Correct way to deal with an 'incorrect' dictionary shipped by default
Coy Hile (BLOOMBERG/ 919 3RD A)
chile1 at bloomberg.net
Thu Feb 20 12:51:03 UTC 2025
Hi,
Recently (well, in the last year and a half or so) we got bit by FreeRADIUS shipping a 'dictionary.infinera' that's incorrect. Looking at the file, we see it's for vendor ID 8708 which according to IANA is "Lumentis AB". https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.infinera
The actual Infinera dictionary (as given to our network team by the vendor) contains this data by contrast:
# -*- text -*-
# Dictionary for Infinera
#
#
VENDOR Infinera 21296
BEGIN-VENDOR Infinera
ATTRIBUTE Infinera-User-Priv-SA 1 integer
ATTRIBUTE Infinera-User-Priv-NA 2 integer
ATTRIBUTE Infinera-User-Priv-NE 3 integer
ATTRIBUTE Infinera-User-Priv-PR 4 integer
ATTRIBUTE Infinera-User-Priv-TT 5 integer
ATTRIBUTE Infinera-User-Priv-MA 6 integer
ATTRIBUTE Infinera-User-Priv-RA 7 integer
ATTRIBUTE Infinera-User-Priv-EA 8 integer
ATTRIBUTE Infinera-User-SessionTimeout 17 integer
ATTRIBUTE Infinera-User-LockedOut 18 integer
ATTRIBUTE Infinera-User-CanUseResSession 19 integer
ATTRIBUTE Infinera-User-MgtType-EMS 33 integer
ATTRIBUTE Infinera-User-MgtType-GNM 34 integer
ATTRIBUTE Infinera-User-MgtType-TL1 35 integer
ATTRIBUTE Infinera-User-MgtType-CLI 36 integer
ATTRIBUTE Infinera-User-MgtType-NETCONF 37 integer
ATTRIBUTE Infinera-Rsvd-Str-Attribute1 240 string
ATTRIBUTE Infinera-Rsvd-Str-Attribute2 241 string
ATTRIBUTE Infinera-Rsvd-Int-Attribute1 249 integer
ATTRIBUTE Infinera-Rsvd-Int-Attribute2 250 integer
VALUE Infinera-User-Priv-NE NE-NONPRIVILEGED 0
VALUE Infinera-User-Priv-NE NE-PRIVILEGED 1
VALUE Infinera-User-Priv-PR PR-NONPRIVILEGED 0
VALUE Infinera-User-Priv-PR PR-PRIVILEGED 1
VALUE Infinera-User-Priv-TT TT-NONPRIVILEGED 0
VALUE Infinera-User-Priv-TT TT-PRIVILEGED 1
VALUE Infinera-User-Priv-MA MA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-MA MA-PRIVILEGED 1
VALUE Infinera-User-Priv-RA RA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-RA RA-PRIVILEGED 1
VALUE Infinera-User-Priv-EA EA-NONPRIVILEGED 0
VALUE Infinera-User-Priv-EA EA-PRIVILEGED 1
VALUE Infinera-User-CanUseResSession CANNOT-USE-RES-SESSION 0
VALUE Infinera-User-CanUseResSession CAN-USE-RES-SESSION 1
VALUE Infinera-User-MgmtType-EMS MGMTTYPE-EMS-DISALLOWED 0
VALUE Infinera-User-MgmtType-EMS MGMTTYPE-EMS-ALLOWED 1
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-GNM-DISALLOWED 0
VALUE Infinera-User-MgmtType-GNM MGMTTYPE-GNM-ALLOWED 1
VALUE Infinera-User-MgmtType-TL1 MGMTTYPE-TL1-DISALLOWED 0
VALUE Infinera-User-MgmtType-TL1 MGMTTYPE-TL1-ALLOWED 1
VALUE Infinera-User-MgmtType-CLI MGMTTYPE-CLI-DISALLOWED 0
VALUE Infinera-User-MgmtType-CLI MGMTTYPE-CLI-ALLOWED 1
VALUE Infinera-User-MgmtType-NETCONF MGMTTYPE-NETCONF-DISALLOWED 0
VALUE Infinera-User-MgmtType-NETCONF MGMTTYPE-NETCONF-ALLOWED 1
END-VENDOR Infinera
That vendor ID according to IANA is actually "Infinera". I've managed to work around this by putting a hack in our RADIUS dictionary installation workflow to remove the shipped dictionary.infinera file from the shipped dictionary file, but that seems like a hack at best. It means that someone from my team has to remember to run that workflow every time a box gets touched by patching automation since an updated FreeRADIUS RPM showing up from Red Hat--or soon from your official packages--will overwrite our working copy.
Is there a better way we should handle this?
Thanks,
-Coy
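
A pre-deployment check for a replacement dictionary like the one quoted above, as an added example that is not part of the original post and not a FreeRADIUS tool: it parses the VENDOR, ATTRIBUTE and VALUE lines, compares the vendor number with the expected IANA enterprise number, and reports VALUE lines whose attribute has no ATTRIBUTE definition. The helper name lint_dictionary is hypothetical, and the embedded sample is a short excerpt of the dictionary in the post.

```python
# Added example: lint a FreeRADIUS-style dictionary before deploying it.
# lint_dictionary() is a hypothetical helper name, not a FreeRADIUS tool.

# Excerpt of the vendor dictionary quoted in the post (lines copied verbatim).
SAMPLE = """\
VENDOR Infinera 21296
BEGIN-VENDOR Infinera
ATTRIBUTE Infinera-User-Priv-NE 3 integer
ATTRIBUTE Infinera-User-MgtType-EMS 33 integer
VALUE Infinera-User-Priv-NE NE-PRIVILEGED 1
VALUE Infinera-User-MgmtType-EMS MGMTTYPE-EMS-ALLOWED 1
END-VENDOR Infinera
"""

def lint_dictionary(text, expected_pen=None):
    """Return sorted (line_no, message) findings for one dictionary file."""
    findings, vendors, attrs, numbers, values = [], {}, set(), {}, []
    current = None  # vendor named by the enclosing BEGIN-VENDOR, if any
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        kw = fields[0].upper()
        if kw == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = int(fields[2])
            if expected_pen is not None and vendors[fields[1]] != expected_pen:
                findings.append((no, f"vendor {fields[1]} uses PEN {fields[2]}, expected {expected_pen}"))
        elif kw == "BEGIN-VENDOR" and len(fields) >= 2:
            current = fields[1]
            if current not in vendors:
                findings.append((no, f"BEGIN-VENDOR {current} has no VENDOR line"))
        elif kw == "END-VENDOR":
            current = None
        elif kw == "ATTRIBUTE" and len(fields) >= 4:
            key = (current, fields[2])  # attribute numbers are per vendor
            if key in numbers:
                findings.append((no, f"number {fields[2]} already used by {numbers[key]}"))
            numbers.setdefault(key, fields[1])
            attrs.add(fields[1])
        elif kw == "VALUE" and len(fields) >= 4:
            values.append((no, fields[1]))
    # Check VALUE references after the whole file is read, so order does not matter.
    for no, name in values:
        if name not in attrs:
            findings.append((no, f"VALUE names undefined attribute {name}"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, message in lint_dictionary(SAMPLE, expected_pen=21296):
        print(f"line {line_no}: {message}")
```

On the excerpt, the one finding comes from the ATTRIBUTE lines being spelled MgtType while the VALUE lines are spelled MgmtType. Passing expected_pen=8708 instead additionally flags the VENDOR line.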