I have configured the Juniper devices as I expect them to ne configured for RADIUS authentication. Here is the configuration:
set system radius-server 192.168.10.1 secret "$9$SHyyMXVb2aGiYgi.fzCAIEcyvWX7-w24"set system radius-server 192.168.10.1 source-address 220.127.116.11
set system login user remote full-name "RADIUS Authenticated"set system login user remote uid 9999set system login user remote class read-only
set system login user OP uid 2007set system login user OP class operator
set system login user RO uid 2008set system login user RO class read-onlyset system login user SU uid 2009set system login user SU class super-user
As far as I can make out from the documentation, this is all that should be required. However, I seem to be failing to get any authorisaiton whasoever from the RADIUS. So, my question is as follows:
Is the above configuration good? If it is then it is the free RADIUS that needs tweaking.... Just want to check if the config is correct.
You need to define authentication-order as well..
labroot@jtac-mx80-r2003# set system authentication-order ?Possible completions: [ Open a set of values password Traditional password authentication radius Remote Authentication Dial-In User Service tacplus TACACS+ authentication services
Thought there was something I had missed.
I'm still having an issue with a couple of the systems but I think this is because of the RADIUS configuration for the NAS.
Working on everything except the SRX.
Really weird, I've configured it exactly the same, I've ensured the routing-instance can ping the server and I have also ensured the routes are all there.
It does not even register that it has contacted the radius server and after the first login prompt failure (it does not say Denied Access). It just goes to second prompt which is local authentication.
Anything I'm missing for an SRX?
Is anything required to be enabled on the SRX for AAA to actually function?
When I clearred the RADIUS logs and then logged off and back on again, they were empty.
Let's try once more with an overall view of the SRX:
RADIUS connected to: testing-radius Routing-instance
Source address: Interface in Customer-VR Routing-instance
Routing is fine between the Customer VR and the testing-radius VR
The Core is also connected to the Customer-VR and that authenticates against RADIUS fine.
Policies allow 1812 through (if they didn't then the Core would also fail).
Configuration is exactly as stated in EVERY piece of Juniper documentation, so all I can figure is that something may need enabling?
I've just realised. This should be in the SRX forum. I'll move the question over there.