Juniper CoA mirror attributes
Nathan Ward
lists+freeradius at daork.net
Tue Sep 3 08:35:34 CEST 2019
> On 3/09/2019, at 6:28 PM, Bjørn Mork <bjorn at mork.no> wrote:
>
> Nathan Ward <lists+freeradius at daork.net> writes:
>
>> Working with some colleagues, we have found a breaking change in behaviour between (believe it or not) 2.2.x and 3.0.x for the Juniper mirror attributes, below:
>> ATTRIBUTE ERX-LI-Action 58 integer encrypt=2
>> ATTRIBUTE ERX-Med-Dev-Handle 59 octets encrypt=2
>> ATTRIBUTE ERX-Med-Ip-Address 60 ipaddr encrypt=2
>> ATTRIBUTE ERX-Med-Port-Number 61 integer encrypt=2
>>
>> The make_tunnel_password function sets a tag of 00 now for these, where in 2.2.9 it does not. Juniper routers implementing this expect a salt+password, but not tag.
>>
>> These attributes are encoded correctly in an Access-Accept, but not in a CoA.
>
> Yes, we found the same issue when we finally migrated to 3.0. It's
> fixed by commit c76bedd797fe ("fix untagged tunnel encrypted attributes
> in CoA requests"), which is in 3.0.19.
Oh boy, I pulled from my fork, not upstream, so didn’t have the latest code.
Sorry for the noise !
--
Nathan Ward
More information about the Freeradius-Users
mailing list