>> Cisco Nexus with NXOS Version older than 4.2 (4.0 and 4.1) don't like
>> the entry "Vendor-Specific = 9".
>
> What does that mean?
>
>> It seems that freeradius adds this automatically if it's not within the
>> config.
>
> No. FreeRADIUS adds almost nothing automatically.
>
>> But, when I put it in the config, the dump shows "bad udp checksum",
>> wireshark "AVP too long". When I remove this line from the config,
>> "vendor-specific=9" is also transmitted, but without checksum/avp too
>> long error.
>>
>> Is this behavior documented anywhere?
>> I didn't find this.
>
> See the FAQ for "it doesn't work".
>
> You haven't shown us the wireshark output. You haven't shown us the
> configuration you added.
>
> Short summaries are *not* enough. We need the *exact* information.
>
> Alan DeKok.

Hi Alan,

Please find the dumps attached.

==========================
dump_ok.cap

test    Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
#       Vendor-Specific = Cisco,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

==========================
dump_notok.cap

test    Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = Cisco,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

==========================
dump_notok_2.cap

test    Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = 9,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

==========================

On Cisco Nexus with NXOS versions older than 4.2, login is possible with the
last config (dump_notok_2.cap), but the roles within the AV pairs are ignored.

Newer devices (NXOS 4.2 and up) will ignore the "AVP too short" and take over
the roles from the RADIUS packet. It seems that there was an update in the
RADIUS implementation to make it more robust.

And as you can see in dump_ok.cap, "Vendor-Specific=9" was sent, even though
it was not in the config. But there is another Cisco AV pair in the config;
is this the reason why the vendor ID was added to the reply?

Jan

Attachments:
dump_ok.cap
dump_notok.cap
dump_notok_2.cap
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
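
Added example (not part of the original thread, and not FreeRADIUS or Cisco code): Cisco-AVPair is carried on the wire as RADIUS attribute 26 (Vendor-Specific) with vendor ID 9 and vendor type 1, and this sketch encodes one and checks whether the sub-attribute lengths inside a Vendor-Specific attribute fit. The function names are hypothetical and the sample attribute lists are constructed for illustration; they are not taken from the attached captures.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
CISCO = 9             # Cisco's IANA enterprise number
CISCO_AVPAIR = 1      # Cisco vendor type 1 = Cisco-AVPair

def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in a Vendor-Specific attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def check_sub(sub):
    """Check that sub-attribute (type, length, value) triples exactly fill the VSA."""
    if not sub:
        return "no sub-attribute"
    i = 0
    while i < len(sub):
        if len(sub) - i < 2 or sub[i + 1] < 2:
            return "sub-attribute too short"
        if i + sub[i + 1] > len(sub):
            return "sub-attribute too long"
        i += sub[i + 1]
    return "ok"

def check_attributes(data):
    """Walk a RADIUS attribute list; return (type, vendor_id, verdict) tuples."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            out.append((data[pos], None, "bad attribute length"))
            break
        atype, body = data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
        if atype != VENDOR_SPECIFIC:
            out.append((atype, None, "ok"))
        elif len(body) < 4:
            out.append((atype, None, "too short for vendor id"))
        else:
            out.append((atype, struct.unpack("!I", body[:4])[0], check_sub(body[4:])))
    return out

# Constructed samples (not the attached captures).
ROLES = b'shell:roles*"network-admin" "vdc-admin"'
# Login-Service (type 15) = Telnet (0), followed by a well-formed Cisco-AVPair
GOOD = bytes([15, 6, 0, 0, 0, 0]) + encode_vsa(CISCO, CISCO_AVPAIR, ROLES)
BARE = bytes([26, 6]) + struct.pack("!I", CISCO)  # vendor id only, no sub-attribute
OVERRUN = bytes([26, 8]) + struct.pack("!I", CISCO) + bytes([CISCO_AVPAIR, 40])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BARE", BARE), ("OVERRUN", OVERRUN)):
        print(name, check_attributes(pkt))
```
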