SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Radius Auth Issues with Dynamic VPN

    Posted 03-05-2019 10:56

    Hello,

    I am in the process of setting up RADIUS authentication for a dynamic VPN.  Unfortunately, it is not working.  I have tracing turned on for authentication, and am getting this error message:


    Mar 5 18:34:16.479967 Local : authd_local_lite_auth: got params profile=ad01-cg-radius, username=dramage
    Mar 5 18:34:16.479973 Local : start authd_local_lookup
    Mar 5 18:34:16.479978 Local : profile ad01-cg-radius NOT found


    This confuses me, because that profile exists:

    ec2-user@VSRX2> show configuration access
    profile ad01-cg-radius {
        address-assignment {
            pool Corios-VPN;
        }
        radius {
            authentication-server 10.1.10.40;
            accounting-server 10.1.10.40;
        }
        radius-server {
            10.1.10.40 {
                port 1812;
                secret "BIG IMPORTANT SECRET HERE"; ## SECRET-DATA
                timeout 15;
                retry 2;
                source-address 172.16.101.6;
                routing-instance vpn_gateway;
            }
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }


    Here's where I have it applied to the IKE gateway:

    gateway Corios-VPN-IKE-GW {
        ike-policy Corios-VPN-IKE-Pol;
        dynamic {
            user-at-hostname "itadmins@coriosgroup.com";
            connections-limit 2;
            ike-user-type shared-ike-id;
        }
        dead-peer-detection;
        local-identity inet XXX.XXX.XXX.XXX;
        external-interface ge-0/0/1.0;
        aaa {
            access-profile ad01-cg-radius;
        }
        version v1-only;
        tcp-encap-profile NCP;
    }


    I should also mention that I have no connectivity problems if I switch over to local authentication.


    Thanks in advance for your help.



  • 2.  RE: Radius Auth Issues with Dynamic VPN
    Best Answer

    Posted 03-05-2019 11:27

    I see that the authentication order is missing in your access profile config. Did you try after adding it?

    set access profile ad01-cg-radius authentication-order radius


    Is your RADIUS server reachable via the routing-instance or via inet.0 (global routing table)?

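    As an added example (not part of this thread, and not the answerer's or Juniper's own text), here are the two changes that the answer above and the follow-up reply describe, written as Junos set/delete commands against the profile name and server address from the question. The authentication-order statement makes the profile consult RADIUS at all; the trace in the question shows authd doing a local lookup instead. Dropping the routing-instance binding on the radius-server entry makes the SRX reach the server through inet.0, which is what the original poster reports worked. The commented-out password fallback is an assumption about a sensible default, not something the thread recommends.

    ```junos
    ## Added example: changes discussed in this thread, entered in configuration mode.
    ## Profile name and server address are taken from the question.

    ## 1. Make the profile consult RADIUS. Without authentication-order the
    ##    trace in the question shows authd attempting a local lookup instead.
    set access profile ad01-cg-radius authentication-order radius

    ## 2. The RADIUS server is reached via inet.0, not via the VPN routing-instance,
    ##    so remove the routing-instance binding on the radius-server entry.
    delete access profile ad01-cg-radius radius-server 10.1.10.40 routing-instance

    ## Optional (assumption, not from the thread): keep local passwords as a fallback
    ## so an unreachable RADIUS server does not lock every VPN user out.
    ## set access profile ad01-cg-radius authentication-order [ radius password ]

    ## Review and commit.
    show | compare
    commit check
    commit

    ## Expected shape of the profile afterwards:
    ## profile ad01-cg-radius {
    ##     authentication-order radius;
    ##     address-assignment { pool Corios-VPN; }
    ##     radius { authentication-server 10.1.10.40; accounting-server 10.1.10.40; }
    ##     radius-server {
    ##         10.1.10.40 { port 1812; secret "..."; timeout 15; retry 2; source-address 172.16.101.6; }
    ##     }
    ##     accounting { order radius; accounting-stop-on-failure; accounting-stop-on-access-deny; }
    ## }
    ```

    One check worth doing after the routing-instance line is removed: the source-address 172.16.101.6 now has to be an address the SRX owns in the routing table the request leaves from (inet.0). If that address only exists inside vpn_gateway, the RADIUS request can be sent with a source the server cannot reply to, and the trace will show timeouts rather than the "profile NOT found" message from the question. Re-run the authentication trace after the commit to confirm the profile is found and the RADIUS exchange completes.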



  • 3.  RE: Radius Auth Issues with Dynamic VPN

    Posted 03-05-2019 14:00

    Adding the authentication order statement caused it to attempt to use the profile, and you were right, it should not have been in the routing instance.  Thank you for your help.