FreeRADIUS fails to include attributes in response to a Juniper switch
White, Daniel E. (GSFC-770.0)[AEGIS]
daniel.e.white at nasa.gov
Fri Aug 12 11:30:43 UTC 2022
On Aug 11, 2022, at 9:27 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
I tried commenting it out.
Same failure.
I suggest reading the documentation instead of trying random things. And paying attention to what you're doing. Your "users" file entries are mostly wrong.
# DEFAULT Auth-Type := ntlm_auth
bobb Cleartext-Password := "hello"
Typo in "bobb". This doesn't affect anything, but it's still a typo.
Not a typo. I used a different name.
DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
This matches the LDAP group, and then... does nothing. See the documentation for the "users" file, and look for reply attributes.
Looking at the man page for users, I now see what you are referring to.
i.e. "Why doesn't it send any reply attributes when I don't put reply attributes in the users file?"
That question answers itself.
So... put reply attributes here. As done in the other examples. As the documentation says.
I am following what was previously done on Cistron RADIUS
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
DEFAULT Group-Name = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
Juniper-Local-User-Name = "remote-nocengr",
Service-Type = Login-User,
Fall-Through = No
Why "Group-Name", and not "LDAP-Group"?
DEFAULT Group = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
Juniper-Local-User-Name = "remote-nocengr",
Service-Type = Login-User,
Fall-Through = Yes
Why "Group", and not "LDAP-Group"?
The documentation makes it clear that "Group" and "Group-Name" are for unix group checking.
And the main difference between the last two entries is that one has "Fall-Through = yes", and the other has "Fall-Through = no".
You're randomly using "LDAP-Group", "Group", and "Group-Name" as synonyms. They're not. You're randomly adding reply attributes to some users file entries, and then not to others.
Please be more specific as to "the documentation". I found "LDAP-Group", "Group", and "Group-Name" referenced in dictionary.freeradius.internal but without any explanation.
This looks like you're just trying a bunch of things by mashing at the keyboard, and not paying attention to details. It helps rather a lot to read the docs, to pay attention to details, and to take a careful approach to making changes.
Where is the documentation about adding VSAs to the RADIUS response, please?
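For readers of this thread, the following users file entry is an added example (not from the thread, not from the FreeRADIUS project) that puts together what the replies above say: the check item (LDAP-Group) goes on the first line, and the reply attributes the switch should receive go, indented, on the lines below it. The group DN and the Juniper-Local-User-Name value are the ones already shown in the thread; the entry assumes the ldap module is listed in the authorize section of the site so that LDAP-Group is actually evaluated, and that the Juniper dictionary is loaded so the VSA name resolves.

```text
# Check items: first line, space-separated after the name ("DEFAULT" matches any user).
# Reply items: indented continuation lines, comma-terminated except the last one.
# Assumes "ldap" is present in authorize {} so LDAP-Group is populated for this request.
DEFAULT	LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
	Juniper-Local-User-Name = "remote-nocengr",
	Service-Type = Login-User,
	Fall-Through = No
```

To confirm the attributes are actually being returned, run the server in debug mode (radiusd -X) and send a test request with radtest; the debug output shows whether the LDAP-Group check matched and lists every attribute in the Access-Accept, which is the quickest way to tell a users file entry that matched but replied with nothing from one that never matched at all.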