List: freeradius-users
Subject: Re: How to set Tag = 0x00 in Tunnel-Private-Group-ID attribute
From: Phani Siriki <yvsg.phanis () gmail ! com>
Date: 2019-09-24 23:31:54
Message-ID: CADsGw2aLhse4V-3347x6sb12uCt_ZkVDK5RsYUBQXWpxWzxmqw () mail ! gmail ! com
Hi Alan
Sorry to bother you. Thank you for the inputs.
Best Regards
On Tue, Sep 24, 2019 at 4:25 PM Alan DeKok <aland@deployingradius.com> wrote:
>
> On Sep 24, 2019, at 6:54 PM, Phani Siriki <yvsg.phanis@gmail.com> wrote:
> > Thank you for your reply. Sorry I should have been more clear. What I
> > meant about RFC 2868 is, they didn't discuss tag=0x00 for
> > Tunnel-private-group-id.
> >
> > https://tools.ietf.org/html/rfc2868#section-3.6
>
> The text is pretty clear:
>
> Tag
> The Tag field is one octet in length and is intended to provide a
> means of grouping attributes in the same packet which refer to the
> same tunnel. If the value of the Tag field is greater than 0x00
> and less than or equal to 0x1F, it SHOULD be interpreted as
> indicating which tunnel (of several alternatives) this attribute
> pertains. If the Tag field is greater than 0x1F, it SHOULD be
> interpreted as the first byte of the following String field.
>
> i.e. Tag values are 0x01 through 0x1f. Values 0x20 through 0xff are the VLAN name.
>
> Value 0x00 is meaningless, and should not be put into a packet.
>
> > Please find some details below. Let's say I am trying to send
> > Tunnel-private-group-id as 2.
> >
> > Access-Accept from Freeradius:
> > =====
> ...
> > AVP: t=Tunnel-Private-Group-Id(81) l=3 val=2
> > Type: 81
> > Length: 3 ==========> No tag id set. Any specific reason
> > for this? Should it be set 0x00 and sent from Freeradius.
> > Tunnel-Private-Group-Id: 2
>
> The tag isn't set to 0x00 because FreeRADIUS doesn't send useless fields.
>
> > Access-packet from Pulse Secure radius server:
> > ====================================
> > ...
> > AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
> > Type: 64
> > Length: 6
> > Tag: 0x00 . ==========> Tag id set
> > Tunnel-Type: VLAN (13)
>
> Because Pulse Secure is wrong. If the tag field is 0x00, it should be removed from the packet.
>
> However, NAS vendors tend to be forgiving about what they accept. So they ignore the tag of zero.
>
> FreeRADIUS also ignores values of 0x00 when it receives those attributes. But FreeRADIUS doesn't *add* a useless field of 0x00 when sending packets.
>
> > There is no problem doing authentication with Freeradius server. It's
> > working perfectly.
>
> Exactly.
>
> > We are trying to determine the behavior of tag field in
> > Tunnel-private-group-id -
> > - tag=0x00, Just treat it as same tunnel?
> > - tag field is not present at all.
> >
> > Just curious to know what is the reason for not setting tag id ==0x00
> > in Tunnel-private-group-id.
>
> Read RFC 2868. Valid tag values are 0x01 through 0x1f, inclusive. The value 0x00 is NOT a tag ID. It is NOT a tag value. It is NOT encoded into a packet.
>
> I'm not sure why you care. If the NAS equipment works, then it doesn't matter what FreeRADIUS sends. If you're trying to understand the RFCs, then this list isn't the place to do that.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
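
Added example (not part of the original thread, and not FreeRADIUS code): a minimal Python encoder and decoder for the tag rules discussed above, covering Tunnel-Private-Group-Id (type 81) only. The function names and the hex sample bytes used with it are constructed for illustration.

```python
# Added example: RFC 2868 section 3.6 tag handling for Tunnel-Private-Group-Id.
# Function names are hypothetical; this is not FreeRADIUS's implementation.
TUNNEL_PRIVATE_GROUP_ID = 81


def encode_tpgid(group, tag=0):
    """Build the attribute bytes. tag=0 means "untagged": no tag octet is sent."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("valid tags are 0x01..0x1f (0 = untagged)")
    value = group.encode("ascii")
    if tag:
        value = bytes([tag]) + value
    elif value and value[0] <= 0x1F:
        # A receiver would misread this first octet as a tag (or a zero tag).
        raise ValueError("untagged string must not start with an octet <= 0x1f")
    if len(value) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, len(value) + 2]) + value


def decode_tpgid(attr):
    """Return (tag, group). tag is None when absent or when sent as 0x00."""
    if len(attr) < 3 or attr[0] != TUNNEL_PRIVATE_GROUP_ID or attr[1] != len(attr):
        raise ValueError("malformed Tunnel-Private-Group-Id attribute")
    value = attr[2:]
    first = value[0]
    if 0x01 <= first <= 0x1F:
        # Real tag: selects one of several tunnels in the same packet.
        return first, value[1:].decode("ascii")
    if first == 0x00:
        # Lenient receive path described in the thread: ignore a zero tag.
        return None, value[1:].decode("ascii")
    # Octet > 0x1f: it is the first byte of the String field itself.
    return None, value.decode("ascii")


if __name__ == "__main__":
    # Constructed sample attributes, all carrying the group "2".
    for label, raw in [
        ("no tag octet (l=3)", bytes.fromhex("510332")),
        ("zero tag octet    ", bytes.fromhex("51040032")),
        ("tag 0x01          ", bytes.fromhex("51040132")),
    ]:
        print(label, raw.hex(), decode_tpgid(raw))
```
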