Vendor-Specific attribute with rlm_rest
Michael A Carpenter - macarpen@us.ibm.com
macarpen at us.ibm.com
Thu May 7 22:42:11 CEST 2020
On May 7, 2020, at 2:45 PM, Alan DeKok <aland at deployingradius.com<mailto:aland at deployingradius.com>> wrote:
On May 7, 2020, at 2:17 PM, Michael A Carpenter - macarpen at us.ibm.com<mailto:macarpen at us.ibm.com> <macarpen at us.ibm.com<mailto:macarpen at us.ibm.com>> wrote:
I'm trying to return the Vendor-Specific attribute with value "H=4,I=4" using the rlm_rest module. I've tried the following authorization response payloads:
{"Attr-26": "0x483d342c493d34"}
{"Vendor-Specific": "H=4,I=4"}
Both resulted in error:
Please don't do that. It's terrible. If you need that in order to interoperate with an idiot vendor, fine. But if you're doing something yourself, this is 1000% the wrong thing to do.
The former, vendor is SuperMicro
You *cannot* and *should not* specify values for the Vendor-Specific attribute. That attribute does not have values like other attributes. Instead, it carries a 32-bit vendor number, followed by encapsulated vendor attributes.
So... why are you doing this?
I arrived at those values based on http://lists.freeradius.org/pipermail/freeradius-users/2017-November/089770.html and https://www.supermicro.com/support/faqs/faq.cfm?faq=22374
Any suggestions for what might be incompatible about the value?
It fails to follow the RFCs. See
https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc8044-23section-2D3.14&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=OI48QQPIMZYKrUbG21FK_VAb6BR2rxkULb952GKjKYI&m=fIq6zgM93RvSIzpzsIi7vNOmXqFH5wJxnVK6JvguSFw&s=-9g8SQJuMKtaktXW5rjyrj4jSB0k75uC1EAfZOizIzs&e=
Which defines the "vsa" data type, for the Vendor-Specific attribute.
As the author of that specification, I feel uniquely qualified to say that your usage of Vendor-Specific is wrong. :)
No argument here :)
More information about the Freeradius-Users
mailing list