Juniper Questions (MX/ERX)

Bjørn Mork bjorn at mork.no
Wed Jan 25 21:22:30 CET 2012 

"Paul Stewart" <paul at paulstewart.org> writes:

> I'm trying to get an understanding on a FreeRadius installation how to
> enable the unisphere.dictionary.  There are specific attributes in that file
> that we need such as "Unisphere-Ingress-Policy-Name".  By default, this
> dictionary file is commented out due to "attribute conflicts".
>
>  
>
> Can someone share a bit more info?  I need unisphere attributes and also erx
> attributes to function on the same FreeRadius system ultimately .. We have a
> mixture of Juniper ERX equipment and Juniper MX equipment that needs to talk
> to FreeRadius.

So do we.  And it does work very well with the default FreeRADIUS
dictionaries. 

> When I try to add a "Unisphere-Ingress-Policy-Name = 512k" for example in
> the users file I get "invalid integer" error.

There is no Unishpere dictionary.  It has always been dictionary.erx
from the beginning of FreeRADIUS.  And the attributes all have "ERX"
prefix, even those that are JUNOS specific (with the exception of some
"Sdx" attributes. Don't know how that happend.  Hope it wasn't me :-). 

I chose to continue using the ERX prefix for the latest batch of JUNOS
specific attributes, to keep the vendor id to attribute prefix mapping
consistent. I'd like to hear comments on that decision from other
FreeRADIUS and multi-platform Juniper customers.

Juniper themselves use a mix of Jnpr, Unisphere, Sdx and Erx as prefixes
depending on which system the attribute is for.  But that does not
really work either, as some of the attributes are really multi-system.
Like ERX-Virtual-Router-Name (26-1) which is just as valid on both JUNOS
(MX access) and JUNOSe (ERX).  This was one of the main reasons why I
decided not to follow their route to confusion.  The other reason was
remembering when they renamed a few com.unisphere.* java classes to
net.juniper.* without thinking about the unnecessary confusion that
would create.  Made me aware that they really don't have a clue about
stable naming...

All in all, I believe the current FreeRADIUS dictionary makes more sense
than any of the alternatives.  And if in doubt you can always match up
the actual attribute codes.  Juniper are nice enough to document them.


Bjørn

More information about the Freeradius-Users mailing list