SRX Services Gateway

RADIUS authentication on SRX1500

‎06-14-2019 02:44 AM

Hello there,

I've recently run into a weird issue where I've got an SRX1500 that I'm wanting to connect to RADIUS authentication.

The SRX is running in packet mode.

Relevant configs below:

system {
    authentication-order [ radius password ];
    radius-server {
        1.2.3.4 {
            port 1812;
            secret ## SECRET-DATA
            timeout 3;
            retry 3;
            source-address loopback;
        }
        1.2.4.5 {
            port 1812;
            secret ## SECRET-DATA
            timeout 3;
            retry 3;
            source-address loopback;
        }
    }
    login {
        user remote {
            full-name all-remote-users;
            uid 2020;
            class super-user;
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                file radius;
                flag all;
            }
        }
    }
}

I can see that when I try to authenticate with a RADIUS user, the RADIUS machine gets an Access-Request packet and then sends an Access-Accept back to the SRX device, yet I am not able to log in through RADIUS anyway.

Traceoptions below:

Jun 14 10:45:49.497945 authd process starting, pid 17859 mode 2
Jun 14 10:45:49.498209 enter authd_radius_module_create
Jun 14 10:45:49.499199 authd_radius_module_config_init: result=SUCCESS
Jun 14 10:45:49.499216 created authd_radius_module
Jun 14 10:45:49.499229 LDAP:AUTH: create LDAP module
Jun 14 10:45:49.499241 LDAP:CONFIG: result=SUCCESS
Jun 14 10:45:49.499251 Local : enter authd_local_module_create
Jun 14 10:45:49.500718 Local : start authd_local_module_config_init
Jun 14 10:45:49.500741 Local : created authd local module
Jun 14 10:45:49.501698 SECURID:AUTH: create ACE module
Jun 14 10:45:49.501765 Entering AceInitializeEx()
Jun 14 10:45:49.548691 Leaving AceInitializeEx()
Jun 14 10:45:49.548764 Framework : enter authd_state_timer_init
Jun 14 10:45:49.550167 authd_config_read: old seq 0 and new one 27
Jun 14 10:45:49.551413  Termintate-code: no configuration
Jun 14 10:45:49.551501 host-name changed in system config
Jun 14 10:45:49.551599 Extensible Services mode turned OFF
Jun 14 10:45:49.551627  accounting-backup-options: no configuration
Jun 14 10:45:49.551641 AaaService::configRead
Jun 14 10:45:49.551650 AaaService::configReadAccess
Jun 14 10:45:49.551714 sendAcctOffRequests: Dont send ACCT-OFF as Gres recovery is not complete.
Jun 14 10:45:49.551753 configReadTunnelSwitchProfiles: no tunnel-switch profiles configured
Jun 14 10:45:49.551772 AaaService::configReadAaaAttachment
Jun 14 10:45:49.551783 delVrfTable: deleting vrf table
Jun 14 10:45:49.552216 addVrfEntry: Added VRF to table default; 0
Jun 14 10:45:49.552243 Config deleted for AAA routing context default:default
Jun 14 10:45:49.552278 Config deleted for AAA routing context default:default
Jun 14 10:45:49.552303 Config deleted for AAA routing context default:default
Jun 14 10:45:49.552327 Creating routing context default:default
Jun 14 10:45:49.553340 Creating client jdhcpd-client
Jun 14 10:45:49.553367 Adding rule External-Authority for client jdhcpd-client
Jun 14 10:45:49.553379 Adding rule Network-Match for client jdhcpd-client
Jun 14 10:45:49.553402 Clearing rule list
Jun 14 10:45:49.553602 Creating client jdhcpd-test-client
Jun 14 10:45:49.553616 Adding rule External-Authority for client jdhcpd-test-client
Jun 14 10:45:49.553627 Adding rule Network-Match for client jdhcpd-test-client
Jun 14 10:45:49.553638 Clearing rule list
Jun 14 10:45:49.553651 Adding rule External-Authority for client jdhcpd-client
Jun 14 10:45:49.553662 Adding rule Network-Match for client jdhcpd-client
Jun 14 10:45:49.553674 Adding rule External-Authority for client jdhcpd-test-client
Jun 14 10:45:49.553685 Adding rule Network-Match for client jdhcpd-test-client
Jun 14 10:45:49.553792 authd_config_access_object: dax_get_object_by_path returned FALSE
Jun 14 10:45:49.553806 authd_apply_acctg_config
Jun 14 10:45:49.553858 authd_cfg_interfaces_cb: Interface  not interested
Jun 14 10:45:49.553969 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/0]
Jun 14 10:45:49.554257 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/1]
Jun 14 10:45:49.554306 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/2]
Jun 14 10:45:49.554423 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/3]
Jun 14 10:45:49.554467 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/4]
Jun 14 10:45:49.554502 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/5]
Jun 14 10:45:49.554538 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/6]
Jun 14 10:45:49.554572 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/7]
Jun 14 10:45:49.554606 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/8]
Jun 14 10:45:49.554642 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/9]
Jun 14 10:45:49.554676 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/10]
Jun 14 10:45:49.554709 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/11]
Jun 14 10:45:49.554743 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/12]
Jun 14 10:45:49.554778 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/13]
Jun 14 10:45:49.554821 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/14]
Jun 14 10:45:49.554857 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[ge-0/0/15]
Jun 14 10:45:49.554902 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[xe-0/0/16]
Jun 14 10:45:49.554940 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[xe-0/0/17]
Jun 14 10:45:49.554977 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[xe-0/0/18]
Jun 14 10:45:49.555032 authd_cfg_interfaces_cb: DAX_ITEM_CHANGED [interface] ifd[xe-0/0/19]
Jun 14 10:45:49.555267 authd_cfg_interfaces_cb: Interface fxp0 not interested
Jun 14 10:45:49.555314 authd_cfg_interfaces_cb: Interface irb not interested
Jun 14 10:45:49.555342 authd_cfg_interfaces_cb: Interface lo0 not interested
Jun 14 10:45:49.555354 authd_config_read_interface: Radius-Options dax_query (interface) ret 0
Jun 14 10:45:49.555902 === Configuration load succeeded ===
Jun 14 10:45:49.557131 Framework : : SNMP Mib Tables init
Jun 14 10:45:49.564001 Startup: ISSU State is IDLE
Jun 14 10:45:49.565366 Framework : : SNMP trap (jnxAccessAuthServiceUp) result: <snmp-generate-trap-results xmlns="http://xml.juniper.net/junos/15.1X49/junos-snmp">
<snmp-generate-trap-result>trap sent successfully</snmp-generate-trap-result>
</snmp-generate-trap-results>

Jun 14 10:45:49.565608 serviceRadiusRequestQueues Cannot find configured request-rate, using default rate 500
Jun 14 10:45:50.158154 License registration complete
Jun 14 10:45:50.177680 ### GRES: recovery-done: prev-run-mode:other-backup run-mode:legacy-proto-master
Jun 14 10:45:50.177790 LI: trigger0-complete notitification received
Jun 14 10:45:50.178272 authd_unix_ipc_setup: ipc done sockfd is 43
Jun 14 10:45:50.178353 authd_auth_force_add_conn:Authd forcely add jipc-conn jdhcpd-client
Jun 14 10:45:50.178414 authd_auth_force_add_conn:Authd forcely add jipc-conn autoconfd-client
Jun 14 10:45:50.178477 authd_auth_force_add_conn:Authd forcely add jipc-conn dvlan-client
Jun 14 10:45:50.178618 authd_auth_force_add_conn:Authd forcely add jipc-conn jpppd-client
Jun 14 10:45:50.178672 authd_auth_force_add_conn:Authd forcely add jipc-conn essmd-client
Jun 14 10:45:50.178718 authd_auth_force_add_conn:Authd forcely add jipc-conn jsscd-client
Jun 14 10:45:50.178764 authd_auth_force_add_conn:Authd forcely add jipc-conn jdhcpd-test-client
Jun 14 10:45:50.178810 authd_auth_force_add_conn:Authd forcely add jipc-conn jpppd-test-client
Jun 14 10:45:50.178853 authd_auth_force_add_conn:Authd forcely add jipc-conn jl2tp-test-client
Jun 14 10:45:50.178962 authd_unix_ipc_setup: jipc-enable-client-io done
Jun 14 10:45:50.179001 authd_tcp_ipc_setup: TCP ipc init is done, sockfd is 45
Jun 14 10:45:50.445123 ### GRES: done:
Jun 14 10:45:50.445405 Notification of libstats socket opening
Jun 14 10:45:53.203931 authd_serv_listen: Got a new client tcp = no
Jun 14 10:45:53.204021 authd_serv_conn_new: accepted a new connection
Jun 14 10:45:53.204116 authd_read_msg: Fresh msg arrival. fd=46, hdr_read=0, hdr_remnant=0, payload_read=0 payload_remnant=0
Jun 14 10:45:53.204135 fresh message conn=0xa9b9000
Jun 14 10:45:53.204149 read fresh message conn=0xa9b9000 hdr_remnant=0 hdr_read=32
Jun 14 10:45:53.204160 Read payload for new message. fd=46, rqst_len=49
Jun 14 10:45:53.204169 Read payload for new message. fd=46, payload_len=17, rqst_len=49, cookie=0
Jun 14 10:45:53.204194 Process/Dispatch Client Message
Jun 14 10:45:53.204212 New Process/Dispatch Client Message
Jun 14 10:45:53.204251 authd_register_aaa_msg_create: num_of_tlvs:1
Jun 14 10:45:53.204278 authd_conn_extract_conn_id Register conn-id kmdiked-0-0-0
Jun 14 10:45:53.204290 authd_auth_force_add_conn:Authd forcely add conn 0xa9b9000, conn->fd is 46, conn->need_byteswap is no
Jun 14 10:45:53.204305 authd_conn_extract_conn_id tunnel support false
Jun 14 10:45:53.204314 authd_auth_send_answer: conn=a9b9000, reply-code=1 (OK), result-subopcode=25 (CLIENT_REGISTER_ACK), session-id:0, cookie=0, rply_len=28, num_tlv_blocks=0
Jun 14 10:45:53.204343 authd_auth_aaa_msg_destroy
Jun 14 10:45:53.204368 authd_auth_get_conn: Bad connection ID .
Jun 14 10:45:53.204487 authd_auth_aaa_msg_destructauth_aaa_msg: 0x8ef406c
Jun 14 10:45:53.204506 authd_write_conn: response is 0xa9b905c, total len is 28 and sent is 0
Jun 14 10:45:53.204738 authd_write_conn: response is 0xa9b905c, wrote 28 bytes

The device is running Junos 15.1X49.D150

Re: RADIUS authentication on SRX1500

‎06-14-2019 04:13 AM
Hi,

Can you attempt the RADIUS authentication again and share the snippet from "/var/log/messages" from the time of the login attempt? It might give more information on the reason for the failure.

Thanks and Regards,
Pradeep Kumar

Re: RADIUS authentication on SRX1500

‎06-14-2019 04:33 AM

Hello,

Here's the output from /var/log/messages:

sshd: rad_send_request: No valid RADIUS responses received
sshd[76855]: (pam_sm_authenticate): DEBUG: PAM_ACTUAL_USER: user1
sshd[76855]: (pam_sm_authenticate): DEBUG: PAM_USER: user1
sshd[76855]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: 
user attempts: 16
sshd[76853]: error: PAM: authentication error for USER from 1.2.3.4
sshd: SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '1.2.3.4'
sshd[76980]: rad_send_request: No valid RADIUS responses received
sshd[76980]: (pam_sm_authenticate): DEBUG: PAM_ACTUAL_USER: user1
sshd[76980]: (pam_sm_authenticate): DEBUG: PAM_USER: user1
sshd[76980]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: user1       attempts: 17
sshd[76853]: error: PAM: authentication error for user1 from 1.2.3.4
sshd: SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '1.2.3.4'

Now I see that it is failing; however, as I stated prior to this, the RADIUS machine responds with an Access-Accept back to the SRX. We have countless Juniper devices where this all runs just fine :)

Re: RADIUS authentication on SRX1500

‎06-14-2019 04:43 AM

Looks like a firewall filter is configured on this firewall, as it is not receiving the response from the RADIUS server. Please check and disable the firewall filter, if one is configured, to test the communication, or allow RADIUS traffic in the filter.

show firewall

show interfaces filter

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: RADIUS authentication on SRX1500

‎06-14-2019 09:03 AM
Hello,

As mentioned, you can look into the firewall filter configuration, if any, and make sure they are not blocking the responses.

I see you mentioned that the server is responding with an Access-Accept; it might be that the EX is having issues in processing the received key. As such, will you be able to try reconfiguring the secret key on the SRX device and check?

Thanks and Regards,
Pradeep Kumar
Technical Support Engineer | Juniper Networks
Phone: +1-888-314-5822
Email: pradkm@juniper.net

Re: RADIUS authentication on SRX1500

‎06-14-2019 09:15 AM

Dazzler,

Can you provide the output of a "show route [radius_server_address]" command? I would like to confirm whether we are reaching the server via a routing-instance. If so, please check:

https://www.kuncar.net/blog/2018/source-system-services-from-a-routing-instance/

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21085&actp=METADATA&act=login

Please mark this comment as the Solution if applicable.

Re: RADIUS authentication on SRX1500

‎06-16-2019 07:23 PM

Hi,

I see you are sourcing the RADIUS request from the loopback IP. I would check the following:

1. Filter on the loopback interface - show interfaces lo0

2. Routing for the loopback IP from the RADIUS server
   RADIUS reachability from the loopback interface - "ping <radius-ip> interface lo0.0" would help confirm the reverse routing

Regards,

Vikas

Re: RADIUS authentication on SRX1500

‎06-19-2019 01:51 AM

Hi,

I had missed a firewall filter, so it was blocking the traffic.

Thanks everyone, I've now learned a few good commands to use in the future :)

Re: RADIUS authentication on SRX1500

‎06-19-2019 02:09 AM

You can add a log/syslog action in the firewall filter discard term to log the discarded packets.

Reference: https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-option-logging-exam...

To see discarded packets:

show firewall log

show log <syslog file name>

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
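
As an added illustration (not the original poster's configuration, nor anything posted in this thread), this is what a loopback filter that resolves the problem described above can look like in Junos: it permits RADIUS replies from the two configured servers back to the Routing Engine, counts them, and logs whatever the final discard term drops so that show firewall log shows exactly what is being blocked. The filter name protect-re and the loopback address 10.0.0.1/32 are assumptions, and terms for the other traffic the Routing Engine must accept are left out.

```junos
/* Added example, not the poster's configuration. The filter name and the
   loopback address 10.0.0.1/32 are assumptions; terms for the other traffic
   the RE must accept (SSH, routing protocols, ...) are omitted here. */
firewall {
    family inet {
        filter protect-re {
            /* RADIUS replies: UDP from port 1812 on the two servers defined
               under system radius-server, towards the loopback source. */
            term radius-reply {
                from {
                    source-address {
                        1.2.3.4/32;
                        1.2.4.5/32;
                    }
                    protocol udp;
                    source-port 1812;
                }
                then {
                    count radius-reply;
                    accept;
                }
            }
            /* Final term: drop, but count and log, so 'show firewall log'
               and 'show firewall filter protect-re' show what is blocked. */
            term default-discard {
                then {
                    count discarded;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 10.0.0.1/32;
            }
        }
    }
}
```

After a login attempt, a rising radius-reply counter in show firewall filter protect-re confirms the Access-Accept is reaching the RE, while hits on the discarded counter (with the source shown in show firewall log) point at a term that is still missing.
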
Re: RADIUS authentication on SRX1500

‎06-19-2019 10:01 AM

Dazzler, it is advisable that you mark one of the comments as an Accepted Solution so future users will see the solution right from the beginning of this forum.

Please mark my answer as the Solution if it applies.