RE: [j-nsp] Funk RADIUS authorization

From: Stephen Gill (gillsr@yahoo.com)
Date: Mon Nov 05 2001 - 21:45:07 EST


Functionality seems to have changed from Funk Steel-Belted RADIUS 2.27
to 3.0 in how the "service-type:authentication-only" attribute is
handled. Version 2.27 works fine even though this attribute is sent
from the Juniper router, whereas version 3.0 does not (it does not send
back ANY attributes).

Should this attribute in a RADIUS request packet cause a RADIUS server
to ignore the sending of subsequent attributes in a return message? I
would think that the vendor attributes would be considered authorization
information and thus not be returned, since that was specifically
requested.

-- steve

> -----Original Message-----
> From: Stephen Gill [mailto:gillsr@yahoo.com]
> Sent: Monday, November 05, 2001 5:30 PM
> To: 'puck'
> Subject: [j-nsp] Funk RADIUS authorization
>
> All,
> I have come across an interoperability issue (it seems) between Juniper
> routers and Funk Steel-Belted RADIUS. When attempting to authenticate
> from the router (JUNOS 5.0R2.4), only authentication functions properly
> and the Funk server sends an accept packet to the client w/o attributes.
> None of the three vendor specific attributes are returned to the client,
> including: Juniper-Allow-Commands, Juniper-Deny-Commands, and
> Juniper-Local-User-Name. A sniffer trace reveals that the request that
> originates from JUNOS includes a "service-type" attribute with a value
> of 8 (authenticate-only).
>
> According to RFC2138, section 5.6, this means:
>
> Authenticate Only: Only Authentication is requested, and no
> authorization information needs to be returned in the Access-Accept
> (typically used by proxy servers rather than the NAS itself).
> [http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2138.html#sec-5.6]
>
> Now, the question is, shouldn't the Juniper vendor specific RADIUS
> attributes be treated as authorization information, and if so, shouldn't
> the Juniper router be sending a request with a different "service-type"?
>
> http://www.juniper.net/techpubs/software/junos50/swconfig50-getting-started/html/sys-mgmt-authentication2.html
>
> Comments?
> -- steve




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT
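The sniffer-trace check described in the thread, written as an added example that is not part of the original posts: it parses a request and its accept, reports whether Service-Type was 8 (Authenticate-Only), and lists any Juniper vendor-specific attributes in the reply. Assumptions: the Juniper vendor ID (2636) and sub-attribute numbers 1 to 3 come from Juniper's RADIUS dictionary rather than from the thread, and the packets are constructed samples with zeroed authenticators and made-up values (`operator`, `show .*`).

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26   # standard RADIUS attribute types
AUTHENTICATE_ONLY = 8                   # Service-Type value seen in the trace
JUNIPER_VENDOR_ID = 2636                # assumption: Juniper's enterprise number
JUNIPER_VSAS = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands", 3: "Juniper-Deny-Commands"}

def parse_attributes(packet):
    """Return (code, [(type, value), ...]); reject malformed length fields."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = [], 20                  # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return packet[0], attrs

def juniper_vsas(attrs):
    """Decode Juniper sub-attributes carried inside Vendor-Specific (26)."""
    found = {}
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", JUNIPER_VENDOR_ID):
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            name = JUNIPER_VSAS.get(sub[0], "Juniper-%d" % sub[0])
            found[name] = sub[2:sub[1]].decode(errors="replace")
            sub = sub[sub[1]:]
    return found

def diagnose(request, accept):           # pair a request with its reply
    _, req = parse_attributes(request)
    code, acc = parse_attributes(accept)
    auth_only = (SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY)) in req
    return {"authenticate_only": auth_only, "accepted": code == 2, "juniper_vsas": juniper_vsas(acc)}

def build(code, attrs):                  # helper for the constructed samples
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def vsa(sub_type, data):                 # one Juniper sub-attribute in attribute 26
    return (VENDOR_SPECIFIC, struct.pack("!IBB", JUNIPER_VENDOR_ID, sub_type, len(data) + 2) + data)

# Constructed samples, not captured traffic: request with Service-Type 8, then two replies.
REQUEST = build(1, [(1, b"steve"), (SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY))])
ACCEPT_BARE = build(2, [])               # accept with no attributes, as reported for 3.0
ACCEPT_WITH_VSAS = build(2, [vsa(1, b"operator"), vsa(2, b"show .*")])
```

`diagnose(REQUEST, ACCEPT_BARE)` reproduces the reported symptom: an accepted Authenticate-Only request whose reply carries no Juniper attributes.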