Guys,
I'm currently setting up Juniper E-Series devices to authenticate
against FreeRadius using rlm_ldap (OpenLDAP). I currently have:

radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1

in my schema to allow for access levels, etc. The entire schema is:

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}GyUvGheeeWsR5Y/rofdfYtbDDdQAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

However, I noticed in the dictionary.erx the following:

#  As a note on ERX broken-ness, If you don't send a Framed-IP-Address
#  in the Access-Accept packet, the ERX disconnects the user, and
#  sends an Accounting-Request packet with Acct-Status-Type = Stop
#
#  It does NOT send a 'Start' packet, so this behaviour confuses the
#  heck out of most admins, who do everything right, but have the ERX
#  do stupid things.
#
#

Do I need to add anything else to my LDAP schema/config files in order 
to get this to work? I'm not quite sure I understand what the caption
from the dictionary.erx file is telling me. Thanks for any help...

Robert


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
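As an added illustration (not part of the post above, and not FreeRADIUS or rlm_ldap code), the script below reads an LDIF entry like the one in the post, splits each radiusReplyItem value into the "Attribute op value" triple that rlm_ldap hands to the reply list, and then checks whether the reply set contains Framed-IP-Address, the attribute the quoted dictionary.erx comment says the ERX expects in an Access-Accept. The sample entry is constructed from the post; the required-attribute list is an assumption taken only from that dictionary comment, and the LDIF reader is deliberately minimal (one entry, no base64 values).

```python
"""Parse rlm_ldap radiusReplyItem values from an LDIF entry and check the
resulting reply set for attributes the ERX dictionary note calls out.
Example code written for this page; not FreeRADIUS's own parser."""
import re
from typing import Dict, List, Tuple

# Constructed sample, reduced from the entry in the post.
SAMPLE_LDIF = """\
dn: uid=homer, ou=people, dc=test, dc=net
objectclass: radiusprofile
uid: homer
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1
"""

# "Attribute op value": the operators FreeRADIUS accepts in a pair list.
PAIR_RE = re.compile(
    r'^\s*([A-Za-z0-9._-]+)\s*(:=|\+=|==|=|!=|>=|<=|=~|!~)\s*(.*?)\s*$')


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal single-entry LDIF reader: folds continuation lines (leading
    space) and returns attribute -> values with names lowercased."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw.strip():
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(':')   # first ':' separates the name
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_reply_items(attrs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Turn each radiusReplyItem into (attribute, operator, value), dropping
    the surrounding double quotes that string values carry."""
    items: List[Tuple[str, str, str]] = []
    for item in attrs.get('radiusreplyitem', []):
        m = PAIR_RE.match(item)
        if not m:
            raise ValueError(f'unparseable radiusReplyItem: {item!r}')
        attr, op, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        items.append((attr, op, value))
    return items


# Assumption drawn from the dictionary.erx comment: the ERX wants a
# Framed-IP-Address in the Access-Accept.
REQUIRED = ('Framed-IP-Address',)


def missing_required(items: List[Tuple[str, str, str]],
                     required: Tuple[str, ...] = REQUIRED) -> List[str]:
    """Names from `required` that no reply item sets (case-insensitive)."""
    present = {attr.lower() for attr, _, _ in items}
    return [r for r in required if r.lower() not in present]


if __name__ == '__main__':
    entry = parse_ldif(SAMPLE_LDIF)
    reply = parse_reply_items(entry)
    for attr, op, value in reply:
        print(f'{attr} {op} {value}')
    print('missing from reply:', missing_required(reply))
```

Run against the sample entry it lists the five reply pairs and reports Framed-IP-Address as missing; append a `radiusReplyItem: Framed-IP-Address := <addr>` line to the entry and the check comes back empty. Whether that attribute is really needed for the CLI access-level case in the post is exactly the question being asked, so treat the check as a way to see what the reply will contain, not as an answer.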