternatives) this attribute
pertains. If the Tag field is greater than 0x1F, it SHOULD be
interpreted as the first byte of the following String field.
i.e. Tag values are 0x01 through 0x1f. Values 0x20 through 0xff are the VLAN name.
Value 0x00 is meaningless, and should not be put into a packet.
> Please find the some details below. Lets say I am trying to send
> Tunnel-private-group-id as 2.
> Access-Accept from Freeradius:
> AVP: t=Tunnel-Private-Group-Id(81) l=3 val=2
> Type: 81
> Length: 3 ==========> No tag id set. Any specific reason
> for this? Should it be set 0x00 and sent from Freeradius.
> Tunnel-Private-Group-Id: 2
The tag isn't set to 0x00 because FreeRADIUS doesn't send useless fields.
> Access-packet from Pulse Secure radius server:
> AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
> Type: 64
> Length: 6
> Tag: 0x00 . ==========> Tag id set
> Tunnel-Type: VLAN (13)
Because Pulse Secure is wrong. If the tag field is 0x00, it should be removed from the packet.
However, NAS vendors tend to be forgiving about what they accept. So they ignore the tag of zero.
FreeRADIUS also ignores values of 0x00 when it receives those attributes. But FreeRADIUS doesn't *add* a useless field of 0x00 when sending packets.
> There is no problem doing authentication with Freeradius server. Its
> working perfectly.
> We are trying to determine the behavior of tag field in
> Tunnel-private-group-id -
> - tag=0x00, Just treat it as same tunnel?
> - tag field is not present at all.
> Just curious to know what is the reason for not setting tag id ==0x00
> in Tunnel-private-group-id.
Read RFC 2868. Valid tag values are 0x01 through 0x1f, inclusive. The value 0x00 is NOT a tag ID. It is NOT a tag value. It is NOT encoded into a packet.
I'm not sure why you care. If the NAS equipment works, then it doesn't matter what FreeRADIUS sends. If you're trying to understand the RFCs, then this list isn't the place to do that.
More information about the Freeradius-Users