Vendor Extended attributes for freeradius dictionary acme

Alan DeKok aland at deployingradius.com
Wed Jan 8 04:19:09 CET 2020


On Jan 7, 2020, at 9:57 PM, Bill Schartner <bill.schartner at oracle.com> wrote:
>     I am running freeradius 3.0.13 and recently upgraded from 2.2.6 in order to use the extended attributes as specified in RFC6929. I have the new radius working fine.

  That's good.  I would recommend upgrading to 3.0.20, though.  IIRC it has some fixes for encoding / decoding of extended attributes.

>    Oracle has defined a new VSA attribute with number 249 for the acme dictionary and some additional extended attributes to address avp depletion in the dictionary.    It looks like the acme dictionary for freeradius is not up to date so we may need to eventually resync them.

  That would be good.

> What I am trying to do is add VSA 249 to the acme dictionary as type evs and then add 14 additional attributes to an additional file called dictionary.acme.extended.
> I'm not sure if this is the right procedure.

  You can't create a VSA and give it type "evs" or "extended".  RFC 6929 forbids that.  If you try to create a vendor dictionary using the "evs" data type, the server will complain and disallow it.

  You have to define a new vendor space.  See https://tools.ietf.org/html/rfc6929#section-4

  i.e. If the old vendor space was: 26.9148.*, the new one is 241.26.9148.*, and 242.26.9148.*, etc.

  RFC 6929 does not extend the existing VSA space.  It creates *new* VSA spaces which are located outside of the existing "Vendor-Specific" VSA space.

  Unfortunately, the format of the new dictionaries is documented only in the code.  I'll see if I can fix that before the next release.

  You should use a dictionary which looks like this:

BEGIN-VENDOR Acme format=Extended-Vendor-Specific-1
ATTRIBUTE Acme-PGW-IP-Address 1 integer
ATTRIBUTE Acme-SGW-IP-Address 2 integer
...
END-VENDOR Acme

  That defines Acme-PGW-IP-Address as having OID 241.26.9148.1.  The attribute encoding is:

- one byte of 241
- one byte of length (12)
- one byte of 26
- four bytes of 9148 in network byte order
- one byte of 1
- 4 bytes of the integer value

  If you want to use more VSAs, you need to define more VSA spaces:

BEGIN-VENDOR Acme format=Extended-Vendor-Specific-2
...
END-VENDOR

BEGIN-VENDOR Acme format=Extended-Vendor-Specific-3
...
END-VENDOR

  It's not trivial, but it's the end result of ~6 years of arguing in the IETF.  It's the best solution we could come up with.

  Alan DeKok.
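The byte layout Alan lists above (241, length, 26, four-byte vendor id, one-byte vendor type, value) is easy to get wrong in a custom dictionary or a hand-rolled client, so here is a small encoder/decoder for it as an added example. This is not FreeRADIUS code and not part of the original reply; the function names, the constructed 0xC0A80001 sample value and the `is_rejected` helper are assumptions of the example. It generalises the post's 241.26.9148.* case to the four short Extended-Type numbers 241..244 that RFC 6929 defines, and it refuses the classic type-26 space the way the server does.

```python
import struct

# RFC 6929 short "Extended-Type" attribute numbers (241..244 share one format).
# 245/246 (Long-Extended-Type) carry an extra flags byte and are NOT handled here.
EXTENDED_TYPES = (241, 242, 243, 244)
EVS_EXTENDED_TYPE = 26        # Extended-Vendor-Specific-N sits under extended type 26
VENDOR_ID_ACME = 9148         # vendor id from the post
HEADER_LEN = 8                # Type(1) Length(1) Ext-Type(1) Vendor-Id(4) Vendor-Type(1)


def encode_evs(attr_type, vendor_id, vendor_type, value):
    """Encode one Extended-Vendor-Specific attribute with OID
    <attr_type>.26.<vendor_id>.<vendor_type> and an opaque value."""
    if attr_type not in EXTENDED_TYPES:
        # This is the check the post describes: "evs" is not allowed inside
        # the old 26.* Vendor-Specific space, only under 241..244.
        raise ValueError("attr_type must be 241..244 (Extended-Type-1..4)")
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor_type must fit in one byte")
    length = HEADER_LEN + len(value)
    if length > 255:
        raise ValueError("value too long for the one-byte Length field")
    header = struct.pack("!BBBIB", attr_type, length,
                         EVS_EXTENDED_TYPE, vendor_id, vendor_type)
    return header + value


def encode_evs_integer(attr_type, vendor_id, vendor_type, n):
    """Convenience wrapper for the 'integer' data type: 4 bytes, network order."""
    return encode_evs(attr_type, vendor_id, vendor_type, struct.pack("!I", n))


def decode_evs(data):
    """Decode the EVS attribute at the front of `data`.

    Returns (attr_type, vendor_id, vendor_type, value, bytes_consumed).
    Raises ValueError on anything a server should refuse to parse."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated: fewer than 8 header bytes")
    attr_type, length, ext_type, vendor_id, vendor_type = struct.unpack(
        "!BBBIB", data[:HEADER_LEN])
    if attr_type not in EXTENDED_TYPES:
        raise ValueError(f"not a short Extended-Type attribute: {attr_type}")
    if ext_type != EVS_EXTENDED_TYPE:
        raise ValueError(f"extended type {ext_type} is not Extended-Vendor-Specific (26)")
    if length < HEADER_LEN:
        raise ValueError("Length field smaller than the fixed header")
    if length > len(data):
        # The Length byte claims more than we were given: never read past the buffer.
        raise ValueError("Length field runs past the end of the buffer")
    return attr_type, vendor_id, vendor_type, data[HEADER_LEN:length], length


def evs_oid(attr_type, vendor_id, vendor_type):
    """Dotted OID in the notation the post uses, e.g. 241.26.9148.1."""
    return f"{attr_type}.{EVS_EXTENDED_TYPE}.{vendor_id}.{vendor_type}"


def is_rejected(data):
    """True if decode_evs refuses the buffer (helper for checking malformed input)."""
    try:
        decode_evs(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: Acme-PGW-IP-Address (241.26.9148.1) with an arbitrary integer value.
    wire = encode_evs_integer(241, VENDOR_ID_ACME, 1, 0xC0A80001)
    print(evs_oid(241, VENDOR_ID_ACME, 1), wire.hex())  # 241.26.9148.1 f10c1a000023bc01c0a80001
    print(decode_evs(wire))
```

Running it shows the 12-byte encoding from the post (0xf1 = 241, 0x0c = 12, 0x1a = 26, 0x000023bc = 9148, 0x01, then the value); feeding the decoder a buffer shorter than its Length byte, or a classic type-26 VSA, raises instead of returning garbage.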
