SRX

Expand all | Collapse all

Server Radius and Srx1400 problem with Pass-Through Authentication

Jump to Best Answer
  • 1.  Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 12-29-2017 05:59

    Hi all, im going to be mad, i cannot authenticate user on radius server with Pass-Through authentication on my SRX1400 cluster.

    Below configuration and some outputs.

     

    Thanks in advance... if someone can help me!

     

    me@JUNRM01> show configuration access   
    profile PROFILO-RADIUS {
        authentication-order radius;
        radius-server {
            192.168.16.108 {
                secret "xxxxxxxxxxxxxx"; ## SECRET-DATA
                source-address 192.168.2.112;
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile PROFILO-RADIUS;
            http {
                banner {
                    login "PREGO INSERIRE CREDENZIALI DI ACCESSO";
                    success "LOGIN ESEGUITA";
                    fail "NOME UTENTE O PASSWORD ERRATI";
    -------------------------------------------------------------------

    POLICY to be matched

    match {
        source-address PC_MAT_MMARASSI_10.198.1.20;
        destination-address any;
        application [ junos-http junos-http-ext junos-https ];
        source-identity any;
    }
    then {
        permit {
               firewall-authentication {
                pass-through {
                    access-profile PROFILO-RADIUS;
                }
            }
        }
        count;
    sh log radius

    Dec 29 14:43:39.914243 ###################################################################
    Dec 29 14:43:39.914279 ########################### AUTH REQ RCVD #########################
    Dec 29 14:43:39.914314 ###################################################################
    Dec 29 14:43:39.914392 Auth-FSM: Process Auth-Request for session-id:9261371437884501280
    Dec 29 14:43:39.914446 Framework: Starting authentication
    Dec 29 14:43:39.914489 authd_advance_module_for_aaa_request_msg: result:0
    Dec 29 14:43:39.914544 Authd module start
    Dec 29 14:43:39.914582 authd_radius_start_auth: Starting RADIUS authentication
    Dec 29 14:43:39.914696 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=mberardi
    Dec 29 14:43:39.914743 radius-access-request: User-Name added: mberardi
    Dec 29 14:43:39.914780 radius-access-request: User-Password added: ""
    Dec 29 14:43:39.914852 Verify source address c0a80270 (192.168.2.112) in routing instance index=0
    Dec 29 14:43:39.915223 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
    Dec 29 14:43:39.915293 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Dec 29 14:43:39.915346 UserAccess:mberardi session-id:9261371437884501280 state:start
    Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
    Dec 29 14:43:39.993128 authd_advance_module_for_aaa_response_msg: result:3
    Dec 29 14:43:39.993174  authd_auth_update_local_server_address ::Searching access profile PROFILO-RADIUS for local DNS Server
    Dec 29 14:43:39.993236 Auth-FSM: reinterpretFsmEvent 4 to 5
    Dec 29 14:43:39.993284 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
    Dec 29 14:43:39.993324 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371437884501280
    Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
    Dec 29 14:43:39.993429 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Dec 29 14:43:39.993479 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 60
    Dec 29 14:43:39.993574 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 62
    Dec 29 14:43:39.993623 Framework: auth result is 2. Performing post-auth operations
    Dec 29 14:43:39.993661 Framework: result is 2.
    Dec 29 14:43:39.993703 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371437884501280, cookie=44, rply_len=3972, num_tlv_blocks=0
    Dec 29 14:43:39.993790 Delete session:9261371437884501280
    Dec 29 14:43:39.993842 Subscriber session-id:9261371437884501280 not found
    Dec 29 14:43:39.993886 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Dec 29 14:43:39.993934 UserAccess:mberardi session-id:9261371437884501280 state:log-out
    Dec 29 14:43:39.994029 Removing client snapshot
    Dec 29 14:43:39.994197 authd_auth_aaa_msg_destroy
    Dec 29 14:43:39.994253 authd_auth_aaa_msg_destructauth_aaa_msg: 0x1f1106c
    Dec 29 14:43:39.994294 authd_write_conn: response is 0x2d3e05c, total len is 3972 and sent is 0
    Dec 29 14:43:39.994370 authd_write_conn: response is 0x2d3e05c, wrote 3972 bytes
    Dec 29 14:43:40.098675 serviceRadiusRequestQueues Serviced 1 RADIUS requests
    Dec 29 14:43:40.098792 serviceRadiusRequestQueues Queue PROFILO-RADIUS has 0 requests, peak is 0

