SRX

Radius authentication issue on SRX

  • 1.  Radius authentication issue on SRX

    Posted 07-22-2022 05:45
    Edited by Michael Pappas 07-22-2022 09:24
    Hi everyone,

    I have an issue where I am trying to authenticate an SRX cluster with DUO.

    Authentication with other vendors works flawlessly. I have labbed this process using a vSRX and got it working, but when I tried to implement this in a production environment it doesn't work; the only difference between the lab and prod is the presence of a routing-instance, which was factored into the prod config.

    The SRX lab configuration is as follows:
    set system login user ro uid 2000
    set system login user ro class read-only
    set system login user su uid 2001
    set system login user su class super-user

    set system authentication-order radius
    set system authentication-order password
    set system radius-server 10.44.110.1 port 1812
    set system radius-server 10.44.110.1 secret "ABC"
    set system radius-server 10.44.110.1 source-address 10.44.110.252

    The SRX Prod configuration is as follows:
    set system login user ro uid 2000
    set system login user ro class read-only
    set system login user su uid 2001
    set system login user su class super-user

    set system authentication-order radius
    set system authentication-order password
    set system radius-server 10.10.1.112 routing-instance PROD
    set system radius-server 10.10.1.112 port 1812
    set system radius-server 10.10.1.112 secret "ABC"
    set system radius-server 10.10.1.112 source-address 10.10.1.1


    There is full connectivity between the SRX and the proxy server and AD, as the SRX interface used for authentication is on the same subnet as the Proxy & AD.

    root@SRX01> ping 10.10.1.112 routing-instance PROD
    PING 10.10.1.112 (10.10.1.112): 56 data bytes
    64 bytes from 10.10.1.112: icmp_seq=0 ttl=64 time=0.532 ms
    64 bytes from 10.10.1.112: icmp_seq=1 ttl=64 time=5.492 ms
    64 bytes from 10.10.1.112: icmp_seq=2 ttl=64 time=0.509 ms
    64 bytes from 10.10.1.112: icmp_seq=3 ttl=64 time=0.461 ms
    64 bytes from 10.10.1.112: icmp_seq=4 ttl=64 time=0.506 ms

    I see no entry in the proxy server log for the SRX. When looking at the logs on the SRX I see the following lines:

    Jul 21 19:34:09 SRX01 sshd[7501]: Connection reset by authenticating user pparker 10.20.8.3 port 60103
    Jul 21 19:34:09 SRX01 sshd[7500]: Connection reset by authenticating user pparker 10.20.8.3 port 60103 [preauth]
    Jul 21 19:34:13 SRX01 sshd: sendmsg to 10.10.1.112(10.10.1.112).1812 failed: Can't assign requested address
    Jul 21 19:34:13 SRX01 sshd: PAM_RADIUS_SEND_REQ_FAIL: Sending radius request failed with error (Tried all servers unsucessfully).

    Tried with MSCHAP-V2 and without (PAP), with no difference in the results.

    The NPS servers' VSA (lab and prod) are configured exactly the same:
    VSA 2636
    attribute:
    String: su

    I also have a QFX configured exactly the same way, and this one sends me a push notification, but the switch returns an access-denied message while the Proxy confirms it sent an access-accept; that is for another post, though.

    I followed this Juniper KB article to help in troubleshooting, but the file doesn't return any data.

    Since the same configuration works in the lab environment, and only the Juniper devices are having issues authenticating in the production environment (all the Juniper kit fails, with a variation of failures; Cisco/Checkpoint are fine), I am thinking this is a JUNOS problem.

    Any insight or experience on how to resolve this would be greatly appreciated.

    Firmware Version 19.4R2.6
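The SRX log line `sendmsg to 10.10.1.112(10.10.1.112).1812 failed: Can't assign requested address` is the text of the socket error EADDRNOTAVAIL, which a UDP socket reports when it cannot use the local address it was asked to send from. Below is an added example (written for this page, not code from the original post and not Juniper's) of a minimal RFC 2865 PAP Access-Request probe that binds to a chosen source address, sends one request, and reports at which stage it failed or what the server replied, including a check of the Response Authenticator. Run from a test host on the same segment as the NPS/proxy, it reproduces the request the SRX is configured to send independently of the SRX, so the "no entry in the proxy log" symptom can be separated from the SRX's own source-address binding. The server address, shared secret, user name and password are placeholders; the source addresses used in the usage note are constructed test values.

```python
"""Added example, not from the original post or from Juniper: a PAP RADIUS
Access-Request probe (RFC 2865) bound to a chosen source address.
Server, secret, user and password are placeholders to be replaced."""
import errno
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """One attribute in type/length/value form (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous block), starting from the Request
    Authenticator. Returns the hidden User-Password value."""
    if len(password) > 128:
        raise ValueError("PAP password longer than 128 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password (what the RADIUS server does
    before checking the password). Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(secret: bytes, username: str, password: str, nas_ip: str,
                         ident: int = 1, authenticator: bytes = None) -> bytes:
    """Code, Identifier, Length, Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def send_probe(server: str, secret: bytes, username: str, password: str,
               source_address: str, port: int = 1812, timeout: float = 2.0) -> dict:
    """Bind to source_address (the role of 'set system radius-server ...
    source-address' on the SRX), send one Access-Request and report the
    outcome per stage. Returns a dict so the result can be checked in code."""
    result = {"stage": "bind", "source": source_address, "error": None,
              "reply": None, "authentic": None}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.bind((source_address, 0))
        except OSError as e:
            # EADDRNOTAVAIL is the errno rendered as "Can't assign requested
            # address": the address is not usable as a local address here.
            result["error"] = errno.errorcode.get(e.errno, str(e.errno))
            return result
        result["stage"] = "send"
        authenticator = os.urandom(16)
        req = build_access_request(secret, username, password, source_address,
                                   authenticator=authenticator)
        sock.sendto(req, (server, port))
        result["stage"] = "wait"
        try:
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError) as e:
            result["error"] = type(e).__name__  # no reply: server silent or unreachable
            return result
        result["stage"] = "reply"
        result["reply"] = {ACCESS_ACCEPT: "Access-Accept",
                           ACCESS_REJECT: "Access-Reject"}.get(data[0], f"code {data[0]}")
        # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
        # a mismatch means the reply was not built with the same shared secret.
        expected = hashlib.md5(data[:4] + authenticator + data[20:] + secret).digest()
        result["authentic"] = expected == data[4:20]
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    # Placeholder values; on a real test host use the NPS/proxy address, the
    # configured secret and a real account.
    print(send_probe("10.10.1.112", b"ABC", "su", "changeme", "10.10.1.1"))
```

Binding to an address that is not configured on the test host (for example a TEST-NET address such as 192.0.2.1) returns `{"stage": "bind", "error": "EADDRNOTAVAIL", ...}`, the same condition the SRX logged; binding to a local address and getting no reply returns stage `wait` with a timeout, which points at the path or the server rather than at the source binding. An `Access-Reject` with `authentic` equal to `False` indicates a shared-secret mismatch rather than bad credentials.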