Mixed Environment Question

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jan 30 20:28:49 CET 2012


Hi Paul,

Just double checked and found this is actually only a 'must' requirement for servers; unfortunately, the requirement for clients is that they 'should' ignore unknown VSAs and attributes of an unknown type. I'm not entirely sure why that is; seems pretty dumb to me to reject a user if the packet contains VSAs from another vendor.

Honestly, this is probably a bug in Juniper's RADIUS client implementation. We found a similar one in HP ProCurve's, where the attribute offset wouldn't be incremented properly if a VSA was found with a non-HP vendor ID... oops.

Apologies for the slightly incorrect info.

Best Regards,
Arran

On 30 Jan 2012, at 19:39, Paul Stewart wrote:

> Thank you for answering that question 100% - much appreciated.
>  
> I will roll a ticket with Juniper as their MX series in my testing does *not* ignore additional VSAs – I just proved it out in our lab. Their ERX series in particular does ignore additional VSAs, and a Cisco 7206VXR I just tested as well ignores them perfectly.
>  
> Cheers,
>  
> Paul
>  
>  
> From: freeradius-users-bounces+paul=paulstewart.org at lists.freeradius.org [mailto:freeradius-users-bounces+paul=paulstewart.org at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
> Sent: Monday, January 30, 2012 1:18 PM
> To: FreeRadius users mailing list
> Subject: Re: Mixed Environment Question
>  
>  
>  
> > So far I have tested this on a Juniper ERX and it simply ignores the Cisco attributes, which was what I’m hoping for.
>  
>  
> It has to according to RFC 2865; if it doesn't, open a support call with Juniper.
>  
> > I plan to float some Juniper attributes towards some Cisco gear at some point to see how it handles it.  Anyone have much practical experience with this?  Is it expected to always ignore additional VSAs or is it a ‘crap shoot’ depending on the vendor?
>  
> Stick VSAs from as many different vendors as you want in the Reply. The NAS *MUST* ignore attributes that it can't process, it's one of the fundamentals of the RADIUS protocol.
> 
> -Arran
>  
>  
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
>  
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
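
As an added example, not code from the original thread or from FreeRADIUS, Juniper or HP: a minimal Python walker over RADIUS attributes (RFC 2865 section 5 TLV layout, Vendor-Specific type 26 carrying a 4-byte Vendor-Id followed by vendor-type/vendor-length sub-attributes) showing the behaviour discussed above. The correct NAS consumes its own vendor's VSAs and steps over everyone else's by their full Length, and also steps over a standard attribute of a type it doesn't implement; a hypothetical reconstruction of the offset bug Arran mentions (a guess at the shape of such a bug, not HP's actual code) rejects a perfectly valid Access-Accept instead. The sample attribute payload, the Juniper sub-attribute, the unassigned type 200 attribute and the set of standard attributes the NAS "understands" are constructed for illustration; the enterprise numbers 9 (Cisco) and 2636 (Juniper) are the IANA assignments, and Cisco-AVPair is Cisco vendor-type 1.

```python
"""Minimal RADIUS attribute walker (RFC 2865 section 5 TLV layout) illustrating why a NAS
must step over foreign-vendor VSAs by their full Length.  Added example, not FreeRADIUS,
Juniper or HP code; the sample payload and the NAS's 'known' attribute set are constructed."""
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 s5.26
CISCO = 9              # IANA enterprise number
JUNIPER = 2636         # IANA enterprise number
KNOWN_STD = {6, 8}     # standard types this hypothetical NAS implements (Service-Type, Framed-IP-Address)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1), Length (1, includes the 2-byte header), Value."""
    assert len(value) <= 253
    return bytes([atype, 2 + len(value)]) + value


def vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode a Vendor-Specific attribute in the RFC 2865 recommended sub-attribute format."""
    sub = bytes([vendor_type, 2 + len(data)]) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


# Constructed Access-Accept attribute payload mixing vendors, as in the reply discussed above.
SAMPLE_ACCEPT_ATTRS = (
    attr(6, struct.pack("!I", 2))                                    # Service-Type = Framed-User
    + vsa(CISCO, 1, b"lcp:interface-config=ip vrf forwarding CUST")  # Cisco-AVPair (vendor-type 1)
    + vsa(JUNIPER, 1, b"cust-policy")                                # constructed Juniper sub-attribute
    + attr(200, b"\x01")                                             # unassigned type, for illustration
    + attr(8, bytes([192, 168, 10, 5]))                              # Framed-IP-Address
)


def walk_attributes(buf: bytes):
    """Yield (Type, Value) for each attribute, advancing by the attribute's own Length."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, alen = buf[off], buf[off + 1]
        if alen < 2 or off + alen > len(buf):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, buf[off + 2 : off + alen]
        off += alen


def parse_vsa(value: bytes):
    """Split a VSA value into (Vendor-Id, [(vendor-type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, list(walk_attributes(value[4:]))  # sub-attributes share the TLV layout


def nas_process(buf: bytes, my_vendor: int):
    """Correct NAS behaviour: act on what it understands, silently ignore the rest.
    Returns (understood, ignored) so the split is inspectable."""
    understood, ignored = [], []
    for atype, value in walk_attributes(buf):
        if atype == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            if vendor_id == my_vendor:
                understood.extend(("vsa", vendor_id, vt, vd) for vt, vd in subs)
            else:
                ignored.append(("vsa", vendor_id))   # another vendor's VSA: skipped as a whole
        elif atype in KNOWN_STD:
            understood.append(("std", atype, value))
        else:
            ignored.append(("std", atype))           # unknown standard type: also skipped
    return understood, ignored


def nas_process_buggy(buf: bytes, my_vendor: int):
    """Hypothetical reconstruction of the offset bug described in the thread (a guess at its
    shape, not HP's code): a foreign VSA is 'skipped' past its 2-byte header only, so the next
    iteration reads the Vendor-Id bytes as a Type/Length pair and the packet is rejected."""
    understood, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, alen = buf[off], buf[off + 1]
        if alen < 2 or off + alen > len(buf):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        value = buf[off + 2 : off + alen]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] != my_vendor:
            off += 2                                 # BUG: must be off += alen
            continue
        understood.append((atype, value))
        off += alen
    return understood


def nas_accepts(process, buf: bytes, my_vendor: int) -> bool:
    """True if the given NAS implementation parses the reply without rejecting it."""
    try:
        process(buf, my_vendor)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, vendor in (("Juniper", JUNIPER), ("Cisco", CISCO)):
        understood, ignored = nas_process(SAMPLE_ACCEPT_ATTRS, vendor)
        print(f"{name} NAS (correct): understood={understood} ignored={ignored}")
        print(f"{name} NAS (buggy):   accepts={nas_accepts(nas_process_buggy, SAMPLE_ACCEPT_ATTRS, vendor)}")
```

Run it with either vendor as "self" and the correct walker lists the other vendor's VSA and the type 200 attribute under ignored while still applying Service-Type, Framed-IP-Address and its own sub-attribute; the buggy walker fails on the first foreign VSA it meets, which is exactly the "reject the user because the reply mentions another vendor" outcome described above. The same walker doubles as a quick check of a reply you are about to send: if `walk_attributes` raises on your own packet, the problem is on the server side, not the NAS.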
