Do not interpret long class attributes (such as from NPS) as group

diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index dfb97786a5eb49bb0116a573fb2858ad024e7e88..4b1a879c385bcf52c901488d23d3be8aa09a2f70 100644 (file)
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -195,15 +195,23 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
        {
                if (type == RAT_CLASS)
                {
+                       identification_t *id;
                        ike_sa_t *ike_sa;
                        auth_cfg_t *auth;
 
+                       if (data.len >= 44)
+                       {       /* quirk: ignore long class attributes, these are used for
+                                * other purposes by some RADIUS servers (such as NPS). */
+                               continue;
+                       }
+
                        ike_sa = charon->bus->get_sa(charon->bus);
                        if (ike_sa)
                        {
                                auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
-                               auth->add(auth, AUTH_RULE_GROUP,
-                                                 identification_create_from_data(data));
+                               id = identification_create_from_data(data);
+                               DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
+                               auth->add(auth, AUTH_RULE_GROUP, id);
                        }
                }
        }