Juniper CoA mirror attributes
Bjørn Mork
bjorn at mork.no
Tue Sep 3 08:28:57 CEST 2019
Nathan Ward <lists+freeradius at daork.net> writes:
> Working with some colleagues, we have found a breaking change in behaviour between (believe it or not) 2.2.x and 3.0.x for the Juniper mirror attributes, below:
> ATTRIBUTE ERX-LI-Action 58 integer encrypt=2
> ATTRIBUTE ERX-Med-Dev-Handle 59 octets encrypt=2
> ATTRIBUTE ERX-Med-Ip-Address 60 ipaddr encrypt=2
> ATTRIBUTE ERX-Med-Port-Number 61 integer encrypt=2
>
> The make_tunnel_password function sets a tag of 00 now for these, where in 2.2.9 it does not. Juniper routers implementing this expect a salt+password, but not tag.
>
> These attributes are encoded correctly in an Access-Accept, but not in a CoA.
Yes, we found the same issue when we finally migrated to 3.0. It's
fixed by commit c76bedd797fe ("fix untagged tunnel encrypted attributes
in CoA requests"), which is in 3.0.19.
Bjørn
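
The layout difference discussed in this thread, as an added example that is not part of the original messages and not FreeRADIUS code: a Python sketch of the RFC 2868 salted encryption used for `encrypt=2` attributes, encoded with and without a leading tag byte, plus a receiver that expects salt+ciphertext only. The secret, authenticator, salt and value are constructed; the authenticator is a plain parameter because the thread does not say which value applies in a CoA.

```python
import hashlib

# Constructed sample inputs (not taken from the thread).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
SALT = b"\x80\x01"                      # RFC 2868: high bit of the salt must be set
VALUE = (1).to_bytes(4, "big")          # a 4-byte integer attribute value


def _xor_chain(secret, authenticator, salt, data, decrypt=False):
    """b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1)); XOR each 16-byte block with b(i)."""
    out, prev = b"", authenticator + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(p ^ k for p, k in zip(block, key))
        out += xored
        prev = block if decrypt else xored   # chain on the ciphertext block
    return out


def encode(secret, authenticator, salt, value, tag=None):
    """Return the attribute value: [tag] + salt + ciphertext."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(value)]) + value
    plain += b"\x00" * (-len(plain) % 16)    # pad to a 16-byte multiple
    body = salt + _xor_chain(secret, authenticator, salt, plain)
    return body if tag is None else bytes([tag]) + body


def decode_untagged(secret, authenticator, attr_value):
    """Receiver that expects salt + ciphertext and no tag byte."""
    salt, cipher = attr_value[:2], attr_value[2:]
    if not cipher or len(cipher) % 16 or not salt[0] & 0x80:
        return None                          # malformed for this layout
    plain = _xor_chain(secret, authenticator, salt, cipher, decrypt=True)
    length = plain[0]
    return plain[1:1 + length] if length < len(plain) else None


if __name__ == "__main__":
    for tag in (None, 0x00):
        wire = encode(SECRET, AUTHENTICATOR, SALT, VALUE, tag)
        print(tag, wire.hex(), decode_untagged(SECRET, AUTHENTICATOR, wire))
```

With the extra `00` byte in front, the receiver reads `00 80` as the salt and is left with 17 bytes of ciphertext, so the value is rejected rather than decrypted.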