[RADIATOR] VLAN RADIUS attributes and packets

Heikki Vatiainen hvn at open.com.au
Mon Sep 12 14:25:48 CDT 2011


On 09/12/2011 05:34 PM, Jethro R Binks wrote:

Hello Jethro,

> My observation is that Radiator adds the attributes to all the packets, 
> including the Access-Challenge packets.  I would vaguely have thought that 
> they only matter on the Access-Accept final reply, however I am beginning 
> to suspect that some of my APs do care and don't work properly if the 
> attribute appears in the Access-Challenge responses (in discussion with 
> vendor about that one).

If you find out if there's a problem with the AP behaviour, please let
the list know. So far I have not heard about attributes in
Access-Challenges causing problems.

> Does anyone have a view on what correct behaviour should be, whether it 
> matters, or if this is known to cause an issue with some hardware?

Closest discussion I know of the topic is this:

http://tools.ietf.org/html/rfc5080#section-2.5

But even this does not discuss Access-Challenge. It does hint at
caution, but in the case of VLAN assignment, I would say the client should
just ignore the attributes until the Access-Accept.

> Is there a way to ensure that the attributes are only added to the final 
> reply, in case it does actually matter in some environments?

You can move the AddToReply into the inner AuthBy. The attributes will be
copied to the outgoing Access-Accept but not to challenges.

If that is not possible, you could use a PostAuthHook that checks the
result and only does add_attr() if the result was ACCEPT. See the
reference manual for more about PostAuthHook parameters and
goodies/hooks.txt for PostAuthHook examples.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
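
Added example, not part of the original post and not Radiator code: a small checker that parses raw RADIUS packets (for instance, UDP payloads taken from a capture) and reports VLAN assignment attributes that appear in an Access-Challenge, which is one way to confirm the effect of moving AddToReply or using a PostAuthHook. The sample packets and the helper names (`parse_attributes`, `vlan_attrs_in_challenge`, `build`) are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11  # RADIUS packet codes (RFC 2865)
# Attributes used for VLAN assignment (RFC 2868 / RFC 3580)
VLAN_ATTRS = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-ID"}

def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def vlan_attrs_in_challenge(packet):
    """Names of VLAN attributes found in an Access-Challenge, else []."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_CHALLENGE:
        return []
    return [VLAN_ATTRS[t] for t, _ in attrs if t in VLAN_ATTRS]

def build(code, attrs):
    """Build a constructed sample packet (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: tag 1, Tunnel-Type=VLAN (13), medium=IEEE-802 (6), VLAN "10"
VLAN = [(64, b"\x01\x00\x00\x0d"), (65, b"\x01\x00\x00\x06"), (81, b"\x0110")]
EAP = (79, b"\x01\x02\x00\x06\x19\x20")  # EAP-Message, constructed
CHALLENGE_WITH_VLAN = build(ACCESS_CHALLENGE, [EAP] + VLAN)
CHALLENGE_CLEAN = build(ACCESS_CHALLENGE, [EAP])
ACCEPT_WITH_VLAN = build(ACCESS_ACCEPT, [EAP] + VLAN)

if __name__ == "__main__":
    for name, pkt in [("challenge with VLAN", CHALLENGE_WITH_VLAN),
                      ("clean challenge", CHALLENGE_CLEAN),
                      ("accept with VLAN", ACCEPT_WITH_VLAN)]:
        print(name, "->", vlan_attrs_in_challenge(pkt) or "ok")
```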

