[j-nsp] Funk RADIUS authorization

From: Stephen Gill (gillsr@yahoo.com)
Date: Mon Nov 05 2001 - 18:29:55 EST


All,
I have come across an interoperability issue (it seems) between Juniper
routers and Funk Steel-Belted RADIUS. When attempting to authenticate
from the router (JUNOS 5.0R2.4), only authentication functions properly
and the Funk server sends an accept packet to the client w/o attributes.
None of the three vendor specific attributes are returned to the client,
including: Juniper-Allow-Commands, Juniper-Deny-Commands, and
Juniper-Local-User-Name. A sniffer trace reveals that the request that
originates from JUNOS includes a "service-type" attribute with a value
of 8 (authenticate-only).

According to RFC2138, section 5.6, this means:

Authenticate Only: Only Authentication is requested, and no
authorization information needs to be returned in the Access-Accept
(typically used by proxy servers rather than the NAS itself).
[http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2138.html#sec-5.6]

Now, the question is, shouldn't the Juniper vendor specific RADIUS
attributes be treated as authorization information, and if so, shouldn't
the Juniper router be sending a request with a different "service-type"?

http://www.juniper.net/techpubs/software/junos50/swconfig50-getting-started/html/sys-mgmt-authentication2.html

Comments?
-- steve
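
Added example (not part of the original post): a small parser that pulls Service-Type (attribute 6) and the Juniper vendor-specific attributes (attribute 26) out of raw RADIUS packets, to check a capture for the condition described above. The packets are constructed samples, not the sniffer trace from the post; vendor ID 2636 and sub-attribute numbers 1 to 3 follow Juniper's published RADIUS dictionary, and the helper names are hypothetical.

```python
import struct

JUNIPER_VENDOR_ID = 2636  # Juniper's IANA enterprise number
JUNIPER_VSA = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands",
               3: "Juniper-Deny-Commands"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def attr(attr_type, value):
    """Encode one type/length/value attribute."""
    return bytes([attr_type, len(value) + 2]) + value

def packet(code, ident, attrs):
    """Build a packet with a zeroed authenticator (constructed sample only)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def juniper_vsa(sub_type, text):
    vendor = struct.pack("!I", JUNIPER_VENDOR_ID)
    return attr(26, vendor + attr(sub_type, text.encode()))

def parse(pkt):
    """Return (packet type, Service-Type or None, {Juniper VSA name: value})."""
    if len(pkt) < 20 or not 20 <= int.from_bytes(pkt[2:4], "big") <= len(pkt):
        raise ValueError("bad RADIUS length")
    code, length = pkt[0], int.from_bytes(pkt[2:4], "big")
    service_type, vsas, pos = None, {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, value = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
        if attr_type == 6 and len(value) == 4:          # Service-Type
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == 26 and len(value) >= 6:       # Vendor-Specific
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while vendor == JUNIPER_VENDOR_ID and len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                name = JUNIPER_VSA.get(sub[0], "Juniper-%d" % sub[0])
                vsas[name] = sub[2:sub[1]].decode("ascii", "replace")
                sub = sub[sub[1]:]
    return CODES.get(code, str(code)), service_type, vsas

def authorization_missing(request, accept):
    """True for the case in the post: Authenticate-Only request, bare accept."""
    return parse(request)[1] == 8 and parse(accept) == ("Access-Accept", None, {})

# Constructed packets, not taken from the sniffer trace in the post.
REQUEST = packet(1, 7, [attr(1, b"steve"), attr(6, struct.pack("!I", 8))])
ACCEPT_BARE = packet(2, 7, [])
ACCEPT_WITH_VSAS = packet(2, 7, [juniper_vsa(1, "remote-admin"), juniper_vsa(2, "show .*")])
```
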



