How to set Tag = 0x00 in Tunnel-Private-Group-ID attribute

Alan DeKok aland at
Wed Sep 25 01:25:19 CEST 2019

On Sep 24, 2019, at 6:54 PM, Phani Siriki <yvsg.phanis at> wrote:
> Thank you for your reply. Sorry I should have been more clear. What I
> meant about RFC 2868 is, they didn't discuss tag=0x00 for
> Tunnel-private-group-id.

  The text is pretty clear:

      The Tag field is one octet in length and is intended to provide a
      means of grouping attributes in the same packet which refer to the
      same tunnel.  If the value of the Tag field is greater than 0x00
      and less than or equal to 0x1F, it SHOULD be interpreted as
      indicating which tunnel (of several alternatives) this attribute
      pertains.  If the Tag field is greater than 0x1F, it SHOULD be
      interpreted as the first byte of the following String field.

  i.e. Tag values are 0x01 through 0x1f.  Values 0x20 through 0xff are the VLAN name.

  Value 0x00 is meaningless, and should not be put into a packet.

> Please find the some details below. Lets say I am trying to send
> Tunnel-private-group-id as 2.
> Access-Accept from Freeradius:
> =====
>        AVP: t=Tunnel-Private-Group-Id(81) l=3 val=2
>            Type: 81
>            Length: 3   ==========> No tag id set. Any specific reason
> for this? Should it be set 0x00 and sent from Freeradius.
>            Tunnel-Private-Group-Id: 2

  The tag isn't set to 0x00 because FreeRADIUS doesn't send useless fields.

> Access-packet from Pulse Secure radius server:
> ====================================
> ...
>        AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
>            Type: 64
>            Length: 6
>            Tag: 0x00 .   ==========> Tag id set
>            Tunnel-Type: VLAN (13)

  Because Pulse Secure is wrong.  If the tag field is 0x00, it should be removed from the packet.

  However, NAS vendors tend to be forgiving about what they accept.  So they ignore the tag of zero.

  FreeRADIUS also ignores values of 0x00 when it receives those attributes.  But FreeRADIUS doesn't *add* a useless field of 0x00 when sending packets.

> There is no problem doing authentication with Freeradius server. Its
> working perfectly.


> We are trying to determine the behavior of  tag field in
> Tunnel-private-group-id -
> - tag=0x00, Just treat it as same tunnel?
> - tag field is not present at  all.
> Just curious to know what is the reason for not setting tag id ==0x00
> in Tunnel-private-group-id.

  Read RFC 2868.  Valid tag values are 0x01 through 0x1f, inclusive.  The value 0x00 is NOT a tag ID.  It is NOT a tag value.  It is NOT encoded into a packet.

  I'm not sure why you care.  If the NAS equipment works, then it doesn't matter what FreeRADIUS sends.  If you're trying to understand the RFCs, then this list isn't the place to do that.

  Alan DeKok.

More information about the Freeradius-Users mailing list