
Junos 12.3R12-S13 breaks RADIUS CLI authentication

‎06-11-2019 04:44 PM

After upgrading some EX2200 and EX3300 from S12 to S13 I was able to log in remotely only using a local user account.
RADIUS CLI authentication does not work in S13.

[mylogin@unix ~]$ ssh my-ex2200
Password:
pam_unix: pam_sm_authenticate: UNIX authentication refused

My colleague made a diff of /etc/pam.conf and here is what he found.
12.3R12-S12

root@my-ex2200:RE:0% cat /etc/pam.conf
su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so   no_warn
su auth requisite  pam_group.so  no_warn group=wheel fail_safe root_only
su auth required   pam_unix.so   try_first_pass
login   auth    sufficient      pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote        try_first_pass no_warn
login   account sufficient      pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
login   password        required        pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote

12.3R12-S13

root@my-ex2200:RE:0% cat /etc/pam.conf
su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so   no_warn
su auth requisite  pam_group.so  no_warn group=wheel fail_safe root_only
su auth required   pam_unix.so   try_first_pass
login   auth    required        pam_unix.so
login   session required        pam_permit.so
login   account required        pam_unix.so

After booting from the backup partition back to 12.3R12-S12 everything worked right again.
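
A post-upgrade check for the regression described in the post above, as an added example that is not part of the original thread: it parses two pam.conf dumps and reports which modules disappeared from the login stacks. The sample text is excerpted from the two listings in the post; the function names are hypothetical, and bracketed PAM control values are not handled.

```python
# Added example: detect PAM modules dropped from a service's stacks after an upgrade.
# Samples are excerpts of the two /etc/pam.conf listings in the post (one su line kept).
from collections import defaultdict

PAM_S12 = """\
su auth required   pam_unix.so   try_first_pass
login   auth    sufficient      pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote        try_first_pass no_warn
login   account sufficient      pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
login   password        required        pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
"""

PAM_S13 = """\
su auth required   pam_unix.so   try_first_pass
login   auth    required        pam_unix.so
login   session required        pam_permit.so
login   account required        pam_unix.so
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module), ...]} in file order."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 4:                     # service type control module [args...]
            stacks[(fields[0], fields[1])].append((fields[2], fields[3]))
    return dict(stacks)

def lost_modules(before, after, service="login"):
    """Per PAM type, modules present for `service` before but missing after."""
    old, new = parse_pam_conf(before), parse_pam_conf(after)
    lost = {}
    for (svc, mtype), entries in old.items():
        if svc == service:
            now = {module for _, module in new.get((svc, mtype), [])}
            gone = sorted({module for _, module in entries} - now)
            if gone:
                lost[mtype] = gone
    return lost

def radius_auth_enabled(text, service="login"):
    """True if pam_radius.so appears in the auth stack of `service`."""
    return any(m == "pam_radius.so" for _, m in parse_pam_conf(text).get((service, "auth"), []))

if __name__ == "__main__":
    print("RADIUS auth after upgrade:", radius_auth_enabled(PAM_S13))
    print("Modules lost from login stacks:", lost_modules(PAM_S12, PAM_S13))
```
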

 


Re: Junos 12.3R12-S13 breaks RADIUS CLI authentication

‎06-11-2019 08:52 PM
Hi,

From the snippets of /etc/pam.conf shared from the two different versions, it seems to me to be an issue with the configuration commit during boot-up.

After loading a new image, the config will already get committed during boot, and this is where the errors may be seen. If the commit is successful during boot, there is no need to commit again. Since the config is not getting committed successfully, the boot-time commit is failing. If the boot-time commit fails, the pam.conf file will not get updated and login will fail.

As you are able to log in with a local user account, I would suggest you perform a commit and, if it is successful, check whether RADIUS auth works. If it still fails, just reboot the switch and the pam.conf should be updated. If it still fails, I suggest opening a ticket with JTAC with the RSI and log files for further investigation.

Thanks,
Pradeep

Re: Junos 12.3R12-S13 breaks RADIUS CLI authentication

‎06-13-2019 04:56 AM

The problem is not related to wrong config commits.
We cannot create a JTAC request because of expired support contracts.

P.S.
We were able to reproduce the problem in 100% of cases on different ex2200\3300 units.
I wrote this post just to warn the Juniper community about this problem and prevent someone from "stepping on a rake".


Re: Junos 12.3R12-S13 breaks RADIUS CLI authentication

‎07-12-2019 01:25 AM

Got the same issue. Any clue?


Re: Junos 12.3R12-S13 breaks RADIUS CLI authentication

‎07-12-2019 11:58 AM

Hi There, 

 

It looks like there is an internal PR, since multiple customers have reported the same issue. We will keep track of it and update, since Dev is working on it.

 


 

Thanks!

Franky