[RADIATOR] VLAN RADIUS attributes and packets
Jethro R Binks
jethro.binks at strath.ac.uk
Mon Sep 12 09:34:33 CDT 2011
Hi,
For some time I have been investigating some aberrant behaviour when
trying to switch user VLANs via RADIUS on our APs. I have made an
observation, and I do not know if it is relevant, so I state it here and
the wise minds might be able to enlighten me.
So I have lots of config, but the salient part boils down to this:
    <Handler Realm="strath.ac.uk", EAP-Message=/.+/>
        Identifier eap-outer-local
        AuthBy ITSAuthEAPOuter
        RejectHasReason
        AuthLog authlogouter
        AuthLog authsyslog
        AddToReply \
            Tunnel-Type=1:VLAN, \
            Tunnel-Medium-Type=1:Ether_802, \
            Tunnel-Private-Group-ID=1:%{GlobalVar:EduroamLUserVLAN}
        ...
You will note that this is an outer authentication handler.
My observation is that Radiator adds the attributes to all the packets,
including the Access-Challenge packets. I would vaguely have thought that
they only matter on the Access-Accept final reply, however I am beginning
to suspect that some of my APs do care and don't work properly if the
attribute appears in the Access-Challenge responses (in discussion with
vendor about that one).
Does anyone have a view on what correct behaviour should be, whether it
matters, or if this is known to cause an issue with some hardware?
Is there a way to ensure that the attributes are only added to the final
reply, in case it does actually matter in some environments?
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.