[j-nsp] FW: [j-nsp] Funk RADIUS authorization

From: Mitch Parent (mparent@juniper.net)
Date: Mon Nov 05 2001 - 21:16:32 EST


Stephen,

I have tested JUNOS 5.0R2.4 with Funk's Steel Belted Radius using the Juniper-Local-User-Name attribute and it worked fine. However, I have sniffed Juniper radius packets before and I have noticed that the service-type is authentication only.
-Mitch
-----Original Message-----
From: Stephen Gill [mailto:gillsr@yahoo.com]
Sent: Monday, November 05, 2001 5:30 PM
To: 'puck'
Subject: [j-nsp] Funk RADIUS authorization

All,
I have come across an interoperability issue (it seems) between Juniper routers and Funk Steel-Belted RADIUS. When attempting to authenticate from the router (JUNOS 5.0R2.4), only authentication functions properly and the Funk server sends an accept packet to the client w/o attributes. None of the three vendor specific attributes are returned to the client, including: Juniper-Allow-Commands, Juniper-Deny-Commands, and Juniper-Local-User-Name. A sniffer trace reveals that the request that originates from JUNOS includes a "service-type" attribute with a value of 8 (authenticate-only).
According to RFC2138, section 5.6, this means:
Authenticate Only: Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself). [http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2138.html#sec-5.6]
Now, the question is, shouldn't the Juniper vendor specific RADIUS attributes be treated as authorization information, and if so, shouldn't the Juniper router be sending a request with a different "service-type"?
http://www.juniper.net/techpubs/software/junos50/swconfig50-getting-started/html/sys-mgmt-authentication2.html
Comments?
* steve

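The following is an added example, not code from either message or from Juniper or Funk. It builds and parses RADIUS packets of the shape the thread describes (RFC 2138 framing: code, identifier, length, 16-byte authenticator, then type/length/value attributes), reads the Service-Type attribute out of a constructed Access-Request, and decodes Juniper sub-attributes from a Vendor-Specific (type 26) attribute in an Access-Accept. The Juniper enterprise number 2636 and the sub-attribute numbers 1, 2 and 3 for Juniper-Local-User-Name, Juniper-Allow-Commands and Juniper-Deny-Commands are assumptions taken from Juniper's public RADIUS dictionary; the packets, user name and command regexes are constructed, and the authenticator is zeroed rather than computed.

```python
import struct

# RADIUS attribute types from RFC 2138
USER_NAME = 1
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
AUTHENTICATE_ONLY = 8  # Service-Type value seen in the JUNOS request

# Assumption: Juniper's enterprise number and sub-attribute numbers as in its
# public RADIUS dictionary (not quoted in the thread).
JUNIPER_VENDOR_ID = 2636
JUNIPER_VSA_NAMES = {
    1: "Juniper-Local-User-Name",
    2: "Juniper-Allow-Commands",
    3: "Juniper-Deny-Commands",
}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def build_packet(code, ident, attrs, authenticator=bytes(16)):
    """Serialise code, id, length, authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def juniper_vsa(vendor_type, value):
    """Wrap one Juniper sub-attribute in a Vendor-Specific (26) attribute."""
    v = value.encode()
    inner = struct.pack("!IBB", JUNIPER_VENDOR_ID, vendor_type, len(v) + 2) + v
    return (VENDOR_SPECIFIC, inner)


def parse_packet(data):
    """Parse header and attribute list; refuse inconsistent lengths rather than over-read."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:  # l < 2 would otherwise loop forever
            raise ValueError(f"bad attribute length {l} at offset {pos}")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs


def service_type(attrs):
    """Return the integer Service-Type value, or None if the attribute is absent."""
    for t, v in attrs:
        if t == SERVICE_TYPE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def decode_juniper_vsas(attrs):
    """Return {name: value} for each Juniper sub-attribute found in type-26 attributes."""
    found = {}
    for t, v in attrs:
        if t != VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(v):
            vt, vl = v[pos], v[pos + 1]
            if vl < 2 or pos + vl > len(v):
                break  # malformed sub-attribute: stop instead of reading past the value
            name = JUNIPER_VSA_NAMES.get(vt, f"Juniper-VSA-{vt}")
            found[name] = v[pos + 2:pos + vl].decode("utf-8", errors="replace")
            pos += vl
    return found


def analyse_exchange(request, accept):
    """Summarise what the request asked for and what authorization the accept carried."""
    req_code, _, req_attrs = parse_packet(request)
    acc_code, _, acc_attrs = parse_packet(accept)
    st = service_type(req_attrs)
    return {
        "request": CODES.get(req_code, req_code),
        "response": CODES.get(acc_code, acc_code),
        "service_type": st,
        "authenticate_only": st == AUTHENTICATE_ONLY,
        # RFC 2138 5.6: with Authenticate-Only the server need not return authorization
        "authorization_expected": st != AUTHENTICATE_ONLY,
        "juniper_attrs": decode_juniper_vsas(acc_attrs),
    }


# Constructed sample packets (not captured traffic): the request as the post
# describes it, the bare accept the server returned, and an accept carrying the VSAs.
REQUEST = build_packet(1, 7, [
    (USER_NAME, b"stephen"),
    (SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY)),
])
BARE_ACCEPT = build_packet(2, 7, [])
FULL_ACCEPT = build_packet(2, 7, [
    juniper_vsa(1, "remote-ops"),
    juniper_vsa(2, "show .*"),
    juniper_vsa(3, "request system .*"),
])

if __name__ == "__main__":
    for label, acc in (("observed", BARE_ACCEPT), ("with authorization", FULL_ACCEPT)):
        print(label, analyse_exchange(REQUEST, acc))
```

Run against the "observed" pair, `analyse_exchange` reports `authenticate_only: True`, `authorization_expected: False` and an empty `juniper_attrs`, which is the RFC-sanctioned outcome the post describes; only the second pair shows the three Juniper attributes a router would need for command authorization. The parser's length checks matter in practice: a type/length/value loop that accepts a length field below 2 never advances, and one that trusts the packet's own length field reads past the datagram.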



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT