radclient CoA and salt-encrypted attributes
Hello, We've been strugglig with CoA and LI on Juniper E-series. The problem is that JUNOSe by default require a few salt-encrypted VSAs also when using CoA, which means that they must be encrypted using an accounting request authenticator. But the salt-encryption code in libfreeradius bails out unless it is answering a request: bmork@xxxx:~/test$ bin/radclient -x -d share/freeradius e320:1700 coa secret -f testfiles/coa2 radclient: Failed to send packet for ID 243: ERROR: No request packet, cannot encrypt ERX-Med-Port-Number attribute in the vp. Sending CoA-Request of id 243 to 192.168.65.42 port 1700 Acct-Session-Id = "GigabitEthernet 1/0/3.100:100:0005245984" ERX-Med-Port-Number = 1984 The attached patch will use an accounting request authenticator when salt-encrypting for accounting, disconnect or coa. It has been verified to work against JUNOSe 7.3.4: bmork@xxxx:~/test$ bin/radclient -x -d share/freeradius e320:1700 coa secret -f testfiles/coa2 Sending CoA-Request of id 37 to 192.168.65.42 port 1700 Acct-Session-Id = "GigabitEthernet 1/0/3.100:100:0005246741" ERX-Med-Port-Number = 1984 ERX-LI-Action = on ERX-Med-Ip-Address = 10.0.0.2 ERX-Med-Dev-Handle = 0x4000dead rad_recv: CoA-ACK packet from host 192.168.65.42 port 1700, id=37, length=20 Is this something that could be added to the source? Is the routine still to file a bug and attach the patch? Bjørn
Bjørn Mork wrote:
We've been strugglig with CoA and LI on Juniper E-series. The problem is that JUNOSe by default require a few salt-encrypted VSAs also when using CoA, which means that they must be encrypted using an accounting request authenticator.
Ah, OK.
The attached patch will use an accounting request authenticator when salt-encrypting for accounting, disconnect or coa. It has been verified to work against JUNOSe 7.3.4:
I've applied it, with one change: the default for packets is to use original->request. This lets it work normally for CoA-ACK and Disconnect-Ack, too. With the patch as posted, it wouldn't work for those two packets. It's a bit of a corner case, but it's worth thinking about. Alan DeKok.
Alan DeKok <aland@deployingradius.com> writes:
Bjørn Mork wrote:
The attached patch will use an accounting request authenticator when salt-encrypting for accounting, disconnect or coa. It has been verified to work against JUNOSe 7.3.4:
I've applied it, with one change: the default for packets is to use original->request. This lets it work normally for CoA-ACK and Disconnect-Ack, too. With the patch as posted, it wouldn't work for those two packets.
It's a bit of a corner case, but it's worth thinking about.
Sure. Thanks. Bjørn
participants (2)
-
Alan DeKok -
Bjørn Mork