Routing

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  Testing new radius server.

    Posted 08-10-2021 15:09
    Trying to test new radius server in a remote data center. Vendor is reporting that they are not seeing the radius packets being received. They can see ICMP and Telnet packets from the source IP of XXX.XXX.XXX.254.

    Using the following commands to test.
    test aaa ppp profile AccessProfile_TestRadius user user password password - No packets received by Vendor
    test access radius-server XXX.XXX.XXX.149 source-address XXX.XXX.XXX.254 authentication-port 1645 secret secret retry 2 timeout 2 user user password password - No packets received by Vendor

    show configuration access
    radius-server {
    XXX.XXX.XXX.233 {
    port 1645;
    accounting-port 1646;
    secret "$9$KUS8-wHkPFnCP5"; ## SECRET-DATA
    timeout 90;
    source-address XXX.XXX.XXX.254;
    }
    XXX.XXX.XXX.9 {
    port 1645;
    accounting-port 1646;
    secret "$9$KUS8-wHkPFnCP5"; ## SECRET-DATA
    source-address XXX.XXX.XXX.254;
    }
    XXX.XXX.XXX.149 {
    port 1645;
    accounting-port 1646;
    secret "$9$pvxIBclbwgGDkvWL7-Voan/CAu1"; ## SECRET-DATA
    timeout 90;
    source-address XXX.XXX.XXX.254;
    }
    }
    profile AccessProfile_general {
    authentication-order radius;
    radius {
    authentication-server [ XXX.XXX.XXX.233 XXX.XXX.XXX.9 ];
    accounting-server [ XXX.XXX.XXX.233 XXX.XXX.XXX.9 ];
    }
    accounting {
    order radius;
    accounting-stop-on-failure;
    accounting-stop-on-access-deny;
    immediate-update;
    update-interval 10;
    statistics time;
    }
    }
    profile AccessProfile_TestRadius {
    authentication-order radius;
    radius {
    authentication-server XXX.XXX.XXX.149;
    accounting-server XXX.XXX.XXX.149;
    }
    accounting {
    order radius;
    accounting-stop-on-failure;
    accounting-stop-on-access-deny;
    immediate-update;
    update-interval 10;
    statistics time;
    }
    }

    Any assistance would greatly be appreciated.


  • 2.  RE: Testing new radius server.

     
    Posted 08-11-2021 05:23
    Hi,

    can you please:

    - use show network-access aaa radius-servers | Broadband Subscriber Sessions User Guide | Juniper Networks TechLibrary to check what the JUNOS radius client subsystem is doing?

    - use monitor traffic | Network Management and Monitoring Guide | Juniper Networks TechLibrary to check if packets are actually leaving the JUNOS device?

    Also I've experienced that when the shared secrets won't match or the source IP JUNOS uses is not added in the radius server as a "client" request although arriving are so silently dropped that one or the other observation would claim "no packets received". So worth double-checcking.

    Regards

    Ulf


  • 3.  RE: Testing new radius server.

     
    Posted 08-11-2021 05:42
    Are you using a protect-re filter on the loopback interface that might need to be expanded to allow this traffic?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: Testing new radius server.

    Posted 08-16-2021 05:30
    You could generate traffic towards the RADIUS server directly from the network device for testing purposes:
    test access radius-server <IP> user <USER> password <OASS> secret <SECRET>​

    If no traffic is getting out, it would be good if you make sure if the local device has a route towards the RADIUS server and/or trace the networking path towards it.

    Elvin