Juniper CoA mirror attributes

Bjørn Mork bjorn at
Tue Sep 3 08:28:57 CEST 2019

Nathan Ward <lists+freeradius at> writes:

> Working with some colleagues, we have found a breaking change in behaviour between (believe it or not) 2.2.x and 3.0.x for the Juniper mirror attributes, below:
> ATTRIBUTE       ERX-LI-Action                           58      integer encrypt=2
> ATTRIBUTE       ERX-Med-Dev-Handle                      59      octets  encrypt=2
> ATTRIBUTE       ERX-Med-Ip-Address                      60      ipaddr  encrypt=2
> ATTRIBUTE       ERX-Med-Port-Number                     61      integer encrypt=2
> The make_tunnel_password function sets a tag of 00 now for these, where in 2.2.9 it does not. Juniper routers implementing this expect a salt+password, but not tag.
> These attributes are encoded correctly in an Access-Accept, but not in a CoA.

Yes, we found the same issue when we finally migrated to 3.0.   It's
fixed by commit c76bedd797fe ("fix untagged tunnel encrypted attributes
in CoA requests"), which is in 3.0.19.


More information about the Freeradius-Users mailing list