SRX Services Gateway
SRX Services Gateway

Issue with setting up network admin Auth via. ldap/NPS

‎12-09-2019 12:28 AM



So i am trying to setup our network applienses to use radius to authenticate our admins when they need to make changes to switches and firewalls.


I am testing the setup on a vSRX, but cant get it to work.


have gotten to the point where i via. a wireshark can see the radius request hit the server, but the radius does not see the request at all.


The setup is:

1 windows domain controller with NPS installed

1 vSRX setup to use radius

Used the following guide:


As it is now, the NPS log does not see the requests at all, but as started earlier i can see that the request packets are recieved on that specific server.

Does anybody know of a better guide to setup this or have any pointers?

SRX Services Gateway

Re: Issue with setting up network admin Auth via. ldap/NPS

a week ago

Since you can see the request packet arriving on the server but ignored by NPS this means that at least one of the match conditions in your NPS setup for the Juniper client is not correct.  


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
SRX Services Gateway

Re: Issue with setting up network admin Auth via. ldap/NPS

[ Edited ]


Can you share switch and NPS config?

  • vSRX - did you configure source-address? If your NPS logging is correctly set, you can see errors if the source-address does not match with what is set on NPS. Without source-address specified Junos might use a different IP depending on your configuration
    ex3400vc> show configuration system radius-server {
        port 1812;
        secret "$9$1encryptedpasswordhere"; ## SECRET-DATA
  • vSRX - make sure your secret did not include some special characters Junos has special use for, keep it simple first like Password123 to test
  • NPS - show what you have set in Connection Request Policies and Network Policies
  • NPS - Network Policies most important setting would be Vendor-Specific will need to match your vSRX login user remote to be mapped to super-user (default)


hope that helps