Hello, I was hoping to send a few salt-encrypted VSAs to an ERX using FreeRADIUS Version 1.0.4, but I can't find any examples of how to do that. Is it possible, and if so, how? The format of the VSAs is documented on http://www.juniper.net/techpubs/software/erx/junose700/swconfig-broadband/ht... My initial (far fetched) attempt was to modify dictionary.erx like this: VENDOR ERX 4874 BEGIN-VENDOR ERX ATTRIBUTE ERX-Virtual-Router-Name 1 string [..] ATTRIBUTE ERX-LI-Action 58 integer encrypt=1 ATTRIBUTE ERX-Med-Dev-Handle 59 string encrypt=1 ATTRIBUTE ERX-Med-Ip-Address 60 ipaddr encrypt=1 ATTRIBUTE ERX-Med-Port-Number 61 integer encrypt=1 END-VENDOR ERX [..] VALUE ERX-LI-Action off 0 VALUE ERX-LI-Action on 1 VALUE ERX-LI-Action noop 2 I also tried the other documented encrypt-values, with no success. As probably should be expected? The ERX seems to just ignore Access-Accept packets with any of these attributes. They are not even logged as received. Not much help there. Cisco has a bit better documentation with some examples (but not for FreeRADIUS) here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122... Does anyone have an idea of how to do this with FreeRADIUS? Bjørn
Bjørn Mork <bjorn@mork.no> writes:
I was hoping to send a few salt-encrypted VSAs to an ERX using FreeRADIUS Version 1.0.4, but I can't find any examples of how to do that. Is it possible, and if so, how?
I should have Googled a bit more before posting... I have now read the relevant part of the source and alsp this very old and expired draft: http://www.freeradius.org/rfc/draft-ietf-radius-saltencrypt-00.txt My problem seems to be that FreeRADIUS will only encrypt string or octet values, while Juniper has defined salt encrypted integer and ipaddr VSAs too. Bjørn
=?iso-8859-1?Q?Bj=F8rn_Mork?= <bjorn@mork.no> wrote:
My problem seems to be that FreeRADIUS will only encrypt string or octet values, while Juniper has defined salt encrypted integer and ipaddr VSAs too.
Try setting "encrypt=2" for attribute 59. That should work there. For the non-string attributes, it may be possible to patch src/lib/radius.c to decrypt them, too. I wouldn't be surprised if the patch was only a few lines. But either you need C experience to write the patch, or you need to supply the packet data to someone who can write the patch. Alan DeKok.
"Alan DeKok" <aland@ox.org> writes:
=?iso-8859-1?Q?Bj=F8rn_Mork?= <bjorn@mork.no> wrote:
My problem seems to be that FreeRADIUS will only encrypt string or octet values, while Juniper has defined salt encrypted integer and ipaddr VSAs too.
Try setting "encrypt=2" for attribute 59. That should work there.
Yup. Thanks. I should have seen that 2 was the correct method.
For the non-string attributes, it may be possible to patch src/lib/radius.c to decrypt them, too. I wouldn't be surprised if the patch was only a few lines.
But either you need C experience to write the patch, or you need to supply the packet data to someone who can write the patch.
This seems to do the job: Any chance of getting something like this into the 1.0 branch, or should I prepare a nicer patch for CVS HEAD instead? There is also this dictionary update to go with it, but it's pretty useless without the patch: Bjørn
participants (2)
-
Alan DeKok -
Bjørn Mork