[j-nsp] Ascend-??? radius attributes on Juniper ERX

Goldschmidt, Bernd bernd.goldschmidt at siemens.com
Wed Mar 29 08:35:31 EST 2006


Attached a trace.

Frame 78 is the response for user ascend3, which will _not_ work with the ERX.
Frame 230 is the response for user ascend2, which works fine with the ERX.

As you can see, the ERX does not expect the vendor-specific attribute 26-x; it expects attribute 242.

Does that help?

Regards
Bernd.

#############################################################################
renke:/home/siemens # more ascend.txt
Frame 78 (103 bytes on wire, 103 bytes captured)
    Arrival Time: Apr  1, 2006 00:51:30.778418000
    Time delta from previous packet: 6.747703000 seconds
    Time relative to first packet: 6.747703000 seconds
    Frame Number: 78
    Packet Length: 103 bytes
    Capture Length: 103 bytes
Ethernet II, Src: 00:10:5a:f6:c9:61, Dst: 00:90:1a:41:8e:34
    Destination: 00:90:1a:41:8e:34 (Unispher_41:8e:34)
    Source: 00:10:5a:f6:c9:61 (3com_f6:c9:61)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.2.6 (192.168.2.6), Dst Addr: 192.168.2.4 (192.168.2.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 89
    Identification: 0x5714
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x5e25 (correct)
    Source: 192.168.2.6 (192.168.2.6)
    Destination: 192.168.2.4 (192.168.2.4)
User Datagram Protocol, Src Port: radius (1812), Dst Port: mrt (50000)
    Source port: radius (1812)
    Destination port: mrt (50000)
    Length: 69
    Checksum: 0x9506 (correct)
Radius Protocol
    Code: Access Accept (2)
    Packet identifier: 0x19 (25)
    Length: 61
    Authenticator
    Attribute value pairs
        t:Vendor Specific(26) l:41, Vendor:Ascend(529)
            t:Ascend Data Filter(242) l:35, Value:697020696E2064726F70206473746970203231372E38392E32392E3234372F3332

Frame 230 (96 bytes on wire, 96 bytes captured)
    Arrival Time: Apr  1, 2006 00:51:39.682985000
    Time delta from previous packet: 8.904567000 seconds
    Time relative to first packet: 15.652270000 seconds
    Frame Number: 230
    Packet Length: 96 bytes
    Capture Length: 96 bytes
Ethernet II, Src: 00:10:5a:f6:c9:61, Dst: 00:90:1a:41:8e:34
    Destination: 00:90:1a:41:8e:34 (Unispher_41:8e:34)
    Source: 00:10:5a:f6:c9:61 (3com_f6:c9:61)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.2.6 (192.168.2.6), Dst Addr: 192.168.2.4 (192.168.2.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 82
    Identification: 0x5734
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x5e0c (correct)
    Source: 192.168.2.6 (192.168.2.6)
    Destination: 192.168.2.4 (192.168.2.4)
User Datagram Protocol, Src Port: radius (1812), Dst Port: mrt (50000)
    Source port: radius (1812)
    Destination port: mrt (50000)
    Length: 62
    Checksum: 0x5ec6 (correct)
Radius Protocol
    Code: Access Accept (2)
    Packet identifier: 0x1a (26)
    Length: 54
    Authenticator
    Attribute value pairs
        t:Unknown Type(242) l:34, Value:Unknown Value Type
renke:/home/siemens #
 

################################################################################
ascend2         Auth-Type := local, User-Password == "ascend"
                X-Ascend-Data-Filter = "ip in drop dstip 100.9.2.24/32"

ascend3         Auth-Type := local, User-Password == "ascend"
                Ascend-Data-Filter = "ip in drop dstip 100.9.2.24/32"


> -----Original Message-----
> From: Blaz Zupan [mailto:blaz at amis.net] 
> Sent: Wednesday, March 29, 2006 3:10 PM
> To: Goldschmidt, Bernd
> Cc: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Ascend-??? radius attributes on Juniper ERX
> 
> > the ERX expects the Ascend-Data-Filter in a special attribute format (abinary).
> > If the format is incorrect, the ERX will ignore the Attribute, see the test below.
> > We use a free-radius in our lab.
> 
> Thanks, but we use Radiator for our radius server that automatically converts
> the Ascend-Data-Filter from readable text to the unreadable hex codes. And as
> I said, the same radius profile works just fine with both a Cisco BRAS and an
> Ascend/Lucent Max dialup access server.
> 
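
An added example, not part of the original post or of any vendor's tooling: a small Python parser that rebuilds the two Access-Accept packets from the field values in the trace above and reports how each one carries the data filter, inside the Ascend VSA (type 26, vendor 529) or as a native attribute 242, and whether the value is readable text or binary. The authenticator and the 32 value bytes of frame 230 are not shown in the trace, so zeroed placeholders are assumed for them.

```python
import struct

ASCEND_VENDOR = 529   # "Vendor:Ascend(529)" in frame 78
DATA_FILTER = 242     # Ascend Data Filter type number, seen in both frames

def parse_avps(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def encoding(value):
    """'text' if every byte is printable ASCII (filter sent unconverted), else 'binary'."""
    return "text" if value and all(32 <= b < 127 for b in value) else "binary"

def data_filters(packet):
    """Return [(encapsulation, encoding, value)] for each data filter in the packet."""
    found = []
    for atype, value in parse_avps(packet):
        if atype == DATA_FILTER:                       # native attribute 242
            found.append(("native-242", encoding(value), value))
        elif atype == 26 and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == ASCEND_VENDOR:
            sub = value[4:]                            # vendor sub-attributes
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] == DATA_FILTER:
                    found.append(("vsa-26/529", encoding(sub[2:sub[1]]), sub[2:sub[1]]))
                sub = sub[sub[1]:]
    return found

def build(ident, avps):
    """Constructed Access-Accept (code 2) with a zeroed placeholder authenticator."""
    return struct.pack("!BBH", 2, ident, 20 + len(avps)) + bytes(16) + avps

# Frame 78: identifier, lengths and value bytes as shown in the trace.
TEXT_FILTER = bytes.fromhex("697020696E2064726F702064737469"
                            "70203231372E38392E32392E3234372F3332")
FRAME_78 = build(0x19, bytes([26, 41]) + struct.pack("!I", 529) + bytes([242, 35]) + TEXT_FILTER)
# Frame 230: the trace gives only "l:34"; the 32 value bytes are a constructed placeholder.
FRAME_230 = build(0x1A, bytes([242, 34]) + bytes(32))

if __name__ == "__main__":
    for name, pkt in (("frame 78", FRAME_78), ("frame 230", FRAME_230)):
        print(name, [(enc, kind) for enc, kind, _ in data_filters(pkt)])
```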


