EX4300 radius authentication not working

‎03-27-2020 12:39 PM

Hello guys

EX4300x3 VC

version 17.3R3-S4.2

Problem description:

RADIUS authentication is not working, although the Wireshark log on the RADIUS server shows "Access-Accept".

Config on EX4300:

set groups global system authentication-order radius
set groups global system authentication-order password
set groups global system radius-server 192.168.199.50 secret 123456
set groups global system radius-server 192.168.199.50 timeout 5
set groups global system radius-server 192.168.199.50 retry 4
set groups global system radius-server 192.168.199.50 source-address 192.168.210.30
set groups global system login user remote full-name Radius_Server
set groups global system login user remote uid 2050
set groups global system login user remote class super-user
set apply-groups global

I configured radius traceoptions:

set system processes general-authentication-service traceoptions file radius
set system processes general-authentication-service traceoptions flag all

and here is the log (same repeated line):

Mar 27 22:21:58.924098 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:00.928018 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:02.930996 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:04.935001 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:06.937041 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:08.940007 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:10.943925 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:12.946970 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:14.952720 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK
Mar 27 22:22:16.954865 ../../../../../../src/junos/usr.sbin/authd/plugin/policy-control-jsrc/authd_jsrc_engine.cc:396: CONNECT FAIL CALLBACK

Not sure what this is ...

I searched PR Search for a bug but didn't find anything ...

On another switch, EX4200VC, with the same configuration but running version 15.1R7.9 and a different "source-address", it is working fine.

"source-address" is not the problem because the RADIUS clients are configured for the whole /24 subnet, and again, I can see the "Access-Accept" message on the RADIUS server.

Any advice?

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com
Re: EX4300 radius authentication not working

‎03-27-2020 07:05 PM

Hi Abed AL-R,

Could you confirm if the Vendor-specific attribute on your Server Policy is set to 2636?

Also, that the attribute is configured as String 1 and that the remote user is configured the same as on the server (you could also try without special characters and all lower case)?

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-radius-authentication...

If it helps clearing your concern, please mark as solved!
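
The check asked for in the reply above (vendor ID 2636, attribute 1 as a string, matching the local user, which is `remote` in the posted config) can be made against the raw bytes of a captured Access-Accept. This is an added example, not part of the original thread; the function names are hypothetical, the sample packet is constructed, and the Response Authenticator is not verified.

```python
import struct

VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs (RFC 2865)
JUNIPER_VENDOR_ID = 2636     # vendor ID asked about in the reply above
LOCAL_USER_NAME = 1          # Juniper vendor type 1 (a string)

def juniper_local_users(packet: bytes):
    """Return (RADIUS code, list of Juniper-Local-User-Name strings)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    names, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        sub = value[4:]                      # vendor-type/length/value triples
        while sub:
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("bad vendor sub-attribute")
            if sub[0] == LOCAL_USER_NAME:
                names.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return code, names

def build_sample(local_user: bytes = b"remote") -> bytes:
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    sub = bytes([LOCAL_USER_NAME, 2 + len(local_user)]) + local_user
    vsa_value = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    attrs = bytes([18, 4]) + b"ok"           # Reply-Message, to be skipped
    attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa_value)]) + vsa_value
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    code, names = juniper_local_users(build_sample())
    print("code", code, "Juniper-Local-User-Name", names)
```

An Access-Accept that returns an empty list, or a name that does not match a local user on the switch, points at the server policy rather than the switch.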

Re: EX4300 radius authentication not working

‎03-28-2020 05:24 AM

Hi

Yes I confirm.

Also this is the same conf on an existing ex4200vc and it is working fine there.

The server returns access accept, but for some reason the ex4300 is not moving forward ...

I also tried the test command, but it is not valid on this platform:

root@SUP_EX4300-Stack> test access radius-server 192.168.199.50 user abedb password <mypassword> secret $9$secretsecretsecret source-address 192.168.210.30    
error: command is not valid on the ex4300-24t

 

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: EX4300 radius authentication not working

‎03-28-2020 05:56 AM

OK ... problem solved.

Solution:

For some reason, when adding the command "source-address", RADIUS is not working, although RADIUS is returning access-accept and the source address is correct.

I deleted that command and now RADIUS is working fine.

This is weird, because on another switch we have (ex4200vc ver.15), it is working fine when changing the source address for outgoing RADIUS packets.

And this is not a network problem, because the address is correct and tested.

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com