Guys, I'm currently setting up Juniper E-Series devices to authenticate against FreeRadius using rlm_ldap (OpenLDAP). I currently have:
radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1

in my schema to allow for access levels, etc. The entire schema is:

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}GyUvGheeeWsR5Y/rofdfYtbDDdQAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

However, I noticed in the dictionary.erx the following:

# As a note on ERX broken-ness, If you don't send a Framed-IP-Address
# in the Access-Accept packet, the ERX disconnects the user, and
# sends an Accounting-Request packet with Acct-Status-Type = Stop
#
# It does NOT send a 'Start' packet, so this behaviour confuses the
# heck out of most admins, who do everything right, but have the ERX
# do stupid things.
#

Do I need to add anything else to my LDAP schema/config files in order to get this to work? I'm not quite sure I understand what the caption from the dictionary.erx file is telling me. Thanks for any help...

Robert

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
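As an added example (not part of Robert's post, and not FreeRADIUS or OpenLDAP code), here is a small offline check one can run over an LDIF export before loading it into the directory: it parses each entry, splits every radiusReplyItem into attribute, operator and value the way rlm_ldap's "Attribute op Value" syntax reads it, and applies the rule quoted from dictionary.erx, warning when a profile carries ERX-* reply items but no Framed-IP-Address in the Access-Accept. The sample LDIF is constructed (a trimmed copy of the entry above with the password hash replaced by a placeholder); the function names and the warning text are this example's own.

```python
import base64
import re

# Constructed sample LDIF, trimmed from the entry in the post; the password hash is a placeholder.
SAMPLE_LDIF = """\
dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
userpassword: {SSHA}PLACEHOLDER-HASH
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
"""

# "Attribute op Value" as used in radiusReplyItem / radiusCheckItem values.
# "==" is listed before "=" so the alternation does not stop at the first character.
REPLY_ITEM_RE = re.compile(
    r'^\s*(?P<attr>[A-Za-z0-9\-]+)\s*(?P<op>:=|\+=|==|=|!=)\s*(?P<value>.+?)\s*$'
)


def parse_ldif_entries(text):
    """Parse a simple LDIF text into [(dn, {attr_lower: [values]}), ...].

    Handles blank-line entry separators, '#' comments, leading-space
    continuation lines and '::' base64 values. Attribute names are
    lowercased because LDAP attribute names are case-insensitive.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr is not None:
            current["attrs"][last_attr][-1] += line[1:]  # folded line
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name == "dn":
            current, last_attr = {"dn": value, "attrs": {}}, None
            continue
        if current is None:
            continue
        current["attrs"].setdefault(name, []).append(value)
        last_attr = name
    if current is not None:
        entries.append(current)
    return [(e["dn"], e["attrs"]) for e in entries]


def parse_reply_items(attrs):
    """Split each radiusReplyItem into (attribute, operator, value); quotes are stripped."""
    items = []
    for raw in attrs.get("radiusreplyitem", []):
        m = REPLY_ITEM_RE.match(raw)
        if m is None:
            raise ValueError("malformed radiusReplyItem: %r" % raw)
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        items.append((m.group("attr"), m.group("op"), value))
    return items


def check_erx_profile(items):
    """Return warnings for a reply list, following the dictionary.erx note quoted in the post:
    an Access-Accept for an ERX without Framed-IP-Address leads to a disconnect and a lone
    Accounting Stop. The rule and wording are this example's own reading of that note."""
    names = {attr for attr, _, _ in items}
    warnings = []
    if any(n.startswith("ERX-") for n in names) and "Framed-IP-Address" not in names:
        warnings.append(
            "ERX-* reply items present but no Framed-IP-Address: per dictionary.erx the ERX "
            "disconnects the user and sends only an Accounting-Request with Acct-Status-Type = Stop"
        )
    return warnings


def audit_ldif(text):
    """Map each DN to the warnings its reply items produce."""
    return {dn: check_erx_profile(parse_reply_items(attrs)) for dn, attrs in parse_ldif_entries(text)}


if __name__ == "__main__":
    for dn, warns in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", warns or "ok")
```

Run it against an `ldapsearch -LLL` dump of the ou=people subtree and review the DNs that print a warning; the check is deliberately conservative (it only looks at the directory entry, not at attributes FreeRADIUS might add elsewhere in its configuration), so a warning means "look here", not "this will fail".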