[EXTERNAL] Re: FreeRADIUS fails to include attributes in response to a Juniper switch

White, Daniel E. (GSFC-770.0)[AEGIS] daniel.e.white at nasa.gov
Thu Aug 11 13:27:07 UTC 2022


I tried commenting it out.
Same failure.

I tried setting the Fall-Through to Yes on the DEFAULT Group-Name = "CN=engineer… line
Same failure.

The user trying to ssh in is a member of the group.

Should I be doing this in the users file or somewhere else?

There is no documentation that I can find about adding VSAs to the response.


From: Freeradius-Users <freeradius-users-bounces+daniel.e.white=nasa.gov at lists.freeradius.org> on behalf of Matthew Newton <mcn at freeradius.org>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Thursday, August 11, 2022 at 09:15
To: "freeradius-users at lists.freeradius.org" <freeradius-users at lists.freeradius.org>
Subject: [EXTERNAL] Re: FreeRADIUS fails to include attributes in response to a Juniper switch

On 11/08/2022 13:23, White, Daniel E. (GSFC-770.0)[AEGIS] via
Freeradius-Users wrote:
The necessary attribute, Juniper-Local-User-Name, is specified in the users file, but it is not included in the response from FR to the device.

Is this a vendor-specific attribute or VSA?

Yes. See dictionary.juniper

DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"

This needs "Fall-Through = Yes" (as other entries), otherwise this line
matches and processing stops.

Or possibly better to put the replies after this line rather than going
through a load of DEFAULT lines - it depends on what you're checking in
LDAP.

I seem to recall that if one line matches the attributes won't be added
until after the files module is complete, so you can't use those
additions as checks on other lines. If that's the case then call ldap
first, then call files separately afterwards, rather than depending on
LDAP-Group to do the lookup.

--
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
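
The matching rule discussed in this thread ("otherwise this line matches and processing stops"), as an added simplified model in Python. It is not FreeRADIUS code and not the poster's configuration; the entry layout, the user names, the value "engineer" and the Idle-Timeout entry are constructed for illustration.

```python
# Simplified model of users-file processing in the FreeRADIUS "files" module.
# Not FreeRADIUS source code. Entries and values below are constructed.
ENGINEER_DN = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"


def process_users(entries, username, groups):
    """Walk entries in file order and return the accumulated reply items."""
    reply = {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", username):
            continue
        group = entry.get("ldap_group")
        if group is not None and group not in groups:
            continue  # check item failed: try the next entry
        fall_through = False
        for attr, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value == "Yes"
            else:
                reply.setdefault(attr, value)  # models "=": add if absent
        if not fall_through:
            break  # matched without Fall-Through: later entries are skipped
    return reply


def sample_entries(group_falls_through):
    """Group entry followed by a catch-all DEFAULT (constructed layout)."""
    group_reply = [("Juniper-Local-User-Name", "engineer")]  # placeholder value
    if group_falls_through:
        group_reply.append(("Fall-Through", "Yes"))
    return [
        {"name": "DEFAULT", "ldap_group": ENGINEER_DN, "reply": group_reply},
        {"name": "DEFAULT", "reply": [("Idle-Timeout", "600")]},
    ]


if __name__ == "__main__":
    member = {ENGINEER_DN}
    print(process_users(sample_entries(False), "alice", member))
    print(process_users(sample_entries(True), "alice", member))
    print(process_users(sample_entries(True), "bob", set()))
```

Reversing the entry order in this model, so that a catch-all DEFAULT without Fall-Through comes first, means the group entry is never evaluated and its reply attribute is absent.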


