Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  AD authentication failure - RADIUS Windows 2012R2 setup

    Posted 08-18-2016 09:00

    We have a working Windows 2012R2 NPS server running our wireless network at the moment and I want to add the juniper devices to it.  EX4200 and EX2200 mostly.  I have the following config changes successfully setup:

    set system authentication-order [ radius password ]
    set system radius-server 10.10.10.1 secret "XXXXXXXXXXxxxxxxxxXXXXXXXXXXX"
    set system radius-server 10.10.10.1 timeout 3
    set system radius-server 10.10.10.1 retry 3
    set system radius-server 10.10.10.1 source-address 10.3.0.1
    set system radius-options password-protocol mschap-v2
    set system services ssh

    set system login user SU class super-user
    set system login user SU full-name "Default RADUIS admin access template"
    set system login user OP class operator
    set system login user OP full-name "Default RADUIS operater access template"
    set system login user RO class read-only
    set system login user RO full-name "Default RADUIS read-only access template"


    I have setup the clients, connection request, and network policies largely based on info from:

    https://www.27partners.com/2012/08/linking-junos-authentication-to-active-directory-using-radius/

    http://cooperlees.com/blog/?p=419


    I have had Juniper support remoted in on three separate occasions and it seems I have them stumped at this point.  Default log messages are as follows:

    sshd[2120]: rad_send_request: Invalid RADIUS response received
    sshd: SSHD_LOGIN_FAILED: Login failed for user 'twinkie' from host '10.10.100.1'
    sshd[2120]: Failed password for twinkie from 10.10.100.1 port 50402 ssh2
    sshd[2120]: rad_send_request: Invalid RADIUS response received


    But if I watch the traffic on the outbound interface I get the following:

    10:56:00.522837 Out IP 10.3.0.1.50799 > 10.10.10.1.1812: RADIUS, Access Request (1), id: 0x60 length: 147
    10:56:00.530532 In IP 10.10.10.1.1812 > 10.3.0.1.50799: RADIUS, Access Accept (2), id: 0x60 length: 268
    10:56:03.725552 Out IP 10.3.0.1.52820 > 10.10.10.1.1812: RADIUS, Access Request (1), id: 0x68 length: 147
    10:56:03.733727 In IP 10.10.10.1.1812 > 10.3.0.1.52820: RADIUS, Access Accept (2), id: 0x68 length: 268
    10:56:11.915495 Out IP 10.3.0.1.56512 > 10.10.10.1.1812: RADIUS, Access Request (1), id: 0xae length: 147
    10:56:11.923945 In IP 10.10.10.1.1812 > 10.3.0.1.56512: RADIUS, Access Accept (2), id: 0xae length: 268


    Logs in the RADIUS server show full access with successful login.  Ping tests between all is good and no firewall/filters anywhere in this setup.  We checked and triple checked the vendor code in the RADIUS setup.  No joy.


    Basically, from what I can tell at this point, everything is working but the switch is waiting for 'something' from the Windows Server and not getting it.  Or not understanding it.  Does anyone have a working Windows 2012R2 setup?  I would like to compare the setup if possible.


    Thanks,

    Todd



  • 2.  RE: AD authentication failure - RADIUS Windows 2012R2 setup

    Posted 08-18-2016 09:21
    1. Select “Vendor Specific” under the RADIUS Attributes
    2. Click Add, change the Vendor dropdown to “Custom” and click “Vendor-Specific” from the attributes

    1. Click “Add”, then “Add” on the “Attribute Information” dialog
    2. Select “Enter Vendor Code” from the “Specify network access server vendor” section and enter the Juniper vendor code “2636”
    3. Select “Yes. It conforms” to specify that the attribute conforms to the RADIUS RFC

    1. Click “Configure Attribute” and set the “Vendor-assigned attribute number” to “1”, which represents “Juniper-Local-User-Name”
    2. Set the “Attribute format” to “String”
    3. Set the “Attribute value” to “SU”. This is the local username passed to JunOS

    The blogs that you are referencing are correct. Did you create the "Juniper-Local-User-Name" attribute for accounts in RADIUS as described above?



  • 3.  RE: AD authentication failure - RADIUS Windows 2012R2 setup

    Posted 08-18-2016 09:41

    Yes, went through that several times, deleting and re-creating with support.  No luck.


    Here is a rundown of the server setup at the moment.

    RADIUS Clients and Servers:
    Radius Clients:
    New Radius Client
    Enable this RADIUS client "checked"
    Name and Address
    Friendly Name = NET-Switch1
    Address = 10.3.0.1
    Shared Secret
    Manual = XXXXXXXXXXxxxxxxxxXXXXXXXXXXX
    Advanced Tab
    Vendor Name - RADIUS Standard
    Nothing else checked

    Policies:
    Connection Request Policies:
    JUNOS-Client
    Overview Tab
    Policy State - checked "Policy Enabled"
    Type of network access server = Unspecified
    Conditions Tab
    Client Friendly Name = NET-*
    Settings Tab
    Everything default (blank basically)

    Network Policies:
    JUNOS-SuperUser
    Overview Tab
    Policy State - checked "Policy Enabled"
    Access Permission - Grant Access / Ignore user account dial-up 'checked'
    Network connection method - Type of network 'Unspecified'
    Conditions Tab
    Client Friendly Name = NET-*
    User Groups = DOMAINNAME\NETWORK-SUPERUSER
    Network connection method - Type of network 'Unspecified'
    Constraints Tab
    Authentication Methods - only MS-CHAP-v2 checked
    Everything else blank
    Settings Tab
    Radius Attrib / Standard - blank
    Radius Attrib / Vendor Specific
    Vendor Code: 2636
    yes it conforms
    Vendor assigned attrib number: 1
    Attribute format: string
    Attribute value: SU

    Encryption
    Unchecked everything except "Strongest encryption (MPPE 128-bit)"



  • 4.  RE: AD authentication failure - RADIUS Windows 2012R2 setup

    Posted 08-18-2016 09:59

    Just did some additional testing and it turns out that it is working on EX4200 and EX3200 models, but not on EX2200 series.  Is that a known thing that I missed?



  • 5.  RE: AD authentication failure - RADIUS Windows 2012R2 setup

    Posted 09-09-2016 07:41

    I'd suggest checking your RADIUS secrets.  We use exactly the same configuration on SRX100/220/55/1400/1500s, EX2200/4200/4300's and the only differences in NPS are the association of client-friendly-names to NPS policies...  I'd suggest looking at the NPS logs and comparing a working auth to one that fails.
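    Before a RADIUS client accepts a reply it checks the Length field and the Response Authenticator, an MD5 over the reply plus the shared secret, so a secret mismatch is one way a packet can show up as Access-Accept in a capture and still be rejected by the switch. The following is an added example, not code from any poster in this thread: it builds a constructed Access-Accept carrying the Juniper-Local-User-Name VSA (vendor 2636, attribute 1, value "SU") from posts 2 and 3, verifies it against the right and a wrong secret, and decodes the VSA; the secret and request authenticator are made-up placeholders.

```python
import hashlib
import hmac
import struct

JUNIPER_VENDOR_ID = 2636        # IANA enterprise number entered in the NPS policy
JUNIPER_LOCAL_USER_NAME = 1     # vendor-assigned attribute number set to "SU" in the thread
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26

def build_vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute (type 26) carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vtype, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """True only if Length is consistent and the authenticator was made with this shared secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def juniper_local_user_name(packet):
    """Walk the attribute list and return the Juniper-Local-User-Name string, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]      # vlen counts the 2 sub-header bytes
            if vendor_id == JUNIPER_VENDOR_ID and vtype == JUNIPER_LOCAL_USER_NAME:
                return value[6:4 + vlen].decode()
        pos += alen
    return None

# Constructed sample: placeholder secret (masked as in the thread) and a fixed request authenticator
SECRET = b"XXXXXXXXXXxxxxxxxxXXXXXXXXXXX"
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_response(ACCESS_ACCEPT, 0x60, REQUEST_AUTH,
                        build_vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME, b"SU"), SECRET)

if __name__ == "__main__":
    print("valid with correct secret:", verify_response(ACCEPT, REQUEST_AUTH, SECRET))
    print("valid with wrong secret:  ", verify_response(ACCEPT, REQUEST_AUTH, b"wrong"))
    print("Juniper-Local-User-Name:  ", juniper_local_user_name(ACCEPT))
```

    Feeding a captured Access-Accept and the matching request authenticator into verify_response with the secret configured on the switch tells you whether the reply would pass the client's check, independently of what the NPS log says.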



  • 6.  RE: AD authentication failure - RADIUS Windows 2012R2 setup

    Posted 09-11-2016 20:55

    Hi,


    I have one old document with Windows 2008. Maybe it helps.


    Thanks

    Partha

    Attachment: Do1x_Complete_Doc.docx (344 KB)