Juniper Secure Connect & Radius Authentication


    Posted 06-28-2022 13:49
    We are trying to get Radius authentication to work with a client's Juniper Secure Connect setup on an SRX 320, but we are running into repeated authentication issues.

    When I monitor the traffic on the interface facing the Radius server during these authentication attempts, I'm seeing the following:

    1) The Juniper sends an authentication request to the Radius server

    11:06:49.683847 Out IP (tos 0x0, ttl 64, id 13260, offset 0, flags [none], proto: UDP (17), length: 93) 192.168.1.1.56377 > <Radius Server IP>.radius: RADIUS, length: 65
    Access Request (1), id: 0x6c, Authenticator: <removed>
    Username Attribute (1), length: 7, Value: userName
    Password Attribute (2), length: 18, Value:
    NAS ID Attribute (32), length: 14, Value: <Router Host Name>
    NAS Port Type Attribute (61), length: 6, Value: Ethernet

    2) The Radius server replies with an Access Accept. (The Reply Attribute returned is 'User bypassed' as the client is currently bypassing multi-factor authentication for this user specifically.)

    11:06:50.455297 In IP (tos 0x0, ttl 128, id 4540, offset 0, flags [none], proto: UDP (17), length: 64) <Radius Server IP>.radius > 192.168.1.1.56377: RADIUS, length: 36
    Access Accept (2), id: 0x6c, Authenticator: <removed>
    Reply Attribute (18), length: 16, Value: User bypassed.

    3) Instead of accepting the Access Accept response and letting the VPN user online, the Juniper resends the authentication request to the Radius server once more.

    11:06:51.355884 Out IP (tos 0x0, ttl 64, id 13323, offset 0, flags [none], proto: UDP (17), length: 93) 192.168.1.1.56377 > <Radius Server IP>.radius: RADIUS, length: 65
    Access Request (1), id: 0x6d, Authenticator: <removed>
    Username Attribute (1), length: 7, Value: userName
    Password Attribute (2), length: 18, Value:
    NAS ID Attribute (32), length: 14, Value: <Router Host Name>
    NAS Port Type Attribute (61), length: 6, Value: Ethernet

    4) Upon receiving this additional response, the Radius server responds with an Access Reject, with the Reply Attribute of "Response was just sent to you. Please wait 3 seconds and try again."

    11:06:51.380116 In IP (tos 0x0, ttl 128, id 4541, offset 0, flags [none], proto: UDP (17), length: 117) <Radius Server IP>.radius > 192.168.1.1.56377: RADIUS, length: 89
    Access Reject (3), id: 0x6d, Authenticator: <removed>
    Reply Attribute (18), length: 69, Value: Response was just sent to you. Please wait 3 seconds and try again.

    5) At this point, the conversation between the Juniper and the Radius server ceases, and the Juniper Secure Connect application returns the following error:

    PAP/CHAP error. Wrong User ID or password (VPN).

    Using this same configuration with an offsite Radius server (different type - very basic), I am able to get this to work without issue. But what I'm seeing when trying to incorporate the client's Radius server is bothering me. Why is the Juniper ignoring the first Access-Accept, and then resending the authentication request?

    Logically, I'd expect it to let the VPN user online as soon as it receives an Access Accept from the Radius server.

    ------------------------------
    SERVICE OPERATIONS SUPPORT
    ------------------------------
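The exchange in the capture above, as an added Python example that is not part of the original post or of Junos: it builds the Access-Request/Access-Accept pair with the attributes seen in the capture and implements the two RFC 2865 checks a NAS performs before honouring a reply (matching Identifier and a valid Response Authenticator); a reply that fails either check is dropped silently, after which a client re-authenticates with a fresh Identifier, as the 0x6c then 0x6d sequence shows. The shared secret, host name, password and authenticators are constructed values, since the post does not give them.

```python
import hashlib, hmac, os, struct

# Constructed values; the post's real secret, addresses and authenticators are not known.
SECRET = b"constructed-secret"
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 2, 18, 32, 61  # RFC 2865
ETHERNET = 15  # NAS-Port-Type value shown in the capture

def attr(kind, value):
    # One attribute: Type, Length (header included), Value
    return bytes([kind, len(value) + 2]) + value

def pap_password(password, req_auth, secret):
    # RFC 2865 §5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def packet(code, ident, authenticator, attrs):
    # Code, Identifier, Length, 16-byte Authenticator, attributes
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def access_request(ident, secret, user=b"userName", password=b"pw"):
    # Access-Request (code 1) as the NAS sends it; returns the packet and its Request Authenticator
    req_auth = os.urandom(16)
    attrs = [attr(USER_NAME, user), attr(USER_PASSWORD, pap_password(password, req_auth, secret)),
             attr(NAS_IDENTIFIER, b"srx-hostname"), attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))]
    return packet(1, ident, req_auth, attrs), req_auth

def response_authenticator(code, ident, attrs_bytes, req_auth, secret):
    # RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()

def access_accept(ident, req_auth, secret, message=b"User bypassed."):
    # Access-Accept (code 2) carrying a Reply-Message, as the server answered
    attrs = attr(REPLY_MESSAGE, message)
    return packet(2, ident, response_authenticator(2, ident, attrs, req_auth, secret), [attrs])

def nas_accepts(reply, ident, req_auth, secret):
    # A NAS honours a reply only if its Identifier matches the outstanding request and the
    # Response Authenticator verifies; otherwise it drops it silently and later re-authenticates.
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = response_authenticator(code, rid, reply[20:], req_auth, secret)
    return code == 2 and hmac.compare_digest(reply[4:20], expected)
```

The constructed Access-Accept is 36 bytes with a 16-byte Reply-Message attribute, the same sizes the capture reports, so the verification can be compared against a real reply decoded from a NAS-side capture with the correct secret.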