List:       freeradius-users
Subject:    Re: How to set Tag = 0x00 in Tunnel-Private-Group-ID attribute
From:       Phani Siriki <yvsg.phanis () gmail ! com>
Date:       2019-09-24 23:31:54
Message-ID: CADsGw2aLhse4V-3347x6sb12uCt_ZkVDK5RsYUBQXWpxWzxmqw () mail ! gmail ! com

Hi Alan

Sorry to bother you. Thank you for the inputs.

Best Regards

On Tue, Sep 24, 2019 at 4:25 PM Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Sep 24, 2019, at 6:54 PM, Phani Siriki <yvsg.phanis@gmail.com> wrote:
> > Thank you for your reply. Sorry I should have been more clear. What I
> > meant about RFC 2868 is, they didn't discuss tag=0x00 for
> > Tunnel-private-group-id.
> > 
> > https://tools.ietf.org/html/rfc2868#section-3.6
> 
> The text is pretty clear:
> 
> Tag
> The Tag field is one octet in length and is intended to provide a
> means of grouping attributes in the same packet which refer to the
> same tunnel.  If the value of the Tag field is greater than 0x00
> and less than or equal to 0x1F, it SHOULD be interpreted as
> indicating which tunnel (of several alternatives) this attribute
> pertains.  If the Tag field is greater than 0x1F, it SHOULD be
> interpreted as the first byte of the following String field.
> 
> i.e. Tag values are 0x01 through 0x1f.  Values 0x20 through 0xff are the VLAN name.
> 
> Value 0x00 is meaningless, and should not be put into a packet.
> 
> > Please find some details below. Let's say I am trying to send
> > Tunnel-private-group-id as 2.
> > 
> > Access-Accept from Freeradius:
> > =====
> ...
> > AVP: t=Tunnel-Private-Group-Id(81) l=3 val=2
> > Type: 81
> > Length: 3   ==========> No tag id set. Any specific reason
> > for this? Should it be set 0x00 and sent from Freeradius.
> > Tunnel-Private-Group-Id: 2
> 
> The tag isn't set to 0x00 because FreeRADIUS doesn't send useless fields.
> 
> > Access-packet from Pulse Secure radius server:
> > ====================================
> > ...
> > AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
> > Type: 64
> > Length: 6
> > Tag: 0x00 .   ==========> Tag id set
> > Tunnel-Type: VLAN (13)
> 
> Because Pulse Secure is wrong.  If the tag field is 0x00, it should be removed from the packet.
> 
> However, NAS vendors tend to be forgiving about what they accept.  So they ignore the tag of zero.
> 
> FreeRADIUS also ignores values of 0x00 when it receives those attributes.  But FreeRADIUS doesn't *add* a useless field of 0x00 when sending packets.
> 
> > There is no problem doing authentication with Freeradius server. It's
> > working perfectly.
> 
> Exactly.
> 
> > We are trying to determine the behavior of tag field in
> > Tunnel-private-group-id -
> > - tag=0x00, Just treat it as same tunnel?
> > - tag field is not present at all.
> > 
> > Just curious to know what is the reason for not setting tag id ==0x00
> > in Tunnel-private-group-id.
> 
> Read RFC 2868.  Valid tag values are 0x01 through 0x1f, inclusive.  The value 0x00 is NOT a tag ID.  It is NOT a tag value.  It is NOT encoded into a packet.
> 
> I'm not sure why you care.  If the NAS equipment works, then it doesn't matter what FreeRADIUS sends.  If you're trying to understand the RFCs, then this list isn't the place to do that.
> 
> Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


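Added example, not part of the original messages and not FreeRADIUS code: a small Python decoder/encoder for the Tunnel-Private-Group-Id (type 81) value field that follows the RFC 2868 section 3.6 text quoted above and the receive/send behaviour described in the thread. The function names and the sample AVP bytes are constructed for illustration.

```python
TUNNEL_PRIVATE_GROUP_ID = 81  # attribute type, as shown in the packet dump


def decode_avp(avp: bytes):
    """Return (tag, group_id) for one Tunnel-Private-Group-Id AVP.

    tag is None when no tag is in use.
    """
    if len(avp) < 3:
        raise ValueError("AVP needs type, length and at least one value octet")
    attr_type, length = avp[0], avp[1]
    if attr_type != TUNNEL_PRIVATE_GROUP_ID:
        raise ValueError(f"unexpected attribute type {attr_type}")
    if length != len(avp):
        raise ValueError("length octet does not match AVP size")
    value = avp[2:]
    first = value[0]
    if 0x01 <= first <= 0x1F:
        # Valid tag: groups this attribute with others for the same tunnel.
        return first, value[1:].decode("ascii")
    if first == 0x00:
        # Not a valid tag. Tolerated on receive and dropped, which is how
        # the thread says NAS vendors and FreeRADIUS treat it.
        return None, value[1:].decode("ascii")
    # Greater than 0x1F: the octet is the first byte of the String field.
    return None, value.decode("ascii")


def encode_avp(group_id: str, tag=None) -> bytes:
    """Encode the attribute; an unused tag is omitted, never sent as 0x00."""
    body = group_id.encode("ascii")
    if tag is not None:
        if not 0x01 <= tag <= 0x1F:
            raise ValueError("tag must be 0x01 through 0x1f")
        body = bytes([tag]) + body
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute too long")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, length]) + body


if __name__ == "__main__":
    # Constructed samples: untagged "2", tag 0x01, tag 0x00, VLAN name "guest".
    for sample in (b"\x51\x032", b"\x51\x04\x012", b"\x51\x04\x002", b"\x51\x07guest"):
        print(sample.hex(), "->", decode_avp(sample))
    print(encode_avp("2").hex())  # l=3, matching the Access-Accept in the thread
```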