Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  radius auth error on 14.1X53-D10.1

    Posted 11-12-2014 07:22

    Hello everyone,

     

    We are having some issues with radius authentication on a virtual-chassis of EX4550 since we upgraded it to version 14.X53-D10.1.

     

    Radius auth has been working without any problems in the last months, but since the upgrade every time we try to access the switch, radius auth is not working (and it then asks for the local password which is fine).

     

    We do have a counter on radius packets and it seems like it's not increasing at all.

     

    Some errors appear in logs such as :

     

    Nov 12 10:19:21  SD-SWIB2-01 sshd[14125]: rad_config: /var/etc/pam_radius.conf:2: missing shared secret
    Nov 12 10:19:21  SD-SWIB2-01 sshd[14125]: detected authentication server problem

     

    Have any of you experienced such issues? We have tried deleting the radius configuration and reapplying it, we also changed the password on the server side, but it's still not working.

     

    Best Regards,



  • 2.  RE: radius auth error on 14.1X53-D10.1

     
    Posted 11-14-2014 06:06

    Not sure why this is being related to sshd. Do you see the packets going out towards Radius server? Just to see if there are any malformed packets or if they are sent at all.

     

    This would need replication to see if others can see the problem.

     

    Did you open a JTAC case?

     

     

     

    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: radius auth error on 14.1X53-D10.1

    Posted 11-14-2014 08:08

    The fact that it is related to ssh might be because it happens when we login via ssh (and then it asks for credentials via radius).

     

    No packets or anything is sent to the RADIUS servers, it seems like it is simply dropped.

     

    No case is opened, but we might eventually open one for this (not high priority atm).

     

    Vincent.



  • 4.  RE: radius auth error on 14.1X53-D10.1

    Posted 01-16-2015 09:08

    We're seeing the same thing on our EX4200 and mixed virtual-chassis (EX4200 / EX4550) switches, and opened a JTAC case for it.

     

    In looking at the contents of /var/etc/pam_radius.conf between a working (SRX240H2) device and the non-working switches, there's a difference in the content of pam_radius.conf.

     

    Working device (all on one line):

     

    192.168.1.1|1812  "sharedSecret"  3  3  192.168.5.1  mschap-v2

     

    Non-working device:

     

    192.168.1.1|1812  "sharedSecret"  3  3  192.168.5.1 

    mschap-v2

     

    There is a carriage return / new line between the source-address and the mschap-v2 statement in the broken file, but NO new line in the non-broken file.

     

    We're still waiting for an answer from JTAC on how to resolve the problem...
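
The file difference described in the post above can be checked mechanically. This is an added example, not part of the original thread and not Juniper's code; it assumes the file is read one server entry per line with the shared secret as the second field, which is consistent with the `pam_radius.conf:2: missing shared secret` log line in the first post. The sample contents are constructed from the values quoted above.

```python
import shlex

# Constructed samples modelled on the two files quoted in the post above
# (addresses and secret are the post's own placeholder values).
WORKING = '192.168.1.1|1812  "sharedSecret"  3  3  192.168.5.1  mschap-v2\n'
BROKEN = '192.168.1.1|1812  "sharedSecret"  3  3  192.168.5.1 \nmschap-v2\n'


def check_radius_conf(text, path="/var/etc/pam_radius.conf"):
    """Lint a pam_radius.conf-style file, one server entry per line.

    Assumption: the consumer reads line by line, taking field 1 as the
    server and field 2 as the shared secret, so a fragment left alone on
    a line is treated as a server entry that has no secret.
    Field values are never echoed, since any of them could be the secret.
    """
    findings = []
    prev_entry = None  # line number of the last well-formed entry
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # keeps the quoted secret as one field
        except ValueError as exc:
            findings.append((lineno, f"{path}:{lineno}: unparsable line ({exc})"))
            continue
        if len(fields) < 2:
            msg = f"{path}:{lineno}: missing shared secret"
            if prev_entry == lineno - 1:
                # A lone field directly under a valid entry is the pattern
                # from the thread: a stray newline split one entry in two.
                msg += f" (single field, may be split off line {prev_entry})"
            findings.append((lineno, msg))
            continue
        prev_entry = lineno
    return findings


if __name__ == "__main__":
    for name, sample in (("working", WORKING), ("broken", BROKEN)):
        print(name, check_radius_conf(sample) or "ok")
```
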



  • 5.  RE: radius auth error on 14.1X53-D10.1
    Best Answer

    Posted 02-03-2015 23:49

    In the end, the problem was apparently "known" by JTAC but the PR was private.

     

    The resolution for us was to upgrade the switches to the 14.3X53-D15.2 release.  Same config, that one works correctly.



  • 6.  RE: radius auth error on 14.1X53-D10.1

    Posted 02-04-2015 06:07

    Thanks for the update, greatly appreciated !

     

    We managed to resolve this by downgrading to 13.2 also.

     

    Best Regards !