Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM: Using non-default NAS-Port-Type in Service Definitions

  • 1.  CPPM: Using non-default NAS-Port-Type in Service Definitions

    Posted Oct 12, 2017 07:39 AM

    The title pretty much sums it up. I have a device that has a NAS-Port-Type with the value 251658240. However, when creating a new service definition, I can only choose between predefined values (0 to 36). 


    So, in my service definition, how can I filter for Radius:IETF:NAS-Port-Type EQUALS 251658240?


    Please see the attached screenshots for further clarification!


    Thanks

    Tom



  • 2.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    EMPLOYEE
    Posted Oct 12, 2017 07:47 AM

    Sorry, but this is not possible. These are IETF standard attributes and what that vendor is using is not valid. You won't be able to use that in a service rule.



  • 3.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    Posted Oct 12, 2017 07:57 AM

    Sigh. Any other options? Ideas?



  • 4.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    EMPLOYEE
    Posted Oct 12, 2017 08:00 AM
    I guess my question would be, why do you need to filter on it?


  • 5.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    Posted Oct 12, 2017 08:05 AM

    I'm using RADIUS auth for SSH-ing to the devices in question, and I authenticate IPsec VPN tunnels using RADIUS terminating on these devices.

    The only difference in the request (SSH or IPsec tunnel) is whether NAS-Port-Type is present or not. If it is present, it most certainly is a RADIUS request for an IPsec VPN user, but just to double check I wanted to check for the correct NAS-Port-Type (251658240).


    If it's not possible at all I'll just stick with NAS-Port-Type IS PRESENT as a check condition.



  • 6.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions
    Best Answer

    EMPLOYEE
    Posted Oct 12, 2017 08:09 AM
    I think that is your only option. I would also reach out to said vendor and ask why they're not using standard NAS-Port-Type values and if you can change it.


  • 7.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    Posted Oct 12, 2017 08:24 AM
    The vendor in question is Juniper. Don't think I'll be lucky, but I'll give it a try anyway.


  • 8.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions
    Best Answer

    EMPLOYEE
    Posted Oct 13, 2017 10:22 AM

    What could work is to edit the RADIUS dictionary and add in the value that you want:

    - Go to Administration » Dictionaries » RADIUS

    - Find the IETF dictionary, and open it

    - Export

    - Open the XML file in a text editor

    - Find the NAS-Port-Type, and add your attribute:


    ... begin of file removed from this exhibit...
    <Attribute profile="in out" type="Unsigned32" name="NAS-Port-Type" id="61">
        <ValidValues>
            <ValidValue enumOrdinal="0" value="Async"/>
            <ValidValue enumOrdinal="1" value="Sync"/>
            ... lines removed but leave lines in...
            <ValidValue enumOrdinal="35" value="xPON"/>
            <ValidValue enumOrdinal="36" value="Wireless-XGP"/>
            <ValidValue enumOrdinal="251658240" value="Juniper-VPN"/>
        </ValidValues>
    </Attribute>
    ... remainder removed but leave lines in...

    - Add the entry with number and value that you want; leave the rest of the file untouched.

    - Save

    - Import

    - And you can now select the attribute in the service rule:

    [Screenshot: ClearPass Policy Manager - Aruba Networks, service rule with the new NAS-Port-Type value]
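    The following script is an added example for this thread (not ClearPass code and not posted by anyone above). It automates the dictionary edit from post 8 and then models the two service rules from post 5: an SSH admin login with no NAS-Port-Type versus an IPsec VPN login whose NAS-Port-Type must match the vendor value, checked against the dictionary rather than with a bare IS PRESENT test. The dictionary text is a constructed, cut-down stand-in for the real export: the Attribute/ValidValues/ValidValue element shape comes from the post above, the root element name is an assumption, and the sample RADIUS requests are made up.

```python
"""Add a non-standard NAS-Port-Type value to an exported RADIUS dictionary and
show which service rule a request would then match.

Example code added to this thread; not ClearPass code. The dictionary below is
a constructed stand-in for the real IETF dictionary export: only the Attribute
element shape is taken from the thread, the root element name is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a real export holds every IETF attribute, not just id 61.
SAMPLE_DICTIONARY = """<Dictionary name="IETF">
  <Attribute profile="in out" type="Unsigned32" name="NAS-Port-Type" id="61">
    <ValidValues>
      <ValidValue enumOrdinal="0" value="Async"/>
      <ValidValue enumOrdinal="1" value="Sync"/>
      <ValidValue enumOrdinal="35" value="xPON"/>
      <ValidValue enumOrdinal="36" value="Wireless-XGP"/>
    </ValidValues>
  </Attribute>
</Dictionary>
"""


def _find_attribute(root, attr_name):
    """Locate the <Attribute> element with the given name, or fail loudly."""
    for attr in root.iter("Attribute"):
        if attr.get("name") == attr_name:
            return attr
    raise ValueError(f"attribute {attr_name!r} not found in dictionary")


def valid_values(xml_text, attr_name):
    """Return {enumOrdinal: label} for the named attribute."""
    attr = _find_attribute(ET.fromstring(xml_text), attr_name)
    return {int(v.get("enumOrdinal")): v.get("value")
            for v in attr.iter("ValidValue")}


def add_valid_value(xml_text, attr_name, ordinal, label):
    """Return the dictionary XML with one extra <ValidValue> appended.

    Refuses a duplicate ordinal or label so an import cannot silently shadow
    a standard value; nothing else in the file is changed, as the post advises.
    """
    if not 0 <= ordinal <= 0xFFFFFFFF:
        raise ValueError("enumOrdinal must fit the Unsigned32 attribute type")
    root = ET.fromstring(xml_text)
    attr = _find_attribute(root, attr_name)
    existing = {int(v.get("enumOrdinal")): v.get("value")
                for v in attr.iter("ValidValue")}
    if ordinal in existing:
        raise ValueError(f"ordinal {ordinal} already maps to {existing[ordinal]!r}")
    if label in existing.values():
        raise ValueError(f"label {label!r} already in use")
    container = attr.find("ValidValues")
    children = list(container)
    new = ET.SubElement(container, "ValidValue")
    new.set("enumOrdinal", str(ordinal))
    new.set("value", label)
    # Keep the indentation of the surrounding lines so the diff stays minimal.
    if len(children) >= 2:
        new.tail = children[-1].tail
        children[-1].tail = children[-2].tail
    return ET.tostring(root, encoding="unicode")


def classify_request(attrs, port_types, vpn_label="Juniper-VPN"):
    """Mirror the two service rules discussed in the thread.

    attrs is one Access-Request as a dict of attribute name to value
    (constructed). An SSH login carries no NAS-Port-Type; an IPsec VPN login
    carries the vendor value, which is looked up in the dictionary so that an
    unknown value is flagged instead of being accepted by IS PRESENT alone.
    """
    if "NAS-Port-Type" not in attrs:
        return "ssh-admin"
    if port_types.get(attrs["NAS-Port-Type"]) == vpn_label:
        return "ipsec-vpn"
    return "unexpected-port-type"


if __name__ == "__main__":
    patched = add_valid_value(SAMPLE_DICTIONARY, "NAS-Port-Type", 251658240, "Juniper-VPN")
    print(patched)
    types = valid_values(patched, "NAS-Port-Type")
    for req in ({"User-Name": "tom"},                  # constructed SSH login
                {"NAS-Port-Type": 251658240},          # constructed VPN login
                {"NAS-Port-Type": 15}):                # constructed, Ethernet
        print(req, "->", classify_request(req, types))
```

    Run it against a real export by reading the file instead of SAMPLE_DICTIONARY; the only check it cannot do for you is the one in post 9, whether a hand-edited IETF dictionary survives the next upgrade, so keep the exported original alongside the patched copy.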



  • 9.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    EMPLOYEE
    Posted Oct 13, 2017 11:11 AM
    Editing the IETF dictionary is not recommended.


  • 10.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    Posted Oct 16, 2017 07:15 AM

    @cappalli

    Why's that?



  • 11.  RE: CPPM: Using non-default NAS-Port-Type in Service Definitions

    Posted Oct 16, 2017 07:15 AM

    Works like a charm. Thanks!