I am trying to get RADIUS centralised administration working on the SRX1500s we have and it just will not work.
RADIUS (radius VR) --- SRX --- Customer VR ---- Core router
So, the Core router authenticates fine with no issues.
It uses the same route to get to the RADIUS server that the SRX uses. I am using the Customer-VR interface as the source address and the correct shared password. All the routing is fine or the Core would not work.
Here is my configuration on the SRX:
set system authentication-order radius
set system authentication-order password

set system radius-server 192.168.100.1 secret "$9$-Gd2aji.5z6qm6Au1yrLxNdYgaZUH.P"
set system radius-server 192.168.100.1 retry 3
set system radius-server 192.168.100.1 source-address 192.168.200.1

set system login user remote full-name "RADIUS Authenticated"
set system login user remote uid 9999
set system login user remote class read-only

set system login user RO uid 2008
set system login user RO class read-only
set system login user SU uid 2009
set system login user SU class super-user
set system login user OP uid 2007
set system login user OP class operator
The RADIUS has been configured correctly too or I would not be able to logon to other systems using it.
When I run traceoptions the file is empty, so it is almost like the SRX is not even attempting to contact the RADIUS server.
There must be something on the SRX that needs enabling for this to work. Could someone help please.
Below KB not helpful?
Absolutely no luck at all.
The radius log is empty.
As I mentioned, it is like the SRX is not even sending any requests to the RADIUS server. The core is connected to AE1 and that is the source address I am using for the SRX. So, if the core works then the SRX should. Routing is okay; ping and traceroute are fine.
Can you try connecting via the default routing instance instead of a custom VR? This will help to isolate whether it's a limitation with VRs.
I used the loopback interface but I get the same result. It is like it is not even checking the RADIUS.
I don't have an inet.0 routing table as we are using all VRs. So, the default route will show as "No route to host"... maybe this is an issue.... but it should work through the VRs.
If I just run a "show route 192.168.100.1" command without choosing a VR I actually get the correct routes via the correct VRs as shown:
Clive@THW-SRX-01# run show route 192.168.100.1

Customer-VR.inet.0: 50 destinations, 50 routes (50 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.100.0/30   *[IS-IS/15] 5w6d 18:12:16, metric 20
                    > to 192.168.100.48 via lt-0/0/0.2

ninegroup-radius.inet.0: 44 destinations, 44 routes (44 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.100.0/30   *[Direct/0] 5w6d 18:12:17
                    > via ge-0/0/2.0
This is not possible on an SRX1500.
I have lo0 unit 0 already configured and have tried this as the routes exist in the routing tables.
The problem with configuring an SRX with more than one loopback interface is that you have to configure that interface under a VR first or it does not accept the configuration, as shown below:

[edit interfaces lo0]
  'unit 1'
    if_instance: Multiple loopback interfaces not permitted in master routing instance
error: configuration check-out failed
So, I have already tried with loopback 0 and I get the same result. Absolutely nothing.
Okay Suraj. We are getting there now.
There is no route back to the lo0 interface. However, when installing the route into the routing table I still get the following on the radius-VR:
set routing-options static route 192.168.100.1/32 next-table Customer-VR.inet.0
0.0.0.0/0 *[IS-IS/160] 4d 19:20:17, metric 20 > to 192.168.200.49 via lt-0/0/0.1
Then this route obviously goes nowhere... on purpose.
Sorry. Did not work.
I can choose any of the VRs and it will put the route into that particular VR but it places it in as a direct route to lo0. This won't work, I don't think, as we use VRs and Logical Tunnel between the VRs. I cannot ping the loopback from the VR I have placed the route in. That could be because all the policies that are in place do not reference inet.0.
Here's the output:
ninegroup-radius.inet.0: 45 destinations, 45 routes (45 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.50.1/32    *[Direct/0] 00:00:03
                    > via lo0.0
And the ping result:
Clive@THW-SRX-01# run ping 192.168.50.1 routing-instance ninegroup-radius
PING 192.168.50.1 (192.168.50.1): 56 data bytes
^C
--- 192.168.50.1 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
As an add on piece of help for solving this issue, I am surprised the loopback is not advertised dynamically. Maybe it works differently on the SRX because of the VRs.
So, I have lo0 configured and it is in "inet.0" routing table. It also has a NET address for ISIS associated.
It is also configured under ISIS, as per below:
set protocols isis interface lo0.0
So, why do I not see this route in any other routing table, and why do I not see this lo0 address anywhere else on the network? I can see all other loopback addresses from other systems except this one.
I have tried every scenario to get a route back to this interface but it constantly comes up with a default of 0.0.0.0/0 in every routing table except inet.0
After much trial and error, I have finally got this working.
I could always get the route for the lo0 interface into the VR (inet.0 rib into the VR rib), but the issue I was having was getting the RADIUS route into the inet.0 rib. This is the configuration I used to solve the issue:
The test-radius routing instance contains the interface connected to the RADIUS server.
How to get the route from the inet.0 rib to the test-radius rib:
set routing-options interface-routes rib-group inet lo0-VR
set routing-options rib-groups lo0-VR import-rib inet.0
set routing-options rib-groups lo0-VR import-rib test-radius.inet.0
How to get the radius server route from test-radius rib to inet.0
set routing-instances test-radius routing-options interface-routes rib-group inet lo0-VR
I have tested this and the configuration works perfectly. I can now authenticate for device logon via RADIUS.
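A complete version of the two-way route leak this thread ends on, written up here as an added example; it is not the poster's configuration and has not been taken from the SRX in question. It reuses the addresses and names from the thread (lo0.0 192.168.50.1/32 in the master instance, RADIUS server 192.168.100.1 on 192.168.100.0/30 behind ge-0/0/2.0 in routing instance test-radius). Everything else is an assumption chosen for this example: the rib-group names, the policy names, the placeholder secret, and the use of two rib-groups rather than one so that each rib-group's first import-rib is the table the interface routes originate in. The policies use `to rib` matches so that only the two host routes the RADIUS exchange needs cross between the tables and every other interface route stays where it was. The `#` lines are annotations for the reader; drop them before a `load set`.

```junos
# RADIUS traffic is sourced from lo0.0 in the master instance (inet.0),
# so the server must be reachable from inet.0 and lo0 must be reachable
# from the VR that holds the server-facing interface.
set interfaces lo0 unit 0 family inet address 192.168.50.1/32
set system radius-server 192.168.100.1 secret "<shared-secret>"
set system radius-server 192.168.100.1 retry 3
set system radius-server 192.168.100.1 source-address 192.168.50.1
set system authentication-order radius
set system authentication-order password

# The VR that owns the interface towards the RADIUS server.
set routing-instances test-radius instance-type virtual-router
set routing-instances test-radius interface ge-0/0/2.0

# inet.0 -> test-radius.inet.0: leak only the lo0 host route.
# First import-rib is inet.0 because that is where lo0's interface route lives.
set policy-options policy-statement leak-lo0-only term lo0 to rib test-radius.inet.0
set policy-options policy-statement leak-lo0-only term lo0 from route-filter 192.168.50.1/32 exact
set policy-options policy-statement leak-lo0-only term lo0 then accept
set policy-options policy-statement leak-lo0-only term other to rib test-radius.inet.0
set policy-options policy-statement leak-lo0-only term other then reject
set routing-options rib-groups master-to-radius import-rib inet.0
set routing-options rib-groups master-to-radius import-rib test-radius.inet.0
set routing-options rib-groups master-to-radius import-policy leak-lo0-only
set routing-options interface-routes rib-group inet master-to-radius

# test-radius.inet.0 -> inet.0: leak only the server's connected /30.
# First import-rib is test-radius.inet.0 because ge-0/0/2.0 lives there.
set policy-options policy-statement leak-radius-only term radius to rib inet.0
set policy-options policy-statement leak-radius-only term radius from route-filter 192.168.100.0/30 exact
set policy-options policy-statement leak-radius-only term radius then accept
set policy-options policy-statement leak-radius-only term other to rib inet.0
set policy-options policy-statement leak-radius-only term other then reject
set routing-options rib-groups radius-to-master import-rib test-radius.inet.0
set routing-options rib-groups radius-to-master import-rib inet.0
set routing-options rib-groups radius-to-master import-policy leak-radius-only
set routing-instances test-radius routing-options interface-routes rib-group inet radius-to-master
```

To check the leak before testing a login, confirm both directions with `show route table inet.0 192.168.100.1` (expect 192.168.100.0/30 as a Direct route via ge-0/0/2.0) and `show route table test-radius.inet.0 192.168.50.1` (expect the lo0.0 host route), then `ping 192.168.100.1 source 192.168.50.1` from the master instance; this is the ping that failed in the thread before the leak existed. The RADIUS server itself still needs a return route to 192.168.50.1, which the leak does not provide. Two further points a practitioner would want: the `$9$...` secret the poster shared earlier in this thread is Junos' reversible obfuscation rather than a hash, so a pasted configuration discloses the shared secret and it should be rotated; and newer Junos releases accept a `routing-instance` option under `system radius-server`, which on a release that supports it removes the need for the inet.0 leak altogether, so check that first.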