Do not interpret long class attributes (such as from NPS) as group
authorMartin Willi <martin@revosec.ch>
Fri, 9 Jul 2010 11:53:43 +0000 (13:53 +0200)
committerMartin Willi <martin@revosec.ch>
Fri, 9 Jul 2010 11:53:43 +0000 (13:53 +0200)
src/libcharon/plugins/eap_radius/eap_radius.c

index dfb9778..4b1a879 100644 (file)
@@ -195,15 +195,23 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
        {
                if (type == RAT_CLASS)
                {
+                       identification_t *id;
                        ike_sa_t *ike_sa;
                        auth_cfg_t *auth;
 
+                       if (data.len >= 44)
+                       {       /* quirk: ignore long class attributes, these are used for
+                                * other purposes by some RADIUS servers (such as NPS). */
+                               continue;
+                       }
+
                        ike_sa = charon->bus->get_sa(charon->bus);
                        if (ike_sa)
                        {
                                auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
-                               auth->add(auth, AUTH_RULE_GROUP,
-                                                 identification_create_from_data(data));
+                               id = identification_create_from_data(data);
+                               DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
+                               auth->add(auth, AUTH_RULE_GROUP, id);
                        }
                }
        }
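Review bot: The new `if (data.len >= 44)` guard silently drops a Class attribute without any trace, so a group membership that a RADIUS server legitimately sends with a long name simply disappears and the missing AUTH_RULE_GROUP entry is hard to diagnose; log the skip, e.g. `DBG2(DBG_CFG, "ignoring RADIUS class attribute of %d bytes, too long for a group name", data.len);` before the `continue`. The threshold 44 is a magic number whose origin is only hinted at by the quirk comment; it should be a named constant such as `#define RADIUS_CLASS_GROUP_MAX_LEN 44` carrying the NPS rationale, so a later reader can tell whether the cutoff is an NPS format property or a guess. Since the length heuristic is data-driven rather than a check of what the attribute contains, the comment might also state that shorter opaque Class values will still be turned into group names. process_class begins before the hunk and its surrounding loop closes outside it.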