FreeRADIUS fails to include attributes in response to a Juniper switch
Matthew Newton
mcn at freeradius.org
Thu Aug 11 13:14:44 UTC 2022
On 11/08/2022 13:23, White, Daniel E. (GSFC-770.0)[AEGIS] via
Freeradius-Users wrote:
> The necessary attribute, Juniper-Local-User-Name, is specified in the users file, but it is not included in the response from FR to the device.
> Is this a vendor-specific attribute or VSA ?
Yes. See dictionary.juniper
> DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
This needs "Fall-Through = Yes" (as other entries), otherwise this line
matches and processing stops.
Or possibly better to put the replies after this line rather than going
through a load of DEFAULT lines - it depends on what you're checking in
LDAP.
I seem to recall that if one line matches the attributes won't be added
until after the files module is complete, so you can't use those
additions as checks on other lines. If that's the case then call ldap
first, then call files separately afterwards, rather than depending on
LDAP-Group to do the lookup.
--
Matthew
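
The two users-file fixes suggested in the reply above, sketched as a `users` file fragment. This is an added example, not the poster's configuration or FreeRADIUS project code: the layout is constructed, only the group DN and the attribute name come from the thread, and "REPLACE-WITH-LOCAL-USER" is a placeholder value.

```text
# Constructed users-file fragment for illustration.
#
# The files module walks entries top to bottom. The first entry whose check
# items match contributes its reply items, and processing stops there unless
# that entry sets Fall-Through = Yes.

# Option 1: keep processing after the group match (commented out here;
# use one option, not both).
# The bare DEFAULT below matches every request that reaches it, so the
# reply is no longer tied to membership of the group.
#
#DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
#        Fall-Through = Yes
#
#DEFAULT
#        Juniper-Local-User-Name := "REPLACE-WITH-LOCAL-USER"

# Option 2: put the reply directly on the entry that checks the group.
# Only members of the group receive the attribute, and no Fall-Through is
# needed because nothing further down has to run for this reply.
DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
        Juniper-Local-User-Name := "REPLACE-WITH-LOCAL-USER"
```

Running the server in debug mode (`radiusd -X`) shows which `users` entries matched, which confirms whether processing reached the entry carrying the reply.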