
Radius Auth Issues with Dynamic VPN

‎03-05-2019 10:56 AM

Hello,

I am in the process of setting up RADIUS authentication for a dynamic VPN.  Unfortunately, it is not working.  I have tracing turned on for authentication, and am getting this error message:

 

Mar 5 18:34:16.479967 Local : authd_local_lite_auth: got params profile=ad01-cg-radius, username=dramage
Mar 5 18:34:16.479973 Local : start authd_local_lookup
Mar 5 18:34:16.479978 Local : profile ad01-cg-radius NOT found

 

This confuses me, because that profile exists:

ec2-user@VSRX2> show configuration access
profile ad01-cg-radius {
    address-assignment {
        pool Corios-VPN;
    }
    radius {
        authentication-server 10.1.10.40;
        accounting-server 10.1.10.40;
    }
    radius-server {
        10.1.10.40 {
            port 1812;
            secret "BIG IMPORTANT SECRET HERE"; ## SECRET-DATA
            timeout 15;
            retry 2;
            source-address 172.16.101.6;
            routing-instance vpn_gateway;
        }
    }
    accounting {
        order radius;
        accounting-stop-on-failure;
        accounting-stop-on-access-deny;
    }
}

Here's where I have it applied to the IKE gateway:

gateway Corios-VPN-IKE-GW {
    ike-policy Corios-VPN-IKE-Pol;
    dynamic {
        user-at-hostname "itadmins@coriosgroup.com";
        connections-limit 2;
        ike-user-type shared-ike-id;
    }
    dead-peer-detection;
    local-identity inet XXX.XXX.XXX.XXX;
    external-interface ge-0/0/1.0;
    aaa {
        access-profile ad01-cg-radius;
    }
    version v1-only;
    tcp-encap-profile NCP;
}

I should also mention that I have no connectivity problems if I switch over to local authentication.

 

Thanks in advance for your help.

1 ACCEPTED SOLUTION

Solution
Accepted by topic author dramage
‎03-05-2019 01:58 PM

Re: Radius Auth Issues with Dynamic VPN

‎03-05-2019 11:26 AM

I see that authentication order is missing in your access profile config. Did you try after adding it?

set access profile ad01-cg-radius authentication-order radius

 

Is your RADIUS server reachable via routing-instance or via inet.0 (global routing table)?

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790), CCIE RS #48338
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Radius Auth Issues with Dynamic VPN

‎03-05-2019 01:59 PM

Adding the authentication order statement caused it to attempt to use the profile, and you were right, it should not have been in the routing instance.  Thank you for your help.
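
The two checks from the accepted answer, written as a small offline lint over a saved Junos configuration (an added example, not part of the original thread and not Juniper code). The parser, the function names and the sample text are constructed for illustration; a `routing-instance` under `radius-server` is flagged only for review, since whether it is correct depends on where the RADIUS server is actually reachable.

```python
import re

TOKEN = re.compile(r'"[^"]*"|##[^\n]*|[{};]|[^\s{};"]+')
SAMPLE = """## constructed sample, trimmed from the configuration posted in the thread
profile ad01-cg-radius { radius-server { 10.1.10.40 { routing-instance vpn_gateway; } } }
gateway Corios-VPN-IKE-GW { aaa { access-profile ad01-cg-radius; } }
"""

def parse(text):
    """Parse Junos curly-brace configuration text into nested dicts (leaf -> None)."""
    stack, words = [{}], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        elif not tok.startswith("##"):  # skip annotations such as '## SECRET-DATA'
            words.append(tok)
    return stack[0]

def blocks(tree, kind):
    """Yield (name, body) for every '<kind> <name> { ... }' block at any depth."""
    for key, body in tree.items():
        if isinstance(body, dict):
            if key.startswith(kind + " "):
                yield key.split(None, 1)[1], body
            yield from blocks(body, kind)

def lint(text):
    """Return (gateway, profile, finding) tuples for the two issues raised in the thread."""
    tree, out = parse(text), []
    profiles = dict(blocks(tree, "profile"))
    for gw, body in blocks(tree, "gateway"):
        for stmt in body.get("aaa") or {}:
            if stmt.startswith("access-profile "):
                name = stmt.split()[1]
                if name not in profiles:
                    out.append((gw, name, "profile not defined"))
                elif not any(k.startswith("authentication-order") for k in profiles[name]):
                    out.append((gw, name, "no authentication-order"))
                for srv, opts in (profiles.get(name, {}).get("radius-server") or {}).items():
                    if any(o.startswith("routing-instance ") for o in opts or {}):
                        out.append((gw, name, "radius-server " + srv + " uses a routing-instance"))
    return out
```

Calling `lint(SAMPLE)` reports both findings for the gateway in the thread; a profile that sets `authentication-order` and has no `routing-instance` under its server returns an empty list.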