SRX

RADIUS Not Authenticating

  • 1.  RADIUS Not Authenticating

    Posted 07-04-2018 00:59

    Hi,

    I am trying to get RADIUS centralised administration working on the SRX1500s we have and it just will not work.

    Set up:

    RADIUS (radius VR) --- SRX --- Customer VR ---- Core router

    So, the Core router authenticates fine with no issues.

    It uses the same route to get to the RADIUS that the SRX uses. I am using the Customer-VR interface as the source address and the correct shared password. All the routing is fine or the Core would not work.

    Here is my configuration on the SRX:

    set system authentication-order radius
    set system authentication-order password

    set system radius-server 192.168.100.1 secret "$9$-Gd2aji.5z6qm6Au1yrLxNdYgaZUH.P"
    set system radius-server 192.168.100.1 retry 3
    set system radius-server 192.168.100.1 source-address 192.168.200.1

    set system login user remote full-name "RADIUS Authenticated"
    set system login user remote uid 9999
    set system login user remote class read-only

    set system login user RO uid 2008
    set system login user RO class read-only
    set system login user SU uid 2009
    set system login user SU class super-user

    set system login user OP uid 2007
    set system login user OP class operator

    The RADIUS has been configured correctly too or I would not be able to log on to other systems using it.

    When I run traceoptions the file is empty, so it is almost like the SRX is not even attempting to contact the RADIUS server.

    There must be something on the SRX that needs enabling for this to work. Could someone help please.

    Thanks



  • 2.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 01:07


  • 3.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 01:26

    Hi Rahul,

    Absolutely no luck at all.

    The radius log is empty.

    As I mentioned, it is like the SRX is not even sending any requests to the RADIUS server. The core is connected to AE1 and that is the source address I am using for the SRX. So, if the core works then the SRX should. Routing is okay, ping and traceroute are fine.


  • 4.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 01:42

    Can you try connecting via the default routing instance instead of a custom VR? This will help to isolate whether it is a limitation with VRs.



  • 5.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 01:44

    Also, do you have a route for 192.168.100.1 in your default routing-instance?
    Can you share the output of "show route 192.168.100.1"?


  • 6.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 01:49

    Hi Suraj,

    I used the loopback interface but I get the same result. It is like it is not even checking the RADIUS.

    I don't have an inet.0 routing table as we are using all VRs. So, the default route will show as "No route to host"... maybe this is an issue.... but it should work through the VRs.

    If I just run a "show route 192.168.100.1" command without choosing a VR I actually get the correct routes via the correct VRs as shown:

    Clive@THW-SRX-01# run show route 192.168.100.1

    Customer-VR.inet.0: 50 destinations, 50 routes (50 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.100.0/30 *[IS-IS/15] 5w6d 18:12:16, metric 20
    > to 192.168.100.48 via lt-0/0/0.2

    ninegroup-radius.inet.0: 44 destinations, 44 routes (44 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.100.0/30 *[Direct/0] 5w6d 18:12:17
    > via ge-0/0/2.0

    Thanks



  • 7.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 02:12

    These requests are generated from inet.0, so you must have an interface in inet.0. Please create a loopback interface in inet.0 and then try.

    In addition to your existing config, try adding the config below (use any unused lo0 unit and any free address in place of the placeholder):

    set interfaces lo0 unit 1 family inet address <any-unused-address>/32
    set routing-options static route 192.168.100.1/32 next-table Customer-VR.inet.0
    commit


  • 8.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 02:23

    This is not possible on an SRX1500.

    I have lo0 unit 0 already configured and have tried this, as the routes exist in the routing tables.

    The problem with configuring an SRX with more than one loopback interface is that you have to configure said interface under a VR first or it does not accept the configuration, as shown below:

    [edit interfaces lo0]
    'unit 1'
    if_instance: Multiple loopback interfaces not permitted in master routing instance
    error: configuration check-out failed

    So, I have already tried with loopback 0 and I get the same result. Absolutely nothing.



  • 9.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 02:50

    Ok, when you have lo0.0 as part of inet.0, you don't need any additional interface. Do you have the static route pointing to the VR?


  • 10.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 03:05

    Okay Suraj. We are getting there now.

    There is no route back to the lo0 interface. However, when installing the route into the routing table I still get the following on the radius VR:

    set routing-options static route 192.168.100.1/32 next-table Customer-VR.inet.0

    ninegroup-radius.inet.0: 44 destinations, 44 routes (44 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[IS-IS/160] 4d 19:20:17, metric 20
    > to 192.168.200.49 via lt-0/0/0.1

    Then this route obviously goes nowhere.... on purpose.



  • 11.  RE: RADIUS Not Authenticating
    Best Answer

    Posted 07-04-2018 03:16

    Try adding the config below; this is to get the lo0 route into the custom VR.

    set routing-options interface-routes rib-group inet lo0-VR
    set routing-options rib-groups lo0-VR import-rib inet.0
    set routing-options rib-groups lo0-VR import-rib Customer-VR.inet.0
    commit

    Please make sure you change the VR name accordingly – I am not sure "Customer-VR" is the correct VR name.


  • 12.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 03:46

    Sorry. Did not work.

    I can choose any of the VRs and it will put the route into that particular VR, but it places it in as a direct route to lo0. This won't work, I don't think, as we use VRs and Logical Tunnels between the VRs. I cannot ping the loopback from the VR I have placed the route in. That could be because all the policies that are in place do not reference inet.0.

    Here's the output:

    ninegroup-radius.inet.0: 45 destinations, 45 routes (45 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.50.1/32 *[Direct/0] 00:00:03
    > via lo0.0

    And the ping result:

    Clive@THW-SRX-01# run ping 195.80.0.3 routing-instance ninegroup-radius
    PING 192.168.50.1 (192.168.50.1): 56 data bytes
    ^C
    --- 192.168.50.1 ping statistics ---
    8 packets transmitted, 0 packets received, 100% packet loss



  • 13.  RE: RADIUS Not Authenticating

    Posted 07-04-2018 09:31

    As an add-on piece of help for solving this issue, I am surprised the loopback is not advertised dynamically. Maybe it works differently on the SRX because of the VRs.

    So, I have lo0 configured and it is in the "inet.0" routing table. It also has a NET address for ISIS associated.

    It is also configured under ISIS, as per below:

    set protocols isis interface lo0.0

    So, why do I not see this route in any other routing table, and nor do I see this lo0 address anywhere else on the network? I can see all other loopback addresses from other systems except this one.

    I have tried every scenario to get a route back to this interface but it constantly comes up with a default of 0.0.0.0/0 in every routing table except inet.0.



  • 14.  RE: RADIUS Not Authenticating

    Posted 07-05-2018 02:31

    After much trial and error, I have finally got this working.

    I could always get the route into the VR for the lo0 interface (inet.0 rib into the VR rib), but the issue I was having was getting the RADIUS route into the inet.0 rib. This is the configuration I used to solve the issue:

    The test-radius routing-instance contains the interface connected to the RADIUS server.

    How to get the route from the inet.0 rib to the test-radius rib:

    set routing-options interface-routes rib-group inet lo0-VR
    set routing-options rib-groups lo0-VR import-rib inet.0
    set routing-options rib-groups lo0-VR import-rib test-radius.inet.0

    How to get the RADIUS server route from the test-radius rib to inet.0:

    set routing-instances test-radius routing-options interface-routes rib-group inet lo0-VR

    I have tested and this configuration works perfectly. I can now authenticate for device logon via the RADIUS.
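The thread's lesson is that the SRX sources RADIUS requests from inet.0, so inet.0 must hold a route to the server and the VR facing the server must hold a route back to the source address. The following is an added pre-commit check (not code from the thread or from Juniper) that reads a set-format config and reports either gap; its sample config is constructed from the final working configuration above, with the ge-0/0/2 address and the instance-type line being assumptions.

```python
import ipaddress

# Constructed set-format sample modelled on the thread's final working config
# (the ge-0/0/2 address and the instance-type line are assumptions).
WORKING = """
set system radius-server 192.168.100.1 source-address 192.168.50.1
set interfaces lo0 unit 0 family inet address 192.168.50.1/32
set interfaces ge-0/0/2 unit 0 family inet address 192.168.100.2/30
set routing-instances test-radius instance-type virtual-router
set routing-instances test-radius interface ge-0/0/2.0
set routing-options interface-routes rib-group inet lo0-VR
set routing-options rib-groups lo0-VR import-rib inet.0
set routing-options rib-groups lo0-VR import-rib test-radius.inet.0
set routing-instances test-radius routing-options interface-routes rib-group inet lo0-VR
""".strip().splitlines()
def parse(lines):
    """Collect addresses, VR membership and rib-group leaking from set-format lines."""
    cfg = {"radius": [], "addr": {}, "vr_of": {}, "rib": {}, "ifr": {}}
    for w in (l.split() for l in lines):
        if w[1:3] == ["system", "radius-server"] and "source-address" in w:
            cfg["radius"].append((w[3], w[w.index("source-address") + 1]))
        elif w[1] == "interfaces" and "address" in w:      # interfaces X unit N ... address A/len
            cfg["addr"][f"{w[2]}.{w[4]}"] = ipaddress.ip_interface(w[w.index("address") + 1])
        elif w[1] == "routing-instances" and w[3:4] == ["interface"]:
            cfg["vr_of"][w[4]] = w[2]                      # IFL -> routing instance
        elif w[1:3] == ["routing-options", "rib-groups"]:
            cfg["rib"].setdefault(w[3], set()).add(w[5])   # rib-group -> tables it imports into
        elif "interface-routes" in w and "rib-group" in w: # table whose interface routes use a rib-group
            cfg["ifr"]["inet.0" if w[1] == "routing-options" else f"{w[2]}.inet.0"] = w[-1]
    return cfg
def table_of(cfg, ifl):                                    # IFL -> routing table it belongs to
    return f"{cfg['vr_of'][ifl]}.inet.0" if ifl in cfg["vr_of"] else "inet.0"
def leaked(cfg, src_table, dst_table):                     # do src_table's interface routes land in dst_table?
    return dst_table in cfg["rib"].get(cfg["ifr"].get(src_table), set())
def check(lines):
    """Return the reasons a RADIUS server would be unreachable from the master instance."""
    cfg, findings = parse(lines), []
    for server, src in cfg["radius"]:
        server_ip, src_ip = ipaddress.ip_address(server), ipaddress.ip_address(src)
        src_ifl = next((i for i, a in cfg["addr"].items() if a.ip == src_ip), None)
        srv_ifl = next((i for i, a in cfg["addr"].items() if server_ip in a.network), None)
        if src_ifl is None or srv_ifl is None:
            findings.append(f"{server}: source {src} or the server is on no configured interface")
            continue
        src_t, srv_t = table_of(cfg, src_ifl), table_of(cfg, srv_ifl)
        if srv_t != "inet.0" and not leaked(cfg, srv_t, "inet.0"):  # requests come from inet.0
            findings.append(f"{server}: server route is in {srv_t} but not leaked into inet.0")
        if src_t != srv_t and not leaked(cfg, src_t, srv_t):        # reply needs a route back
            findings.append(f"{server}: source {src} ({src_t}) has no return route in {srv_t}")
    return findings
```

Dropping the rib-group lines from the sample reproduces the original symptom (no request ever leaves the box), and the check reports both missing leaks.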