SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 12-29-2017 05:59

    Hi all, I'm going mad: I cannot authenticate users on the RADIUS server with Pass-Through authentication on my SRX1400 cluster.

    Below are the configuration and some outputs.

     

    Thanks in advance... if someone can help me!

     

    me@JUNRM01> show configuration access   
    profile PROFILO-RADIUS {
        authentication-order radius;
        radius-server {
            192.168.16.108 {
                secret "xxxxxxxxxxxxxx"; ## SECRET-DATA
                source-address 192.168.2.112;
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile PROFILO-RADIUS;
            http {
                banner {
                    login "PREGO INSERIRE CREDENZIALI DI ACCESSO";
                    success "LOGIN ESEGUITA";
                    fail "NOME UTENTE O PASSWORD ERRATI";
    -------------------------------------------------------------------

    POLICY to be matched

    match {
        source-address PC_MAT_MMARASSI_10.198.1.20;
        destination-address any;
        application [ junos-http junos-http-ext junos-https ];
        source-identity any;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    access-profile PROFILO-RADIUS;
                }
            }
        }
        count;

    sh log radius

    Dec 29 14:43:39.914243 ###################################################################
    Dec 29 14:43:39.914279 ########################### AUTH REQ RCVD #########################
    Dec 29 14:43:39.914314 ###################################################################
    Dec 29 14:43:39.914392 Auth-FSM: Process Auth-Request for session-id:9261371437884501280
    Dec 29 14:43:39.914446 Framework: Starting authentication
    Dec 29 14:43:39.914489 authd_advance_module_for_aaa_request_msg: result:0
    Dec 29 14:43:39.914544 Authd module start
    Dec 29 14:43:39.914582 authd_radius_start_auth: Starting RADIUS authentication
    Dec 29 14:43:39.914696 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=mberardi
    Dec 29 14:43:39.914743 radius-access-request: User-Name added: mberardi
    Dec 29 14:43:39.914780 radius-access-request: User-Password added: ""
    Dec 29 14:43:39.914852 Verify source address c0a80270 (192.168.2.112) in routing instance index=0
    Dec 29 14:43:39.915223 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
    Dec 29 14:43:39.915293 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Dec 29 14:43:39.915346 UserAccess:mberardi session-id:9261371437884501280 state:start
    Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
    Dec 29 14:43:39.993128 authd_advance_module_for_aaa_response_msg: result:3
    Dec 29 14:43:39.993174  authd_auth_update_local_server_address ::Searching access profile PROFILO-RADIUS for local DNS Server
    Dec 29 14:43:39.993236 Auth-FSM: reinterpretFsmEvent 4 to 5
    Dec 29 14:43:39.993284 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
    Dec 29 14:43:39.993324 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371437884501280
    Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
    Dec 29 14:43:39.993429 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Dec 29 14:43:39.993479 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 60
    Dec 29 14:43:39.993574 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 62
    Dec 29 14:43:39.993623 Framework: auth result is 2. Performing post-auth operations
    Dec 29 14:43:39.993661 Framework: result is 2.
    Dec 29 14:43:39.993703 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371437884501280, cookie=44, rply_len=3972, num_tlv_blocks=0
    Dec 29 14:43:39.993790 Delete session:9261371437884501280
    Dec 29 14:43:39.993842 Subscriber session-id:9261371437884501280 not found
    Dec 29 14:43:39.993886 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Dec 29 14:43:39.993934 UserAccess:mberardi session-id:9261371437884501280 state:log-out
    Dec 29 14:43:39.994029 Removing client snapshot
    Dec 29 14:43:39.994197 authd_auth_aaa_msg_destroy
    Dec 29 14:43:39.994253 authd_auth_aaa_msg_destructauth_aaa_msg: 0x1f1106c
    Dec 29 14:43:39.994294 authd_write_conn: response is 0x2d3e05c, total len is 3972 and sent is 0
    Dec 29 14:43:39.994370 authd_write_conn: response is 0x2d3e05c, wrote 3972 bytes
    Dec 29 14:43:40.098675 serviceRadiusRequestQueues Serviced 1 RADIUS requests
    Dec 29 14:43:40.098792 serviceRadiusRequestQueues Queue PROFILO-RADIUS has 0 requests, peak is 0

     

     show network-access aaa radius-servers

     

    Profile: PROFILO-RADIUS
        Server address: 192.168.16.108
          Authentication port: 1812
          Accounting port: 1813
          Status: UP


     



  • 2.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-02-2018 02:58

    These messages seem to indicate either the RADIUS auth failed or is sending back an unknown attribute.

    Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
    Dec 29 14:43:39.993128 authd_advance_module_for_aaa_response_msg: result:3
    Dec 29 14:43:39.993174  authd_auth_update_local_server_address ::Searching access profile PROFILO-RADIUS for local DNS Server
    Dec 29 14:43:39.993236 Auth-FSM: reinterpretFsmEvent 4 to 5
    Dec 29 14:43:39.993284 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
    Dec 29 14:43:39.993324 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371437884501280
    Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
    Dec 29 14:43:39.993429 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124

     

    What does this command show?

    show security firewall-authentication history

     

    What do the logs on the RADIUS server say?

     
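The reply above reads the trace by separating "did the RADIUS server answer" from "did that answer authenticate the user". The script below is an added example, not part of this thread or any Juniper tool: it groups the authd trace by session-id and applies that same distinction mechanically, so a long `show log radius` file can be triaged at a glance. The sample lines are taken from the trace posted in this thread, trimmed to the ones the triage uses; the verdict strings are this example's own wording.

```python
"""Triage a Junos authd trace ('show log radius' with general-authentication-service traceoptions).

Added example, not a Juniper tool.  Per session it records the RADIUS
transport result (did the server reply?), the module result (did the reply
authenticate the user?), the UserAccess outcome and the reply code, then
derives a verdict from the first two.
"""
import re
from collections import OrderedDict

# Lines copied from the trace posted in this thread, trimmed to what the triage reads.
SAMPLE_TRACE = """\
Dec 29 14:43:39.914392 Auth-FSM: Process Auth-Request for session-id:9261371437884501280
Dec 29 14:43:39.914696 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=mberardi
Dec 29 14:43:39.915223 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
Dec 29 14:43:39.915346 UserAccess:mberardi session-id:9261371437884501280 state:start
Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
Dec 29 14:43:39.993703 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371437884501280, cookie=44, rply_len=3972, num_tlv_blocks=0
"""

START_RE = re.compile(r"Process Auth-Request for session-id:(\d+)")
PARAMS_RE = re.compile(r"profile=(\S+), username=(\S+)")
RADIUS_RESULT_RE = re.compile(r"Radius result is (\S+)")
MODULE_RE = re.compile(r"module\((\w+)\) return: (\w+)")
ACCESS_RE = re.compile(r"UserAccess:\S+ session-id:\d+ (access-\S+)")
REPLY_RE = re.compile(r"reply-code=\d+ \((\w+)\)")


def verdict(session: dict) -> str:
    """Turn the two results into the question to ask next (wording is this example's own)."""
    if session["transport"] != "CLIENT_REQ_STATUS_SUCCESS":
        return "no usable answer from the RADIUS server: check reachability, shared secret and source-address"
    if session["module_result"] == "FAILURE":
        return "server answered but the user was not authenticated: check the server's own log and the reply attributes"
    if session["module_result"]:
        return f"module returned {session['module_result']}"
    return "incomplete trace for this session"


def triage(trace: str) -> "OrderedDict[str, dict]":
    """Group trace lines per authd session and summarise each one."""
    sessions: "OrderedDict[str, dict]" = OrderedDict()
    current = None
    for line in trace.splitlines():
        m = START_RE.search(line)
        if m:
            # A new Auth-Request opens a session; later lines without a
            # session-id (e.g. "Radius result is ...") belong to it.
            current = sessions.setdefault(m.group(1), {
                "profile": None, "username": None, "transport": None,
                "module_result": None, "access": None, "reply_code": None,
            })
            continue
        if current is None:
            continue
        m = PARAMS_RE.search(line)
        if m:
            current["profile"], current["username"] = m.groups()
        m = RADIUS_RESULT_RE.search(line)
        if m:
            current["transport"] = m.group(1)
        m = MODULE_RE.search(line)
        if m and m.group(2) != "ASYNC":  # ASYNC only means "request sent, waiting"
            current["module_result"] = m.group(2)
        m = ACCESS_RE.search(line)
        if m:
            current["access"] = m.group(1)
        m = REPLY_RE.search(line)
        if m:
            current["reply_code"] = m.group(1)
    for session in sessions.values():
        session["verdict"] = verdict(session)
    return sessions


if __name__ == "__main__":
    for sid, info in triage(SAMPLE_TRACE).items():
        print(sid, info["username"], info["transport"], info["module_result"], "->", info["verdict"])
```

Run it against the full trace file instead of `SAMPLE_TRACE` to see every session; a session whose transport result is anything other than `CLIENT_REQ_STATUS_SUCCESS` is a connectivity or shared-secret problem, while the pattern in this thread (transport success, module FAILURE, access-denied) means the server replied and the reply itself has to be examined.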



  • 3.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-02-2018 17:56
    Add this to your configuration:
    set access profile PROFILO-RADIUS radius authentication-server 192.168.16.108


  • 4.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-03-2018 01:39


    Hi Steve, the command is "shows sh log radius"

    set system processes general-authentication-service traceoptions file radius

    set system processes general-authentication-service traceoptions flag all

    I'm waiting for the RADIUS log because the customer will be back in the office on 8th Jan.

    I'll let you know!

    Thanks



  • 5.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-08-2018 01:29

    Hi all.

    I tried with "set access profile PROFILO-RADIUS radius authentication-server 192.168.16.108 " but no way.

    Do you have any suggestion? Now I have to collect the RADIUS logs; I'm waiting for the RADIUS manager.

    thanks!

    Here is the "show log radius" output:

     

    Jan  8 09:58:11.173299 ###################################################################
    Jan  8 09:58:11.173335 ########################### AUTH REQ RCVD #########################
    Jan  8 09:58:11.173370 ###################################################################
    Jan  8 09:58:11.173406 Auth-FSM: Process Auth-Request for session-id:9261371476538466586
    Jan  8 09:58:11.173455 Framework: Starting authentication
    Jan  8 09:58:11.173498 authd_advance_module_for_aaa_request_msg: result:0
    Jan  8 09:58:11.173546 Authd module start
    Jan  8 09:58:11.173581 authd_radius_start_auth: Starting RADIUS authentication
    Jan  8 09:58:11.174288 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=telmfalciatori
    Jan  8 09:58:11.174337 radius-access-request: User-Name added: telmfalciatori
    Jan  8 09:58:11.174374 radius-access-request: User-Password added: ""
    Jan  8 09:58:11.174418 authd_create_application_specific_radius_server: Evaluating RADIUS server 0xc0a8106c to add to the server list
    Jan  8 09:58:11.174489 Verify source address c0a80270 (192.168.2.112) in routing instance index=0
    Jan  8 09:58:11.174904 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
    Jan  8 09:58:11.174978 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Jan  8 09:58:11.175035 UserAccess:telmfalciatori session-id:9261371476538466586 state:start
    Jan  8 09:58:11.201883 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Jan  8 09:58:11.201983 Framework - module(radius) return: FAILURE
    Jan  8 09:58:11.202023 authd_advance_module_for_aaa_response_msg: result:3
    Jan  8 09:58:11.202097  authd_auth_update_local_server_address ::Searching access profile PROFILO-RADIUS for local DNS Server
    Jan  8 09:58:11.202160 Auth-FSM: reinterpretFsmEvent 4 to 5
    Jan  8 09:58:11.202208 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
    Jan  8 09:58:11.202249 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371476538466586
    Jan  8 09:58:11.202297 UserAccess:telmfalciatori session-id:9261371476538466586 access-denied
    Jan  8 09:58:11.202354 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Jan  8 09:58:11.202405 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 60
    Jan  8 09:58:11.202449 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 62
    Jan  8 09:58:11.202497 Framework: auth result is 2. Performing post-auth operations
    Jan  8 09:58:11.202535 Framework: result is 2.
    Jan  8 09:58:11.202576 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371476538466586, cookie=53, rply_len=3972, num_tlv_blocks=0
    Jan  8 09:58:11.202661 Delete session:9261371476538466586
    Jan  8 09:58:11.202713 Subscriber session-id:9261371476538466586 not found
    Jan  8 09:58:11.202756 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Jan  8 09:58:11.202847 UserAccess:telmfalciatori session-id:9261371476538466586 state:log-out
    Jan  8 09:58:11.202941 Removing client snapshot
    Jan  8 09:58:11.203120 authd_auth_aaa_msg_destroy
    Jan  8 09:58:11.203177 authd_auth_aaa_msg_destructauth_aaa_msg: 0x1f1106c
    Jan  8 09:58:11.203219 authd_write_conn: response is 0x2d3e05c, total len is 3972 and sent is 0
    Jan  8 09:58:11.203294 authd_write_conn: response is 0x2d3e05c, wrote 3972 bytes
    Jan  8 09:58:12.097355 serviceRadiusRequestQueues Serviced 1 RADIUS requests
    Jan  8 09:58:12.097467 serviceRadiusRequestQueues Queue PROFILO-RADIUS has 0 requests, peak is 0
    Jan  8 10:01:12.083981 authd_read_msg: Fresh msg arrival. fd=42, hdr_read=0, hdr_remnant=0, payload_read=0 payload_remnant=0
    Jan  8 10:01:12.084091 fresh message conn=0x2d3e000
    Jan  8 10:01:12.084141 read fresh message conn=0x2d3e000 hdr_remnant=0 hdr_read=32
    Jan  8 10:01:12.084179 Read payload for new message. fd=42, rqst_len=83
    Jan  8 10:01:12.084215 Read payload for new message. fd=42, payload_len=51, rqst_len=83, cookie=54
    Jan  8 10:01:12.084279 Process/Dispatch Client Message



  • 6.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-08-2018 02:44

    The log messages seem to show an issue with the RADIUS server response.

     

    Jan  8 09:58:11.175035 UserAccess:telmfalciatori session-id:9261371476538466586 state:start
    Jan  8 09:58:11.201883 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Jan  8 09:58:11.201983 Framework - module(radius) return: FAILURE

     

    I'm not sure if the request is rejected as incorrect by the server or if the server is returning an invalid attribute on the RADIUS accept. The vendor-specific attribute on an accept should be the user name you want the permissions to map to, so this should be a user configured on the system. This can be a special account or a built-in one.

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/radius-vendor-specific-attributes-juniper-networks.html

    https://www.juniper.net/documentation/en_US/junos/topics/example/radius-template-account-configuring.html

     

    You can do a packet capture of the requests on the SRX to verify from the contents what is being sent by the server.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563

     
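To act on the two suggestions above (check what the server puts in the Access-Accept, and verify it from a capture on the SRX) you need to decode the RADIUS packet. The following is an added example and not part of this thread, of Juniper's code or of any RADIUS library: it builds a constructed Access-Accept in memory, then parses it the way you would parse a packet pulled from the capture, checking the Response Authenticator before trusting any attribute in it and listing the Juniper vendor-specific attributes it carries. The packet layout and authenticator formula are from RFC 2865, the vendor ID 2636 and the VSA names from the Juniper RADIUS dictionary linked above; the shared secret, Request Authenticator, identifier and the local user name "remote" are sample values chosen for this example.

```python
"""Decode a RADIUS response and extract Juniper vendor-specific attributes.

Added example, not from the thread or from Juniper.  Packet format and
Response Authenticator: RFC 2865.  Juniper vendor ID 2636 and VSA names:
Juniper RADIUS dictionary.  Secret, authenticator, identifier and the local
user name are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636
JUNIPER_VSA_NAMES = {
    1: "Juniper-Local-User-Name",
    2: "Juniper-Allow-Commands",
    3: "Juniper-Deny-Commands",
}


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one standard RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def juniper_vsa(vsa_type: int, value: bytes) -> bytes:
    """Encode one Juniper VSA: attribute 26 carrying Vendor-Id plus a vendor TLV."""
    inner = struct.pack("!BB", vsa_type, 2 + len(value)) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + inner)


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: list, secret: bytes) -> bytes:
    """Build a response whose Response Authenticator is valid for the given request."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Decode a response; 'authentic' is False when the Response Authenticator does not verify."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    result = {
        "code": code,
        "identifier": identifier,
        "authentic": hmac.compare_digest(expected, packet[4:20]),
        "attrs": {},     # standard attributes, keyed by type number
        "juniper": {},   # Juniper VSAs, keyed by dictionary name
    }
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == JUNIPER_VENDOR_ID:
                vsa_type, vsa_len = value[4], value[5]
                if 2 <= vsa_len <= len(value) - 4:
                    name = JUNIPER_VSA_NAMES.get(vsa_type, f"Juniper-VSA-{vsa_type}")
                    result["juniper"][name] = value[6:4 + vsa_len].decode("utf-8", "replace")
        else:
            result["attrs"][attr_type] = value
        pos += attr_len
    return result


def _sample_packet():
    """Constructed Access-Accept for the thread's user, carrying a Juniper-Local-User-Name VSA."""
    secret = b"constructed-shared-secret"   # sample value
    request_auth = bytes(range(16))        # sample Request Authenticator from the Access-Request
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, [
        attribute(ATTR_USER_NAME, b"mberardi"),
        juniper_vsa(1, b"remote"),         # hypothetical local template account name
    ], secret)
    return packet, request_auth, secret


def demo() -> dict:
    """Parse the well-formed sample packet."""
    return parse_response(*_sample_packet())


def tampered_demo() -> dict:
    """Flip the last byte in transit: still parses, but 'authentic' must be False."""
    packet, request_auth, secret = _sample_packet()
    packet = packet[:-1] + bytes([packet[-1] ^ 0x01])
    return parse_response(packet, request_auth, secret)


if __name__ == "__main__":
    print(demo())
    print(tampered_demo())
```

With a real capture, feed `parse_response` the UDP payload of the reply together with the 16-byte Request Authenticator from the matching Access-Request (same identifier) and the profile's shared secret. A `code` of 3 means the server rejected the user outright; a `code` of 2 with an empty `juniper` dict means the accept carried no Juniper VSA at all, which is the case the reply above says to look for.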



  • 7.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-10-2018 00:49

    Anyway, now I can connect the SRX to the RADIUS server (Microsoft), but only without any authentication protocol.
    Can you confirm that the SRX cannot establish connections with CHAP?



  • 8.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-10-2018 02:59

    Add MS-CHAP v2 to your RADIUS options.

     

    set system radius-options password-protocol mschap-v2

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-chap.html

     



  • 9.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication
    Best Answer