     

     show network-access aaa radius-servers

     

    Profile: PROFILO-RADIUS
        Server address: 192.168.16.108
          Authentication port: 1812
          Accounting port: 1813
          Status: UP


     



  • 2.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

     
    Posted 01-02-2018 02:58

    These messages seem to indicate either the RADIUS auth failed or is sending back an unknown attribute.

    Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
    Dec 29 14:43:39.993128 authd_advance_module_for_aaa_response_msg: result:3
    Dec 29 14:43:39.993174 authd_auth_update_local_server_address :Smiley Frustratedearching access profile PROFILO-RADIUS for local DNS Server
    Dec 29 14:43:39.993236 Auth-FSM: reinterpretFsmEvent 4 to 5
    Dec 29 14:43:39.993284 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
    Dec 29 14:43:39.993324 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371437884501280
    Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
    Dec 29 14:43:39.993429 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124

     

    What does this commnad show?

    show security firewall-authentication history

     

    What do the logs on the RADIUS server say?

     



  • 3.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-02-2018 17:56
    Add this to your configuration;
    set access profile PROFILO-RADIUS radius authentication-server 192.168.16.108


  • 4.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-03-2018 01:39


    Hi Steve, the command is "shows sh log radius"

    set system processes general-authentication-service traceoptions file radius

    set system processes general-authentication-service traceoptions flag all

    Im waiting for radius log because the customer will be back to the office, at 8th Jan.

    I'll let you know.!

    Thanks



  • 5.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-08-2018 01:29

    Hi all.

    I tried with "set access profile PROFILO-RADIUS radius authentication-server 192.168.16.108 " but no way.

    Have you any suggestion? Now i have to collct radius logs, im waiting for radius manager.

    thanks!

    Here the "show log radius"

     

