SRX Services Gateway

Radius authentication for management access (J-Web)

‎02-08-2013 03:38 AM

Okay, so next question.

We need to control management access to the 240s via RADIUS; the following config is on the 240.

 

system {
    /* authentication-order (e.g. [ radius password ]) must also be set for RADIUS
       to be consulted; it was not included in the pasted snippet. */
    radius-server {
        172.xx.x.xx {
            port 1812;
            accounting-port 1813;
            secret "$9$hzdrlv-dsgaU-dqf5QCA0O1IhrWLNVs4IEvL7NbwfTQ"; ## SECRET-DATA
            timeout 5;
            retry 3;
        }
    }
    radius-options {
        password-protocol mschap-v2;
    }
    /* The "remote" template lives under [edit system login], not under
       radius-options as it was pasted in the original post; closing braces added. */
    login {
        user remote {
            full-name "default remote access user template";
            uid 2002;
            class super-user;
        }
    }
}

 

and the RADIUS server (MS NPS 6.1 running on Windows 2008 R2):

Constraints - Authentication Methods
    EAP Types: Microsoft: Secured password (EAP-MSCHAP v2)

Settings - RADIUS Attributes
    Standard: Service-Type = Login
    Vendor Specific: Vendor Code 2636, Attribute number 1, Attribute format string, Value "remote"

We can see the request from the 240 hitting the RADIUS (NPS) server but get an "Invalid username or Password supplied" message returned in J-Web.
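An added, offline example (not code from the post, Junos or NPS) of what is on the wire for this setup: how the SRX obfuscates User-Password with the shared secret under `password-protocol pap` (RFC 2865 section 5.2), why a shared secret that differs between the SRX and the NPS RADIUS client entry comes back as a wrong password rather than an explicit error, and how the NPS vendor-specific attribute 2636/1 with value "remote" names the [edit system login] template the SRX applies. The user name, password, shared secret and addresses are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept for an SRX management login, built offline.
Added example, not code from the thread, Junos or NPS; all credentials are constructed."""
import hashlib
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_LOGIN = 1
JUNIPER_VENDOR_ID = 2636           # Juniper enterprise number, "Vendor Code 2636" in the NPS policy
JUNIPER_LOCAL_USER_NAME = 1        # vendor-type 1: name of the local login template


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Decode the attribute list that follows the 20-byte packet header."""
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, so a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request as the SRX sends it for a J-Web/CLI login with password-protocol pap."""
    authenticator = authenticator or os.urandom(16)   # fresh Request Authenticator per request
    body = (attr(ATTR_USER_NAME, user.encode())
            + attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
            + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
            + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def server_recover_password(request: bytes, secret: bytes) -> bytes:
    """What NPS obtains after decrypting User-Password with the secret in *its* client entry."""
    attrs = dict(parse_attrs(request[20:]))
    return pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, request[4:20])


def juniper_local_user_vsa(template: str) -> bytes:
    """Vendor-Specific: vendor-id 2636, vendor-type 1, string value (the NPS 'remote' attribute)."""
    inner = struct.pack("!BB", JUNIPER_LOCAL_USER_NAME, len(template) + 2) + template.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + inner)


def build_access_accept(request: bytes, secret: bytes, template: str) -> bytes:
    """Access-Accept with Service-Type=Login and the Juniper VSA; Response Authenticator per RFC 2865 3."""
    body = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) + juniper_local_user_vsa(template)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def local_template_from_accept(accept: bytes) -> Optional[str]:
    """Local user template named by VSA 2636/1, or None (the SRX then falls back to user 'remote')."""
    for atype, value in parse_attrs(accept[20:]):
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!I", value[:4])[0], value[4], value[5]
            if vendor == JUNIPER_VENDOR_ID and vtype == JUNIPER_LOCAL_USER_NAME:
                return value[6:4 + vlen].decode()
    return None


def demo() -> dict:
    secret = b"s3cret-shared"          # constructed; must be identical on the SRX and in the NPS client entry
    req = build_access_request("scott", "Winter2013!", secret, "192.168.1.1")
    accept = build_access_accept(req, secret, "remote")
    return {
        "nps_with_right_secret": server_recover_password(req, secret),
        "nps_with_typo_secret": server_recover_password(req, b"s3cret-sharad"),
        "template_from_vsa": local_template_from_accept(accept),
    }
```

The second key in `demo()` is the case worth checking first when NPS logs a request but rejects it: with a mismatched secret the server decrypts User-Password to random bytes and logs an ordinary bad-password failure, which the SRX relays as "Invalid username or Password supplied".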

Re: Radius authentication for management access (J-Web)

‎02-08-2013 04:55 AM

Change your Authentication Method to PAP/SPAP and it will work.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: Radius authentication for management access (J-Web)

‎02-08-2013 05:33 AM

Hi

 

Have changed NPS (RADIUS) config to PAP/SPAP and it has made no difference.

 

Any other pointers ?


Re: Radius authentication for management access (J-Web)

‎02-08-2013 05:38 AM

What do you see in the event log on the server? NPS logs the authentication result in either the Application or System log. I am assuming you have the correct AD group mapped. Have you tried just using a Service-Type of RADIUS Standard and not the vendor-specific attribute?

Kevin Barker

Re: Radius authentication for management access (J-Web)

‎02-08-2013 06:51 AM

Hi,

 

I have tried just about everything. Windows groups are correct, as it's the same group we use for other device management access.

Constraints: I have removed all but PAP/SPAP, added all options.

RADIUS Attributes: I have deleted Vendor Specific, tried Service-Type Login and so forth.

 

I can see my requests hitting the NPS as it creates entries in the log.


Re: Radius authentication for management access (J-Web)

‎02-08-2013 07:07 AM

I have this up and running with no problems. I am in the field today so I don't have inside access to my boxes. If you don't get it fixed feel free to send me a private message and I can take a good look at my configs when I am in the office over the weekend and let you know exactly how I have it working.

Kevin Barker

Re: Radius authentication for management access (J-Web)

‎02-08-2013 05:03 PM

I did some testing and replicated most of your configuration. I used ms-chapv2, no local user - only the "remote" user defined on the box. Had no issues whatsoever - even tried it with the vendor specific attribute. 

 

NOW! I am NOT a Windows guy - I know just enough to be dangerous. But in looking at how I set this up I have three key entries:

 

1- RADIUS Client - IP address and password - I am sure you have this correct.

2- Connection Request Policy - The standard "use Windows authentication for all users" is controlling my setup. I made sure that MS-CHAPv2 or PAP/SPAP (depending on how I was testing) was defined; otherwise it was standard, no other changes.

3- Network Policy - Defined a new policy, set the condition to map to a specific Windows group. Set constraints, authentication, to map to MS-CHAPv2 or PAP/SPAP (depending on how I was testing). Just used the two standard RADIUS return attributes, and then also added the Juniper vendor code, but it made no difference; I was always successful.

 

The one issue that has tripped me up was making sure that my auth method was in sync between my SRX, the connection request policy and the network policy. 

 

I hope this makes sense / helps - be glad to screen shot my whole setup and send it to you. Let me know.

 

Kevin Barker

Re: Radius authentication for management access (J-Web)

‎02-10-2013 10:57 AM

Hi,

 

I think we are going to scrap using Junipers and revert to our Ciscos; they just work out of the box. I fail to understand why it has to be so hard with the Junipers.

 

Thanks to all (especially Kevin) .

 

 

Scott.

Re: Radius authentication for management access (J-Web)

‎06-19-2013 04:07 PM

Hello Kevin,

 

I've run into the same issue.

 

Would you be so kind as to share your screenshots?

 

Thank you,

Akash


Re: Radius authentication for management access (J-Web)

‎11-19-2014 09:09 AM

Sorry...I know this is an old thread at this point, but I was just working with this last night so I felt compelled to respond.  🙂

 

Junos is a different approach and needs some time to understand the nuances. Once you do, you'll wonder why you loved IOS so much. 🙂

 

In recent versions of Junos, 12.3 and later (perhaps the feature was delivered earlier, I do not know when), there is now an option to force the RADIUS authentication to use MS-CHAPv2 instead of the default PAP authentication. It's a more secure EAP method and is the default mode that Microsoft's IAS RADIUS will support.

 

In order to specify the EAP method:

 

/* "global" is the configuration group the poster used; shown under
   [edit groups] so that the braces balance as pasted. */
groups {
    global {
        system {
            authentication-order [ radius password ];
            radius-server {
                192.168.1.2 {
                    port 1812;
                    accounting-port 1813;
                    /* secret value redacted in the original post */
                    secret ## SECRET-DATA
                    timeout 30;
                    retry 3;
                    source-address 192.168.1.1;
                }
            }
            radius-options {
                password-protocol mschap-v2;
                attributes {
                    nas-ip-address 192.168.1.1;
                }
            }
            login {
                user RO {
                    uid 2004;
                    class read-only;
                }
                user SU {
                    uid 2006;
                    class super-user;
                }
            }
        }
    }
}
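An added example, not code from the thread, Junos or NPS, for the mismatch that runs through this thread and that Kevin's last reply points at (SRX, connection request policy and network policy must agree on the method). Junos `password-protocol mschap-v2` puts the MS-CHAP-Challenge and MS-CHAP2-Response attributes (Microsoft vendor 311, RFC 2548) directly in the Access-Request; there is no EAP envelope. The NPS "EAP Types" list in the first post (EAP-MSCHAP v2) only governs requests that carry EAP-Message (attribute 79); plain MS-CHAPv2 and PAP are enabled by the check boxes below it. Switching NPS to PAP/SPAP while the SRX still sends mschap-v2, which is what the thread shows being tried, is just a different mismatch. The code classifies a request by the attributes it carries and checks it against an allowed-method list; the packet bytes are constructed and contain no real credentials, and the NPS labels are quoted as they appear in the policy UI.

```python
"""Classify a RADIUS Access-Request by the authentication method it carries and
check it against the methods a policy allows. Added example with constructed bytes."""
import struct

ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_VENDOR_SPECIFIC, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 26, 79, 80
MICROSOFT_VENDOR_ID = 311                      # RFC 2548 Microsoft VSAs
MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 11, 25  # vendor-types inside vendor 311

# Method labels as they appear on the Constraints tab of an NPS network policy.
NPS_EAP_MSCHAPV2 = "EAP type: Microsoft: Secured password (EAP-MSCHAP v2)"
NPS_MSCHAPV2 = "Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)"
NPS_PAP = "Unencrypted authentication (PAP, SPAP)"
POLICY_TO_METHOD = {NPS_EAP_MSCHAPV2: "EAP", NPS_MSCHAPV2: "MS-CHAPv2", NPS_PAP: "PAP"}


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor, vtype, value):
    """Vendor-Specific (26) in the RFC 2865 vendor-id / vendor-type / length / value layout."""
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", vendor) + struct.pack("!BB", vtype, len(value) + 2) + value)


def parse_attrs(body):
    out, i = [], 0
    while i < len(body):
        out.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out


def auth_method(body):
    """'EAP', 'MS-CHAPv2', 'PAP' or 'none', in the order a server has to test them."""
    attrs = parse_attrs(body)
    types = {t for t, _ in attrs}
    if ATTR_EAP_MESSAGE in types:
        return "EAP"              # the inner EAP type (e.g. EAP-MSCHAP v2) is negotiated later
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!I", value[:4])[0], value[4]
            if vendor == MICROSOFT_VENDOR_ID and vtype == MS_CHAP2_RESPONSE:
                return "MS-CHAPv2"   # plain RADIUS MS-CHAPv2, no EAP envelope
    if ATTR_USER_PASSWORD in types:
        return "PAP"
    return "none"


def policy_accepts(body, allowed_labels):
    """True if the request's method is one the policy's Constraints allow."""
    return auth_method(body) in {POLICY_TO_METHOD[label] for label in allowed_labels}


# Constructed Access-Request bodies (attributes only; no header, no real credentials).
def srx_pap_body():
    """Junos default (password-protocol pap): User-Password, here a dummy 16-byte cipher block."""
    return attr(ATTR_USER_NAME, b"scott") + attr(ATTR_USER_PASSWORD, b"\x5a" * 16)


def srx_mschapv2_body():
    """Junos password-protocol mschap-v2: MS-CHAP-Challenge + MS-CHAP2-Response.
    MS-CHAP2-Response = Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    response = b"\x01" + b"\x00" + b"\x22" * 16 + b"\x00" * 8 + b"\x33" * 24
    return (attr(ATTR_USER_NAME, b"scott")
            + vsa(MICROSOFT_VENDOR_ID, MS_CHAP_CHALLENGE, b"\x11" * 16)
            + vsa(MICROSOFT_VENDOR_ID, MS_CHAP2_RESPONSE, response))


def eap_identity_body():
    """What an EAP supplicant (not an SRX login) sends first: EAP-Message with Response/Identity."""
    eap = b"\x02\x01" + struct.pack("!H", 5 + len(b"scott")) + b"\x01" + b"scott"
    return (attr(ATTR_USER_NAME, b"scott") + attr(ATTR_EAP_MESSAGE, eap)
            + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))


def thread_scenarios():
    """The combinations tried in the thread, plus the ones that line up."""
    srx_mschap = srx_mschapv2_body()
    return {
        "srx mschap-v2 / NPS EAP-MSCHAP v2 only": policy_accepts(srx_mschap, {NPS_EAP_MSCHAPV2}),
        "srx mschap-v2 / NPS PAP,SPAP only": policy_accepts(srx_mschap, {NPS_PAP}),
        "srx mschap-v2 / NPS MS-CHAP-v2": policy_accepts(srx_mschap, {NPS_MSCHAPV2}),
        "srx pap / NPS PAP,SPAP": policy_accepts(srx_pap_body(), {NPS_PAP}),
        "eap supplicant / NPS EAP-MSCHAP v2": policy_accepts(eap_identity_body(), {NPS_EAP_MSCHAPV2}),
    }
```

Only the last three scenarios line up; the first two are the first post's configuration and the PAP/SPAP retry. The practical check is the same one the code performs: either set `password-protocol mschap-v2` on the SRX and tick MS-CHAP-v2 (not the EAP type) in both NPS policies, or leave the SRX on PAP and tick PAP/SPAP.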
