Juniper-Local-User-Name reply attribute

David Aldwinckle daldwinckle at uwaterloo.ca
Mon Oct 31 16:35:15 CET 2016


Hi Alan,

>> Unfortunately, I can't trick my Juniper SRX device into accepting Cisco-AVPair attributes.
> 
>  That's by design.  Vendor-specific attributes are specific to each vendor.

Heh. That was a joke. Not funny I guess.

>  What does the full debug output say?  We can make guesses from zero information.   Which is why we always ask for the debug output.

The full debug contains a lot of sensitive info, which is why I only send it as a last resort, and after heavy sanitization. I understand that this can be frustrating for you and others who help out on the list. My apologies.

I fixed my problem by modifying the file mods-config/attr_filter/post-proxy and adding the line:

Juniper-Local-User-Name =* ANY

Regards,
Dave


> On Oct 27, 2016, at 3:21 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Oct 27, 2016, at 3:13 PM, Dave Aldwinckle <daldwinc at uwaterloo.ca> wrote:
>> If I change the unlang to the following, the Juniper-Local-User-Name does not appear in the Access-Accept. The rest of the debug output for entering the if statement looks identical.
>> 
>>       if (&myAttribute == "srx") {
>>               update reply {
>>                       Juniper-Local-User-Name := "limited"
>>                       Service-Type := Login-User
>>               }
>>       }
>> 
>> I have confirmed that the proper dictionary exists on the server:
> 
>  Ok...
> 
>> Any ideas?
> 
>  What does the full debug output say?  We can make guesses from zero information.   Which is why we always ask for the debug output.
> 
>> Unfortunately, I can't trick my Juniper SRX device into accepting Cisco-AVPair attributes.
> 
>  That's by design.  Vendor-specific attributes are specific to each vendor.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list