RFC Errata
Found 6 records.
Status: Verified (4)
RFC 2865, "Remote Authentication Dial In User Service (RADIUS)", June 2000
Note: This RFC has been updated by RFC 2868, RFC 3575, RFC 5080, RFC 6929, RFC 8044
Source of RFC: radius (ops)
Errata ID: 368
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Aaron Webb
Date Reported: 2002-09-12
Section 5.18 says:
Multiple Reply-Message's MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.
It should say:
Multiple Reply-Messages MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.
Errata ID: 1469
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Isaac NickAein
Date Reported: 2008-07-13
Verifier Name: Dan Romascanu
Date Verified: 2011-08-03
Section 7.3. says:
02 01 00 38 15 ef bc 7d ab 26 cf a3 dc 34 d9 c0
3c 86 01 a4 06 06 00 00 00 02 07 06 00 00 00 01
08 06 ff ff ff fe 0a 06 00 00 00 02 0d 06 00 00
00 01 0c 06 00 00 05 dc
It should say:
02 01 00 38 E8 6F A2 FE 28 70 33 AD 2F 6D 5C A3
F7 41 5D A2 06 06 00 00 00 02 07 06 00 00 00 01
08 06 FF FF FF FE 0A 06 00 00 00 00 0D 06 00 00
00 01 0C 06 00 00 05 DC
Notes:
in Attributes, "Framed-Routing" came with value "None" (0)
but in Hex dump of packet the value for this attribute is "Listen for routing packets" (2)
Correct Hex Dump, or Attributes.
Corrected Attributes is:
Attributes:
6 Service-Type (6) = Framed (2)
6 Framed-Protocol (7) = PPP (1)
6 Framed-IP-Address (8) = 255.255.255.254
6 Framed-Routing (10) = Listen for routing packets (2)
6 Framed-Compression (13) = VJ TCP/IP Header Compression (1)
6 Framed-MTU (12) = 1500
----------
VERIFIER NOTE: Referenced section should be 7.2 and not 7.3
Errata ID: 6486
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Paul Bennett
Date Reported: 2021-03-18
Verifier Name: Robert Wilton
Date Verified: 2021-03-24
Section 7.3 says:
The state is the magic cookie from the Access-Challenge packet, unchanged.
01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07
c4 57 ec f0 01 07 6d 6f 70 73 79 02 12 69 2c 1f
20 5f c0 81 b9 19 b9 51 95 f5 61 a5 81 04 06 c0
a8 01 10 05 06 00 00 00 07 18 10 33 32 37 36 39
34 33 30
1 Code = Access-Request (1)
It should say:
The state is the magic cookie from the Access-Challenge packet, unchanged.
01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07
c4 57 ec f0 01 07 6d 6f 70 73 79 02 12 69 2c 1f
20 5f c0 81 b9 19 b9 51 95 f5 61 a5 81 04 06 c0
a8 01 10 05 06 00 00 00 07 18 0a 33 32 37 36 39
34 33 30
1 Code = Access-Request (1)
Notes:
Mistake is length of last attribute of sample packet on page 70, in penultimate line of hex dump. RFC has 0x10; correct value is 0x0a. (Sample on page 69 shows correct value.)
Errata ID: 2712
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Wang Haojian
Date Reported: 2011-02-12
Verifier Name: Dan Romascanu
Date Verified: 2011-02-13
Section 5 says:
Note that none of the types in RADIUS terminate with a NUL (hex 00). In particular, types "text" and "string" in RADIUS do not terminate with a NUL (hex 00). The Attribute has a length field and does not use a terminator. Text contains UTF-8 encoded 10646 [7] characters and String contains 8-bit binary data. Servers and servers and clients MUST be able to deal with embedded nulls. ^^^^^^^^^^^^
It should say:
Note that none of the types in RADIUS terminate with a NUL (hex 00). In particular, types "text" and "string" in RADIUS do not terminate with a NUL (hex 00). The Attribute has a length field and does not use a terminator. Text contains UTF-8 encoded 10646 [7] characters and String contains 8-bit binary data. Servers and clients MUST be able to deal with embedded nulls.
Notes:
Unnecessary Words.
Status: Held for Document Update (1)
Errata ID: 6915
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Oleg Pekar
Date Reported: 2022-04-02
Held for Document Update by: Rob Wilton
Date Held: 2024-02-09
Section 5 says:
The Value field is zero or more octets and contains information specific to the Attribute.
It should say:
The Value field is one or more octets and contains information specific to the Attribute.
Notes:
Section "5. Attributes" is ambiguous when it talks about the attribute value size:
First it says: "The Value field is zero or more octets", then it provides 5 possible value data types none of which allows a zero length value. For 'text' type it says: "Text of length zero (0) MUST NOT be sent; omit the entire attribute instead" and the same for 'string' type.
Section "5.26. Vendor-Specific" also says about the value of a vendor-specific attribute "The String field is one or more octets".
Thus the RFC allows empty values for attributes in general but prohibits for any declared types of the attributes.
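As an added illustration (not part of the errata reports or of RFC 2865), the following Python walker applies the length rules these errata turn on to the Section 7.3 sample packet from erratum 6486, in both its published and corrected forms. Values are returned as raw bytes, so embedded NULs survive (erratum 2712); rejecting zero-length values by default follows the reading in erratum 6915 and is an assumption of this example, as are the names `parse_attributes`, `MalformedPacket` and `allow_empty`.

```python
HEADER_LEN = 20    # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET = 4096  # maximum packet length in RFC 2865

# Section 7.3 Access-Request as quoted in erratum 6486; only the length
# octet of the final State (24) attribute differs between the two forms.
_SAMPLE = (
    "01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07 "
    "c4 57 ec f0 01 07 6d 6f 70 73 79 02 12 69 2c 1f "
    "20 5f c0 81 b9 19 b9 51 95 f5 61 a5 81 04 06 c0 "
    "a8 01 10 05 06 00 00 00 07 18 {state_len} 33 32 37 36 39 "
    "34 33 30"
)
AS_PUBLISHED = bytes.fromhex(_SAMPLE.format(state_len="10"))
CORRECTED = bytes.fromhex(_SAMPLE.format(state_len="0a"))


class MalformedPacket(ValueError):
    """Raised when a length field is inconsistent with the data."""


def parse_attributes(packet, allow_empty=False):
    """Return [(type, value_bytes), ...] or raise MalformedPacket."""
    if len(packet) < HEADER_LEN:
        raise MalformedPacket("shorter than the 20-octet header")
    declared = int.from_bytes(packet[2:4], "big")
    if not HEADER_LEN <= declared <= min(len(packet), MAX_PACKET):
        raise MalformedPacket(f"bad header Length {declared}")
    attrs, pos = [], HEADER_LEN
    while pos < declared:  # octets past the declared Length are padding
        if declared - pos < 2:
            raise MalformedPacket(f"truncated attribute at offset {pos}")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:  # Length counts the Type and Length octets too
            raise MalformedPacket(f"attribute {attr_type}: length {attr_len} < 2")
        if pos + attr_len > declared:
            raise MalformedPacket(
                f"attribute {attr_type} at offset {pos}: "
                f"length {attr_len} overruns packet end {declared}")
        if attr_len == 2 and not allow_empty:  # policy assumed by this example
            raise MalformedPacket(f"attribute {attr_type}: empty value")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


if __name__ == "__main__":
    for name, pkt in (("published", AS_PUBLISHED), ("corrected", CORRECTED)):
        try:
            print(name, parse_attributes(pkt))
        except MalformedPacket as exc:
            print(name, "rejected:", exc)
```

With the published length octet 0x10 the State attribute claims 16 octets starting at offset 57 of a 67-octet packet, so the walker rejects it; with 0x0a the attributes end exactly at the header Length.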
Status: Rejected (1)
Errata ID: 4077
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Axel Luttgens
Date Reported: 2014-08-10
Rejected by: Benoit Claise
Date Rejected: 2014-10-07
Section 3 says:
Response Authenticator
The value of the Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of: the RADIUS packet, beginning with the Code field, including the Identifier, the Length, the Request Authenticator field from the Access-Request packet, and the response Attributes, followed by the shared secret. That is,
ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
where + denotes concatenation.
It should say:
Response Authenticator
The value of the Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of: the response Code field, the Identifier, the response Length, the Request Authenticator, the response Attributes, and finally the shared secret. That is,
ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
where + denotes concatenation.
Notes:
This sentence fragment "[...] consisting of: the RADIUS packet, [...]" tends to imply one is considering either the Access-Request packet, or the reply packet being under construction.
But this is inconsistent with the idea of having the MD5 hash calculated over both the Request Authenticator and the response Attributes...
--VERIFIER NOTES--
As discussed with the AAA doctors
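The formula quoted in erratum 4077, worked through in Python as an added example (not part of the erratum or of RFC 2865): Code, Identifier, Length and Attributes come from the response, while the 16 authenticator octets hashed are those of the matching Access-Request. The shared secret, the request packet and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-secret"  # constructed shared secret, not from the RFC
# Constructed Access-Request: Code 1, Identifier 7, Length 20, authenticator 00..0f
REQUEST = struct.pack("!BBH", 1, 7, 20) + bytes(range(16))


def build_response(code, identifier, attributes, request_auth, secret):
    """Build a response whose Authenticator field is
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def verify_response(response, request, secret):
    """Client-side check of a response against the request it answers."""
    if len(response) < 20 or len(request) < 20:
        return False
    _code, identifier, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response) or identifier != request[1]:
        return False
    # Response header and attributes, but the *request's* authenticator octets.
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:length] + secret
    ).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    attrs = bytes.fromhex("06 06 00 00 00 02")  # Service-Type (6) = Framed (2)
    accept = build_response(2, 7, attrs, REQUEST[4:20], SECRET)
    print("valid:", verify_response(accept, REQUEST, SECRET))
    tampered = accept[:-1] + b"\x01"
    print("tampered:", verify_response(tampered, REQUEST, SECRET))
```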