Junos OS


RADIUS Authentication question

  • 1.  RADIUS Authentication question

     
    Posted 07-03-2018 01:21

    Hi

     

    I have configured the Juniper devices as I expect them to be configured for RADIUS authentication. Here is the configuration:

     

    set system radius-server 192.168.10.1 secret "$9$SHyyMXVb2aGiYgi.fzCAIEcyvWX7-w24"
    set system radius-server 192.168.10.1 source-address 195.80.0.13

    set system login user remote full-name "RADIUS Authenticated"
    set system login user remote uid 9999
    set system login user remote class read-only

    set system login user OP uid 2007
    set system login user OP class operator

    set system login user RO uid 2008
    set system login user RO class read-only
    set system login user SU uid 2009
    set system login user SU class super-user

     

    As far as I can make out from the documentation, this is all that should be required. However, I seem to be failing to get any authorisation whatsoever from the RADIUS. So, my question is as follows:

     

    Is the above configuration good? If it is then it is the free RADIUS that needs tweaking.... Just want to check if the config is correct.

     

    Thanks



  • 2.  RE: RADIUS Authentication question
    Best Answer

    Posted 07-03-2018 01:59

    Hi!

     

    You need to define authentication-order as well.

     

    labroot@jtac-mx80-r2003# set system authentication-order ?
    Possible completions:
    [                            Open a set of values
    password              Traditional password authentication
    radius                    Remote Authentication Dial-In User Service
    tacplus                  TACACS+ authentication services
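
An added example, not part of the original posts: a small Python check over `set`-format configuration that reports the gap identified in the answer above (a `radius-server` defined while `authentication-order` does not list `radius`). The function names, the message strings and the sample configuration (the question's lines with the secret replaced by a placeholder) are constructed for illustration.

```python
import shlex

NO_ORDER = "radius-server defined but authentication-order does not include radius"
NO_SERVER = "authentication-order lists radius but no radius-server is defined"
NO_REMOTE = "no 'remote' template user for RADIUS users without a local account"

# Constructed sample: configuration lines from the question, secret replaced.
QUESTION_CONFIG = '''
set system radius-server 192.168.10.1 secret "PLACEHOLDER-SECRET"
set system radius-server 192.168.10.1 source-address 195.80.0.13
set system login user remote full-name "RADIUS Authenticated"
set system login user remote uid 9999
set system login user remote class read-only
'''

def parse(config):
    """Collect RADIUS servers, authentication-order methods and login users."""
    state = {"servers": set(), "order": [], "users": set()}
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "system"] or len(tok) < 4:
            continue
        if tok[2] == "radius-server":
            state["servers"].add(tok[3])
        elif tok[2] == "authentication-order":
            # Accept both "authentication-order radius" and "[ radius password ]".
            state["order"] += [t for t in tok[3:] if t not in ("[", "]")]
        elif tok[2:4] == ["login", "user"] and len(tok) > 4:
            state["users"].add(tok[4])
    return state

def audit(config):
    """Return a list of findings; an empty list means no gap was detected."""
    s = parse(config)
    uses_radius = "radius" in s["order"]
    findings = []
    if s["servers"] and not uses_radius:
        findings.append(NO_ORDER)
    if uses_radius and not s["servers"]:
        findings.append(NO_SERVER)
    if uses_radius and "remote" not in s["users"]:
        findings.append(NO_REMOTE)
    return findings

if __name__ == "__main__":
    for finding in audit(QUESTION_CONFIG):
        print("FINDING:", finding)
```
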



  • 3.  RE: RADIUS Authentication question

     
    Posted 07-03-2018 02:37

    Thanks Amit

     

    Thought there was something I had missed. 

     

    I'm still having an issue with a couple of the systems but I think this is because of the RADIUS configuration for the NAS.

     

    Thanks



  • 4.  RE: RADIUS Authentication question

    Posted 07-03-2018 04:43
    Okay, do let me know if you need any help!!

    Regards,
    Amit


  • 5.  RE: RADIUS Authentication question

     
    Posted 07-03-2018 07:02

    Working on everything except the SRX.

     

    Really weird, I've configured it exactly the same, I've ensured the routing-instance can ping the server and I have also ensured the routes are all there.

     

    It does not even register that it has contacted the RADIUS server, and after the first login prompt failure (it does not say Denied Access) it just goes to the second prompt, which is local authentication.

     

    Anything I'm missing for an SRX?



  • 6.  RE: RADIUS Authentication question

     
    Posted 07-03-2018 08:33

    Is anything required to be enabled on the SRX for AAA to actually function?

     

    When I cleared the RADIUS logs and then logged off and back on again, they were empty.

     

    Thanks



  • 7.  RE: RADIUS Authentication question

     
    Posted 07-03-2018 09:07

    Let's try once more with an overall view of the SRX:

     

    RADIUS connected to: testing-radius Routing-instance

    Source address: Interface in Customer-VR Routing-instance

    Routing is fine between the Customer VR and the testing-radius VR

     

    The Core is also connected to the Customer-VR and that authenticates against RADIUS fine.

     

    Policies allow 1812 through (if they didn't then the Core would also fail).

     

    Configuration is exactly as stated in EVERY piece of Juniper documentation, so all I can figure is that something may need enabling?



  • 8.  RE: RADIUS Authentication question

     
    Posted 07-04-2018 00:51

    I've just realised. This should be in the SRX forum. I'll move the question over there.