Screen OS

  • 1.  Radius or tacacs admin authentication + cisco ACS

    Posted 05-27-2010 06:17

    Last several days we have been trying to get a netscreen firewall SSG-140 running 6.1.r4 code to use the cisco acs for admin authentication. The Cisco ACS is running ver. 4.2.

    We tried both radius and tacacs but neither is working.

    Based on some of the debug, we can verify the shared secret is correct and the port number is correct (1645); we also tried 1812 for radius.

    The event log shows:

    system warn 00518 Admin user test-rad has been rejected via the Radius server at nnn.nnn.nnn.nnn.

    Unfortunately, the cisco acs is not much help when it comes to debug results.

    Firewall parameters are below.

    set auth-server "Radius-NS" id 1
    set auth-server "Radius-NS" server-name "Radius-test"
    set auth-server "Radius-NS" account-type admin
    set auth-server "Radius-NS" radius secret "ETn45MCAN2IOvksoXaCLUKoS1on8zhLZ/A=="
    set auth-server "tacacs" id 2
    set auth-server "tacacs" server-name "tacacs-test"
    set auth-server "tacacs" account-type admin
    set auth-server "tacacs" type tacacs
    set auth-server "tacacs" tacacs secret "E/S+2g9UNe1eRNsyxvCQNnClkgneezrbAA=="
    set auth-server "tacacs" tacacs port 1645
    set admin auth server "tacacs"
    set admin auth remote primary
    set admin auth remote root

    Any thoughts on what can be causing this?

    We have tried various changes in the ACS to no avail.

    We tried IETF, and we loaded the .ini file for the juniper dictionary.

    Nothing seems to matter.



  • 2.  RE: Radius or tacacs admin authentication + cisco ACS

    Posted 05-27-2010 19:34

    Take a look at this KB: http://kb.juniper.net/KB10191.

    -Mike



  • 3.  RE: Radius or tacacs admin authentication + cisco ACS
    Best Answer

    Posted 06-08-2010 05:49

    Hello and thank you. We did see that kb. It did not make a difference.

    This is a very perplexing problem. This is not rocket science. What we are seeing is no response from the ACS server. Nothing in snoop.

    All we see is the request from the firewall to the acs server.



  • 4.  RE: Radius or tacacs admin authentication + cisco ACS

    Posted 05-23-2011 00:03

    Does anyone know how to make it work in the Cisco ACS 5.1, because it is completely different from 4.2???



  • 5.  RE: Radius or tacacs admin authentication + cisco ACS

    Posted 07-26-2011 04:36

    I have a similar issue, but I can see on the Cisco ACS server that the request is passed.

    On ACS server

    Go to Reports and Activity -> try Passed Authentications or Failed Attempts (you should see some hits)

    I get it in passed attempts, but the NetScreen log still shows as below.

    NS log..

    2011-07-26 12:15:25 warn SSH: Password authentication failed for admin user 'X.X.X.X' at host. 10.1.5.103
    2011-07-26 12:15:25 warn Admin user karampup has been rejected via the Radius server at 10.172.50.45.
    2011-07-26 12:15:25 warn ADM: Local admin authentication failed for login name 'X.X.X.X': invalid login name

    Cisco ACS log

    07/26/2011 11:55:19 Authen OK sanyaolu Administrator .. X.X.X.X 10.1.5.199 (Default) .. .. .. .. .. .. .. .. Netscreen_Test_208

     

    Any suggestions guys.
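
    The two symptoms in this thread (post 3: the request leaves the firewall, nothing comes back; post 5: ACS logs "Authen OK" while the firewall logs a rejection) both sit at the RADIUS layer. The Python below is an added example, not code from the original thread, from Juniper or from Cisco. It builds the Access-Request a firewall sends (RFC 2865 User-Password obfuscation included), verifies a reply's Response Authenticator with the shared secret, and inspects an Access-Accept for the NetScreen admin-privilege vendor attribute. Assumptions: the NetScreen vendor ID 3224 and sub-attribute 1 for NS-Admin-Privilege are taken from the ScreenOS RADIUS dictionary and should be checked against the .ini file the firewall ships with; the secret, username, password and addresses are constructed sample values; reading an Accept that carries no NetScreen privilege attribute as the cause of post 5's ACS-OK/firewall-reject mismatch is this example's assumption, not something the thread itself confirms.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and attribute types.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
# Assumption: NetScreen vendor ID and the NS-Admin-Privilege sub-attribute number,
# as listed in the ScreenOS RADIUS dictionary (.ini) the thread mentions.
NETSCREEN_VENDOR_ID = 3224
NS_ADMIN_PRIVILEGE = 1


def md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], md5(secret, prev)))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; a wrong secret yields garbage and thus an Access-Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Value of a Vendor-Specific attribute: vendor ID, then one TLV in the vendor's numbering."""
    return struct.pack("!I", vendor_id) + struct.pack("!BB", vendor_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip):
    """What the firewall sends; returns the packet and its random Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator)),
             (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    body = pack_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body, authenticator


def build_reply(code, ident, request_authenticator, secret, attrs):
    """What the server sends; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + md5(header, request_authenticator, body, secret) + body


def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The firewall's check before it trusts any reply at all."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = md5(reply[:4], request_authenticator, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def classify_reply(reply, request_authenticator, secret):
    """Map what came back (or did not) onto the symptoms reported in the thread."""
    if reply is None:
        return ("no-reply", "silently discarded: RFC 2865 requires this for clients without a "
                            "configured shared secret, so check the AAA client entry for the "
                            "firewall's source address before anything else")
    if not reply_is_authentic(reply, request_authenticator, secret):
        return ("bad-secret", "Response Authenticator mismatch: the two sides' secrets differ")
    code = reply[0]
    if code == ACCESS_REJECT:
        return ("reject", "server rejected the credentials or its policy denied the user")
    if code != ACCESS_ACCEPT:
        return ("unexpected", f"code {code}")
    for attr_type, value in parse_attrs(reply[20:]):
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == NETSCREEN_VENDOR_ID:
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == NS_ADMIN_PRIVILEGE and len(sub_value) == 4:
                    return ("accept", f"NS-Admin-Privilege={struct.unpack('!I', sub_value)[0]}")
    return ("accept-no-vsa", "server said OK but sent no NetScreen admin-privilege attribute: "
                             "the firewall has no admin level to assign and logs a rejection")
```

    Read against the thread: a "no-reply" outcome with the request visible in snoop points at the server's client list (source address and secret) rather than at the user or dictionary; an "accept-no-vsa" outcome is the case where the server's own report reads OK while the firewall still rejects the admin, which is where the group-level vendor attribute on the ACS side is worth checking.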

     



  • 6.  RE: Radius or tacacs admin authentication + cisco ACS

    Posted 09-19-2011 15:37

    Folks,

    I'm also having an issue with TACACS admin authentication and ACS 4.2 (appliance).

    I log on using my root account.

    My root account gets authenticated and I see the 'vsys=root' and 'privilege=root' when I debug auth tacacs, but I don't get root account privileges.

    When I run debug auth admin I don't see anything in the db stream.

    JTAC are looking at it for me but no progress as yet.

     



  • 7.  RE: Radius or tacacs admin authentication + cisco ACS

    Posted 12-14-2011 05:04

    Hello, I want to do this config on EX4200 and SRX650; what will be the difference in this config?