Juniper CoA mirror attributes

Nathan Ward lists+freeradius at
Tue Sep 3 07:52:08 CEST 2019

> On 3/09/2019, at 5:49 PM, Nathan Ward <lists+freeradius at> wrote:
> Hi all,
> Working with some colleagues, we have found a breaking change in behaviour between (believe it or not) 2.2.x and 3.0.x for the Juniper mirror attributes, below:
> ATTRIBUTE       ERX-LI-Action                           58      integer encrypt=2
> ATTRIBUTE       ERX-Med-Dev-Handle                      59      octets  encrypt=2
> ATTRIBUTE       ERX-Med-Ip-Address                      60      ipaddr  encrypt=2
> ATTRIBUTE       ERX-Med-Port-Number                     61      integer encrypt=2
> The make_tunnel_password function sets a tag of 00 now for these, where in 2.2.9 it does not. Juniper routers implementing this expect a salt+password, but not tag.

Sorry, not make_tunnel_password, but where it’s called - vp2data_any. Around src/lib/radius.c:970.

> These attributes are encoded correctly in an Access-Accept, but not in a CoA.
> This looks to have been changed for both Access-Accept and CoA 10 years ago in c5aa669eeb6, and was fixed for Access-Accept in 5dcd6495fcd.
> I’d like to submit a patch to fix this, mirroring the functionality of Access-Accept only encoding a tag if has_tag is set in the dictionary, but, not sure if this will break things in other dictionaries… Is there a difference between tunnel-password encryption between CoA and Access-Accept, or, should we trust the dictionary for both here?
> --
> Nathan Ward

More information about the Freeradius-Users mailing list