<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><base href="x-msg://4350/"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks so much for that info… I did roll a ticket with Juniper and will follow up with them. If anything of substance comes out of this I’ll be sure to share back to the list for other Juniper users to benefit from ;)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Paul<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> freeradius-users-bounces+paul=paulstewart.org@lists.freeradius.org [mailto:freeradius-users-bounces+paul=paulstewart.org@lists.freeradius.org] <b>On Behalf Of </b>Arran Cudbard-Bell<br><b>Sent:</b> Monday, January 30, 2012 2:29 PM<br><b>To:</b> FreeRadius users mailing list<br><b>Subject:</b> Re: Mixed Environment Question<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi Paul,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Just double checked and found this is actually only a 'must' requirement for servers, unfortunately the requirements for clients are that they 'should' ignore unknown VSAs and attributes of an unknown type. 
I'm not entirely sure why that is, seems pretty dumb to me to reject a user if the packet contains VSAs from another vendor.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Honestly this is probably a bug in Juniper's RADIUS client implementation. We found a similar one in HP ProCurve's where the attribute offset wouldn't be incremented properly if a VSA was found with a non HP vendor ID... oops.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Apologies for the slightly incorrect info.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Best Regards,<o:p></o:p></p></div><div><p class=MsoNormal>Arran<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On 30 Jan 2012, at 19:39, Paul Stewart wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thank you for answering that question 100% - much appreciated.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I will roll a ticket with Juniper as their MX series in my testing does *<b>not</b>* ignore additional VSA’s – I just proved it out in our lab. 
Their ERX series in particular does ignore additional VSA’s and a Cisco 7206VXR I just tested as well ignores them perfectly.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cheers,</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Paul</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;border-width:initial;border-color:initial'><div><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span class=apple-converted-space><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a href="mailto:freeradius-users-bounces+paul=paulstewart.org@lists.freeradius.org">freeradius-users-bounces+paul=paulstewart.org@lists.freeradius.org</a> [mailto:freeradius-users-bounces+paul=<a href="mailto:paulstewart.org@lists.freeradius.org">paulstewart.org@lists.freeradius.org</a>]<span class=apple-converted-space> </span><b>On Behalf Of<span class=apple-converted-space> </span></b>Arran Cudbard-Bell<br><b>Sent:</b><span class=apple-converted-space> </span>Monday, January 30, 2012 1:18 PM<br><b>To:</b><span class=apple-converted-space> </span>FreeRadius users mailing list<br><b>Subject:</b><span 
class=apple-converted-space> </span>Re: Mixed Environment Question</span><o:p></o:p></p></div></div></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div></div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>So far I have tested this on a Juniper ERX and it simply ignores the Cisco attributes, which was what I’m hoping for.</span><o:p></o:p></p></div></div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div></div></div></blockquote><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal>It has to according to RFC 2865, if it doesn't open a support call with Juniper.<o:p></o:p></p></div></div><div><div><p class=MsoNormal><span class=apple-style-span><span style='font-size:11.5pt;font-family:"Calibri","sans-serif"'> </span></span><o:p></o:p></p></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I plan to float some Juniper attributes towards some Cisco gear at some point to see how it handles it. Anyone have much practical experience with this? Is it expected to always ignore additional VSA’s or is it a ‘crap shoot’ depending on the vendor?</span><o:p></o:p></p></div></div></div></blockquote><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'>Stick VSAs from as many different vendors as you want in the Reply. 
The NAS *MUST* ignore attributes that it can't process, it's one of the fundamentals of the RADIUS protocol.<o:p></o:p></p></div><div><div><p class=MsoNormal>-Arran<o:p></o:p></p></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Arran Cudbard-Bell<br><a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a><br><br>Betelwiki, Betelwiki, Betelwiki....<span class=apple-converted-space> </span><a href="http://wiki.freeradius.org/">http://wiki.freeradius.org/</a><span class=apple-converted-space> </span>!</span><o:p></o:p></p></div></div></div></div><div><p class=MsoNormal> <o:p></o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Arran Cudbard-Bell<br><a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a><br><br>Betelwiki, Betelwiki, Betelwiki....<span class=apple-converted-space> </span><a href="http://wiki.freeradius.org/">http://wiki.freeradius.org/</a> !<o:p></o:p></span></p></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>