SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Radius Login to Backup SRX Node

    Posted 01-07-2013 10:16

    Hi All,

    Is it possible to use radius authentication to connect to the secondary SRX node of a cluster?  I am afraid the subsystem for this may not be running on the backup node.

    I know I can just log in as root or just log into the primary and hop across.  Just curious if I can go directly using my Radius creds.

    Thanks!



  • 2.  RE: Radius Login to Backup SRX Node

    Posted 01-07-2013 12:53

    You configured the cluster each with its own management interface?

    (fxp interface configured in group hierarchy) and it's not using radius?

    If configured correctly it will auth against your radius.



  • 3.  RE: Radius Login to Backup SRX Node

    Posted 01-07-2013 13:02

    Yes, both cluster members have a properly configured fxp interface connected to an OOB mgmt network that has access to the radius server.

    When I connect to the backup node it can ping the radius server, so IP connectivity is there.

    When I look at the radius server I do not see any requests coming in.  This is why I thought maybe this was not supported.



  • 4.  RE: Radius Login to Backup SRX Node

    Posted 01-07-2013 13:12

    Is your radius server on your FXP/management network or part of one of your other reth networks?

    Try running a:

    >monitor traffic interface <egressint>.0 matching "host <radius ip>"

    while you're trying to log into the backup SRX to see if you see anything.



  • 5.  RE: Radius Login to Backup SRX Node

    Posted 01-08-2013 07:47

    The Radius server is directly accessible and is routed out the fxp0 to the out-of-band management network.  The radius server works fine on the primary node, just not the secondary node.  As stated before, I can ping it from the secondary node so I know that access is there.

    I am not sure your monitor traffic is a good test, since I don't see the traffic on the primary node, which is known to work.

    Are you 100% sure logging into the backup node with Radius is supported?  Do you have it working in your environment?

    Thanks for the help



  • 6.  RE: Radius Login to Backup SRX Node

    Posted 01-08-2013 08:09

    Also, just to add, I get the following error in my messages log of my backup node when I try to log in using Radius to it.

    10.x.x.x is the IP of my Radius Server (edited for privacy)

    Jan 7 12:46:23 MY-FW-NODEB sshd[41069]: sendmsg to 10.x.x.x(10.x.x.x).1812 failed: Can't assign requested address
    Jan 7 12:46:23 MY-FW-NODEB sshd[41069]: sendpkt to 10.x.x.x(10.x.x.x).1812 failed: error: Can't assign requested address
    Jan 7 12:46:23 MY-FW-NODEB sshd[41069]: sendmsg to 10.x.x.x(10.x.x.x).1812 failed: Can't assign requested address

    Keep in mind I can ping 10.x.x.x; this just seems like the system does not support this.



  • 7.  RE: Radius Login to Backup SRX Node

    Posted 01-08-2013 08:18

    Unfortunately I don't; I only own a standalone, and the production environments I work on do not use radius (they should). However, I asked about the management interface because it could be a specific problem with respect to the special interface fxp0; there are many limitations and generally you should only use it for SSH. I'm assuming this is supported, I don't know for certain, but I don't see why it wouldn't be.

    Check out this sample config from someone's post:

    http://forums.juniper.net/jnet/attachments/jnet/srx/8389/1/srx220+radius+shrew-dynvpn.pdf

    Note how the radius server is not part of the management network, and how it is configured at the group level. You could try this as well to get both nodes to use radius (if you don't have it configured that way already).

    As a test, I would configure radius for a non-management interface IP address. Just configure the radius server to be a next-hop IP address on one of your reth networks that you're routing to, then use monitor traffic on that interface to see if it tries to auth against radius when you log into the backup node. This is an easy alternative test to re-IPing your radius server, since we already know it will authenticate fine if it actually auths against it (make sure you use commit confirmed or have console access). I suspect to get this to work you may need to either apply configuration at the group level or use a non-management interface to communicate with your radius server, or both. If this works it is possible to attach a reth interface to your management network in addition to your fxp, but you will need to isolate your management traffic with a routing-instance to do it.

    Let me know if that makes sense.

    Another thing I would try is just IPing a physical interface on the backup node, not a reth interface and not the fxp0, and seeing if the physical interface will use your radius. In other words, you could move your management to two physical interfaces on each node, put them in zone mgmt and allow SSH on it. You may need to move everything off the fxp0 for this to work.



  • 8.  RE: Radius Login to Backup SRX Node
    Best Answer

    Posted 01-11-2013 06:32

    My Juniper SE helped me to find the solution to this problem.

    You simply need to remove the global radius configuration and apply it to each node in the group stanza.  Doing this will allow each node to send unique radius requests.
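An added example of the per-node layout the best answer describes, written here as Junos set commands; it is not configuration from the thread. The RADIUS address, fxp0 addresses, host-names and secret are placeholders, and the idea that the global radius-server carried only one node's source address (which the backup node cannot bind, hence "Can't assign requested address" in post 6) is an assumption, not something the thread states.

```junos
## Added example (not from the thread). All addresses, names and the
## secret are constructed placeholders; adjust to your own cluster.

## 1. Drop the single global server. Assumed failure mode: a global
##    source-address belongs to one node's fxp0 only, so the other node
##    cannot bind it and sendmsg fails with "Can't assign requested address".
delete system radius-server 192.0.2.10

## 2. Keep the order global; fall back to local passwords if RADIUS is down.
set system authentication-order [ radius password ]

## 3. node0: its own fxp0 address and a radius-server sourced from it.
set groups node0 system host-name FW-NODE0
set groups node0 interfaces fxp0 unit 0 family inet address 198.51.100.1/24
set groups node0 system radius-server 192.0.2.10 secret "<placeholder>"
set groups node0 system radius-server 192.0.2.10 source-address 198.51.100.1
set groups node0 system radius-server 192.0.2.10 port 1812

## 4. node1: same server, but sourced from node1's own fxp0 address.
set groups node1 system host-name FW-NODE1
set groups node1 interfaces fxp0 unit 0 family inet address 198.51.100.2/24
set groups node1 system radius-server 192.0.2.10 secret "<placeholder>"
set groups node1 system radius-server 192.0.2.10 source-address 198.51.100.2
set groups node1 system radius-server 192.0.2.10 port 1812

## 5. Each node applies only its own group at boot.
set apply-groups "${node}"

## 6. Commit with a rollback timer so a mistake cannot lock you out of
##    either node (the thread's own advice); confirm once a RADIUS login
##    to the backup node succeeds.
commit confirmed 5
```

After the change, both 198.51.100.1 and 198.51.100.2 must be allowed as clients on the RADIUS server, and a failed attempt should now show up in the server's own log rather than as a sendmsg error in the backup node's messages log.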