    Jan  8 09:58:11.173299 ###################################################################
    Jan  8 09:58:11.173335 ########################### AUTH REQ RCVD #########################
    Jan  8 09:58:11.173370 ###################################################################
    Jan  8 09:58:11.173406 Auth-FSM: Process Auth-Request for session-id:9261371476538466586
    Jan  8 09:58:11.173455 Framework: Starting authentication
    Jan  8 09:58:11.173498 authd_advance_module_for_aaa_request_msg: result:0
    Jan  8 09:58:11.173546 Authd module start
    Jan  8 09:58:11.173581 authd_radius_start_auth: Starting RADIUS authentication
    Jan  8 09:58:11.174288 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=telmfalciatori
    Jan  8 09:58:11.174337 radius-access-request: User-Name added: telmfalciatori
    Jan  8 09:58:11.174374 radius-access-request: User-Password added: ""
    Jan  8 09:58:11.174418 authd_create_application_specific_radius_server: Evaluating RADIUS server 0xc0a8106c to add to the server list
    Jan  8 09:58:11.174489 Verify source address c0a80270 (192.168.2.112) in routing instance index=0
    Jan  8 09:58:11.174904 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
    Jan  8 09:58:11.174978 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Jan  8 09:58:11.175035 UserAccess:telmfalciatori session-id:9261371476538466586 state:start
    Jan  8 09:58:11.201883 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Jan  8 09:58:11.201983 Framework - module(radius) return: FAILURE
    Jan  8 09:58:11.202023 authd_advance_module_for_aaa_response_msg: result:3
    Jan  8 09:58:11.202097  authd_auth_update_local_server_address ::Searching access profile PROFILO-RADIUS for local DNS Server
    Jan  8 09:58:11.202160 Auth-FSM: reinterpretFsmEvent 4 to 5
    Jan  8 09:58:11.202208 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
    Jan  8 09:58:11.202249 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371476538466586
    Jan  8 09:58:11.202297 UserAccess:telmfalciatori session-id:9261371476538466586 access-denied
    Jan  8 09:58:11.202354 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Jan  8 09:58:11.202405 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 60
    Jan  8 09:58:11.202449 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 62
    Jan  8 09:58:11.202497 Framework: auth result is 2. Performing post-auth operations
    Jan  8 09:58:11.202535 Framework: result is 2.
    Jan  8 09:58:11.202576 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371476538466586, cookie=53, rply_len=3972, num_tlv_blocks=0
    Jan  8 09:58:11.202661 Delete session:9261371476538466586
    Jan  8 09:58:11.202713 Subscriber session-id:9261371476538466586 not found
    Jan  8 09:58:11.202756 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
    Jan  8 09:58:11.202847 UserAccess:telmfalciatori session-id:9261371476538466586 state:log-out
    Jan  8 09:58:11.202941 Removing client snapshot
    Jan  8 09:58:11.203120 authd_auth_aaa_msg_destroy
    Jan  8 09:58:11.203177 authd_auth_aaa_msg_destructauth_aaa_msg: 0x1f1106c
    Jan  8 09:58:11.203219 authd_write_conn: response is 0x2d3e05c, total len is 3972 and sent is 0
    Jan  8 09:58:11.203294 authd_write_conn: response is 0x2d3e05c, wrote 3972 bytes
    Jan  8 09:58:12.097355 serviceRadiusRequestQueues Serviced 1 RADIUS requests
    Jan  8 09:58:12.097467 serviceRadiusRequestQueues Queue PROFILO-RADIUS has 0 requests, peak is 0
    Jan  8 10:01:12.083981 authd_read_msg: Fresh msg arrival. fd=42, hdr_read=0, hdr_remnant=0, payload_read=0 payload_remnant=0
    Jan  8 10:01:12.084091 fresh message conn=0x2d3e000
    Jan  8 10:01:12.084141 read fresh message conn=0x2d3e000 hdr_remnant=0 hdr_read=32
    Jan  8 10:01:12.084179 Read payload for new message. fd=42, rqst_len=83
    Jan  8 10:01:12.084215 Read payload for new message. fd=42, payload_len=51, rqst_len=83, cookie=54
    Jan  8 10:01:12.084279 Process/Dispatch Client Message



  • 6.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

     
    Posted 01-08-2018 02:44

    The log messages seem to show a issue with the RADIUS server response. 

     

    Jan  8 09:58:11.175035 UserAccess:telmfalciatori session-id:9261371476538466586 state:start
    Jan  8 09:58:11.201883 Radius result is CLIENT_REQ_STATUS_SUCCESS
    Jan  8 09:58:11.201983 Framework - module(radius) return: FAILURE

     

    I'm not sure if the request is rejected as incorrect by the server or if the server is returning an invalid attribute on the RADIUS accept.  The vendor specific attribute on an accept should be the user name you want the permissions to map to.  so this should be a user configured on the system.  This can be a special account or a built in one.

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/radius-vendor-specific-attributes-juniper-networks.html

    https://www.juniper.net/documentation/en_US/junos/topics/example/radius-template-account-configuring.html

     

    You can do a packet capture of the requests on the SRX to verify from the contents what is being sent by the server.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563

     



  • 7.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

    Posted 01-10-2018 00:49

    Anyway now i can connect SRX to Radius Server (Microsoft) but only without any authentication protocol.
    Can you confirm that SRX cannot establish connections with CHAP ?



  • 8.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication

     
    Posted 01-10-2018 02:59

    Add ms chap v2 to your radius options.

     

    set system radius-options password-protocol mschap-v2

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-chap.html

     



  • 9.  RE: Server Radius and Srx1400 problem with Pass-Through Authentication
    Best Answer

    Posted 01-16-2018 03:29