
Radius password length


The Extreme XOS is not fully compliant with the RADIUS RFC 2865.
https://tools.ietf.org/html/rfc2865

In the RFC, it is recommended to support a user name of at least 64 chars, and a password of at least 128 chars.
But the XOS implementation limits all user names and passwords to 32 chars.
With telnet the password is truncated to 32 chars, but with ssh, the switch blocks it directly without sending it to the AAA server.
I understand the internal limitation, but the XOS must be fully compliant with the RADIUS protocol, and the XOS must not apply its internal limit to the external AAA server.

For authentication on an external FreeRADIUS with Yubico OTP, which generates a 44-char one-time password, we can't use it with this XOS.
Yubico is one of the best open-source OTP solutions, used by many, many companies (Google, Facebook, GitHub), so it would be very nice if the RADIUS implementation permitted more than 32 chars (64 at least).

Thanks
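What the 32-character limit means on the wire, as an added example that is not part of the original post or of EXOS: RFC 2865 section 5.2 pads the User-Password to a multiple of 16 octets (up to 128) and hides it with MD5 chained from the shared secret and Request Authenticator. The secret, authenticator and 44-character OTP below are constructed sample values.

```python
import hashlib

MAX_OCTETS = 128  # largest User-Password value allowed by RFC 2865 section 5.2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the value of a User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_OCTETS:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and strip the null padding."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= MAX_OCTETS:
        raise ValueError("malformed User-Password value")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def user_password_attribute(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    value = hide_password(password, secret, authenticator)
    return bytes([2, 2 + len(value)]) + value  # Type 2, Length, hidden value

# Constructed sample values (not taken from any real deployment)
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
OTP = b"vvcccccccccc" + b"bdefghijklnrtuvc" * 2  # 12-char ID + 32-char OTP = 44

if __name__ == "__main__":
    full = user_password_attribute(OTP, SECRET, AUTHENTICATOR)
    print("full OTP attribute length:", full[1])  # 3 blocks of 16 plus 2 header octets
    cut = hide_password(OTP[:32], SECRET, AUTHENTICATOR)
    print("server sees after 32-char truncation:", reveal_password(cut, SECRET, AUTHENTICATOR))
```

The full OTP fits in three 16-octet blocks, while a client that truncates to 32 characters sends a valid two-block attribute that the server decodes to a different string, so validation fails at the OTP backend rather than at the RADIUS layer.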

3 replies

Userlevel 1
Hello,

In the EXOS 16.1 User Guide on page 948 it is stated that for the RADIUS User-Password attribute RFC 2138 is being used, not RFC 2865.

For a list of further RADIUS attributes and the corresponding RFC within the EXOS implementation please see the full table on pages 974/975.
The 16.1 User Guide can be found at the following location: http://documentation.extremenetworks.com/exos/16.1/EXOS_User_Guide_16_1.pdf

In case this is causing an issue, as in your case with the Yubico OTP solution, I recommend opening up a feature request to see if this can be implemented.
The pages are 974 and 975, but the table is marked as used by Network Login.
I haven't found the same table for Session Management.

RFC 2138 (1997) and RFC 2865 (2000) both recommend supporting at least 64 chars for the user, and at least 128 chars for the password, in my reading.

I don't know how to open a feature request. Do you have a URL?

Thanks
Userlevel 1
This should be the same implementation.

For a feature request I recommend getting in touch with the account/sales team, so they can initiate this for you.
