
List:       cistron-radius
Subject:    Re: Cisco-AVPair weirdness -- revisited
From:       Alan DeKok <aland () striker ! ottawa ! on ! ca>
Date:       1999-08-27 14:59:23

Mads Kiilerich <mk@solit.dk> wrote:
> It seemed as if radiusd _said_ that it sent both avpairs, but the as5200
> only said that it received one. It seems like it is the "issue with
> duplicate attributes" that is biting me. However I was/am too confused by
> it to locate where the "bug" is...

  If you run the server in debugging mode, and you see:

 ...
  Cisco-AVPair = "foo"
  Cisco-AVPair = "bar"
 ...

  then BOTH are being sent to the NAS.

> Thus - according to Cisco - radiusd _should_ send multiple avpairs.
> "should"; not "perhaps" and "that depends"! ;)

  Agreed.  But Cistron may not sometimes.
 
> In RFC-2138 the possibility of attributes with several instances is
> mentioned. Is the "issue" with radiusd that it isn't allowed at all, or
> only for some hardcoded attributes?

  It isn't allowed, except in certain situations.  This behaviour is
arguably wrong.

  What I'd like to see from the new server is some sort of
dictionary extension, where you could reconfigure this behaviour.
i.e. Take the list of 'allowed' things from the bottom of the RFC, and
have the dictionary routines parse it.

  Then, the attribute handling code could check the 'allowed' values,
and add or replace attributes as necessary.

  But this requires other changes in the server, and it won't be easy.
 
> When I looked at the source some time ago it seemed as if _all_ multiple
> instances were removed when the attributes were moved between the lists. Is
> it so? Or can you give a hint about what you know about the "issue"?

  Yes.

  BUT when a list is created, multiple attributes ARE allowed.

e.g.

bob	Password = "bob"
	Reply-Message = "foo",
	Reply-Message = "bar",
	Fall-Through = Yes

DEFAULT
	Reply-Message = "three",
	Reply-Message = "four"


  When bob logs in, he will get THREE Reply-Message attributes:

	Reply-Message = "foo",
	Reply-Message = "bar",
	Reply-Message = "three"


  The fourth message is silently discarded.

  This behaviour is confusing, and it makes me uncomfortable.  I hope
it can be corrected in the new server.

  Alan DeKok.
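
A sketch of the dictionary-driven "add or replace" check proposed in the message above. This is an added example, not Cistron code: the struct and function names are hypothetical, the table is a hand-copied excerpt of the Access-Accept column of the RFC 2138 attribute table, and treating unlisted attributes as single-valued is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* How often an attribute may appear in an Access-Accept. */
enum occurs { OCC_NONE, OCC_ZERO_OR_ONE, OCC_ZERO_OR_MORE };
struct rule { const char *name; enum occurs accept; };

/* Hand-copied excerpt of the Access-Accept column of the RFC 2138 table. */
static const struct rule rules[] = {
    { "User-Password",   OCC_NONE },
    { "Session-Timeout", OCC_ZERO_OR_ONE },
    { "Reply-Message",   OCC_ZERO_OR_MORE },
    { "Cisco-AVPair",    OCC_ZERO_OR_MORE }, /* sent as Vendor-Specific, 0+ */
};

struct pair { const char *name, *value; };
struct list { struct pair p[16]; int n; };

static enum occurs lookup(const char *name) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].name, name) == 0) return rules[i].accept;
    return OCC_ZERO_OR_ONE; /* assumption: unlisted attributes are single-valued */
}

/* Add one pair to the reply. Returns 1 = appended, 2 = replaced, 0 = refused. */
static int reply_add(struct list *to, const char *name, const char *value) {
    enum occurs o = lookup(name);
    if (o == OCC_NONE) return 0;
    if (o == OCC_ZERO_OR_ONE)
        for (int i = 0; i < to->n; i++)
            if (strcmp(to->p[i].name, name) == 0) { to->p[i].value = value; return 2; }
    if (to->n == 16) return 0; /* list full */
    to->p[to->n].name = name;
    to->p[to->n++].value = value;
    return 1;
}

/* Count the instances of one attribute in a list. */
static int count(const struct list *l, const char *name) {
    int c = 0;
    for (int i = 0; i < l->n; i++) c += strcmp(l->p[i].name, name) == 0;
    return c;
}

int main(void) {
    struct list reply = { .n = 0 };
    const char *msgs[] = { "foo", "bar", "three", "four" }; /* bob, then DEFAULT */
    for (int i = 0; i < 4; i++) reply_add(&reply, "Reply-Message", msgs[i]);
    printf("Reply-Message instances: %d\n", count(&reply, "Reply-Message"));
    return 0;
}
```

With the occurrence rule taken from the table, all four Reply-Message values from the bob and DEFAULT entries reach the reply, while a second Session-Timeout replaces the first instead of being duplicated.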
