[RADIATOR] VLAN RADIUS attributes and packets
Heikki Vatiainen
hvn at open.com.au
Mon Sep 12 14:25:48 CDT 2011
On 09/12/2011 05:34 PM, Jethro R Binks wrote:
Hello Jethro,
> My observation is that Radiator adds the attributes to all the packets,
> including the Access-Challenge packets. I would vaguely have thought that
> they only matter on the Access-Accept final reply, however I am beginning
> to suspect that some of my APs do care and don't work properly if the
> attribute appears in the Access-Challenge responses (in discussion with
> vendor about that one).
If you find out if there's a problem with the AP behaviour, please let
the list know. So far I have not heard about attributes in
Access-Challenges causing problems.
> Does anyone have a view on what correct behaviour should be, whether it
> matters, or if this is know to cause an issue with some hardware?
Closest discussion I know of the topic is this:
http://tools.ietf.org/html/rfc5080#section-2.5
But even this does not discuss Access-Challenge. It does hint for
caution, but in case of VLAN assignment, I would say the client should
just ignore the attributes until the Access-Accept.
> Is there a way to ensure that the attributes are only added to the final
> reply, in case it does actually matter in some environments?
You can move the AddToReply into inner AuthBy. The attributes will be
copied to outgoing Access-Accept but not to challenges.
If that is not possible, you could use a PostAuthHook that checks the
result and only does add_attr() if the result was ACCEPT. See the
reference manual for more about PostAuthHook parameters and
goodies/hooks.txt for PostAuthHook examples.
Thanks!
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list