[EXTERNAL] FreeRADIUS fails to include attributes in response to a Juniper switch

Alan DeKok aland at deployingradius.com
Thu Aug 11 13:45:47 UTC 2022 

On Aug 11, 2022, at 9:27 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I tried commenting it out.
> Same failure.

  I suggest reading the documentation instead of trying random things.  And paying attention to what you're doing.  Your "users" file entries are mostly wrong.

# DEFAULT Auth-Type := ntlm_auth

bobb Cleartext-Password := "hello"

  Typo in "bobb".  This doesn't affect anything, but it's still a typo.

DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"

  This matches the LDAP group, and then... does nothing.  See the documentation for the "users" file, and look for reply attributes.

  i.e. Why doesn't it send any reply attributes when I don't put reply attributes in the users file?"

  That question answers itself.

  So... put reply attributes here.  As done in the other examples.  As the documentation says.

DEFAULT Framed-Protocol == PPP
       Framed-Protocol = PPP,
       Framed-Compression = Van-Jacobson-TCP-IP

  Old and not necessary.  Delete it.

DEFAULT Hint == "CSLIP"
       Framed-Protocol = SLIP,
       Framed-Compression = Van-Jacobson-TCP-IP

  Old and not necessary.  Delete it.

DEFAULT Hint == "SLIP"
       Framed-Protocol = SLIP

  Old and not necessary.  Delete it.

DEFAULT Group-Name = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
       Juniper-Local-User-Name = "remote-nocengr",
       Service-Type = Login-User,
       Fall-Through = No

  Why "Group-Name", and not "LDAP-Group"?

DEFAULT Group = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
       Juniper-Local-User-Name = "remote-nocengr",
       Service-Type = Login-User,
       Fall-Through = Yes

  Why "Group", and not "LDAP-Group"?

  The documentation makes it clear that "Group" and "Group-Name" is for unix group checking.

  And the main difference between the last two entires is that one has "Fall-Through = yes", and the other has "Fall-Through = no".

  You're randomly using "LDAP-Group", "Group", and "Group-Name" as synonyms.  They're not.  You're randomly adding reply attributes to some users file entries, and then not to others.

  This looks like you're just trying a bunch of things by mashing at the keyboard, and not paying attention to details.  It helps rather a lot to read the docs, to pay attention to details, and to take a careful approach to making changes.

  Alan DeKok.

More information about the Freeradius-Users mailing list