Juniper CoA mirror attributes
Bjørn Mork
bjorn at mork.no
Tue Sep 3 09:41:02 CEST 2019
Nathan Ward <lists+freeradius at daork.net> writes:
>> On 3/09/2019, at 6:28 PM, Bjørn Mork <bjorn at mork.no> wrote:
>>
>> Nathan Ward <lists+freeradius at daork.net> writes:
>>
>>> Working with some colleagues, we have found a breaking change in behaviour between (believe it or not) 2.2.x and 3.0.x for the Juniper mirror attributes, below:
>>> ATTRIBUTE ERX-LI-Action 58 integer encrypt=2
>>> ATTRIBUTE ERX-Med-Dev-Handle 59 octets encrypt=2
>>> ATTRIBUTE ERX-Med-Ip-Address 60 ipaddr encrypt=2
>>> ATTRIBUTE ERX-Med-Port-Number 61 integer encrypt=2
>>>
>>> The make_tunnel_password function sets a tag of 00 now for these, whereas in 2.2.9 it does not. Juniper routers implementing this expect a salt+password, but not a tag.
>>>
>>> These attributes are encoded correctly in an Access-Accept, but not in a CoA.
>>
>> Yes, we found the same issue when we finally migrated to 3.0. It's
>> fixed by commit c76bedd797fe ("fix untagged tunnel encrypted attributes
>> in CoA requests"), which is in 3.0.19.
>
> Oh boy, I pulled from my fork, not upstream, so didn’t have the latest code.
>
> Sorry for the noise!
To be honest, I am very happy to see that we are not the only ones
depending on this feature combo. I was a little worried there :-)
Bjørn
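
An added example, not part of the original thread and not FreeRADIUS code: a small checker that implements the RFC 2868 section 3.5 salt encryption used by `encrypt=2` attributes and reports whether a captured attribute value is laid out as salt+data (what the Juniper routers are described as expecting) or has a leading tag octet in front of the salt. The function names, shared secret, authenticator, salt and the 4-byte integer value are constructed for illustration.

```python
import hashlib

# Constructed sample values (assumptions, not taken from the thread).
SECRET = b"testing123"
AUTH = bytes(16)           # constructed authenticator used as the MD5 seed
SALT = b"\x80\x01"         # top bit of the first salt octet must be set

def _blocks(data, secret, seed, decrypt):
    """RFC 2868 section 3.5 chain: b(i) = MD5(secret + previous ciphertext block)."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def encode_salted(plain, secret, auth, salt):
    """Return salt + ciphertext, the untagged layout."""
    p = bytes([len(plain)]) + plain      # length octet, then the data
    p += bytes(-len(p) % 16)             # zero-pad to a multiple of 16
    return salt + _blocks(p, secret, auth + salt, decrypt=False)

def decode_salted(value, secret, auth):
    """Return the plaintext, or None if value is not salt + ciphertext."""
    salt, cipher = value[:2], value[2:]
    if len(salt) < 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        return None
    p = _blocks(cipher, secret, auth + salt, decrypt=True)
    return p[1:1 + p[0]] if p[0] < len(p) else None

def classify(value, secret, auth):
    """Tell whether an encrypt=2 value is untagged or has a leading tag octet."""
    plain = decode_salted(value, secret, auth)
    if plain is not None:
        return "untagged", plain
    plain = decode_salted(value[1:], secret, auth)
    return ("tagged", plain) if plain is not None else ("invalid", None)

if __name__ == "__main__":
    good = encode_salted((1).to_bytes(4, "big"), SECRET, AUTH, SALT)
    for name, value in (("salt+data", good), ("00+salt+data", b"\x00" + good)):
        print(name, value.hex(), classify(value, SECRET, AUTH))
```

A receiver that parses the first two octets as the salt rejects the tagged form outright, because the 00 tag lands where the salt's high bit is required.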