Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Juniper Secure Connect & Radius Authentication for VPN

    Posted 07-14-2022 06:20
    We are trying to get Radius authentication to work with a client's Juniper Secure Connect setup on an SRX 320, but we are running into repeated authentication issues.

    When I monitor the traffic on the interface facing the Radius server during these authentication attempts, I'm seeing the following:

    1) The Juniper sends an authentication request to the Radius server

    11:06:49.683847 Out IP (tos 0x0, ttl 64, id 13260, offset 0, flags [none], proto: UDP (17), length: 93) 192.168.1.1.56377 > <Radius Server IP>.radius: RADIUS, length: 65
    Access Request (1), id: 0x6c, Authenticator: <removed>
    Username Attribute (1), length: 7, Value: userName
    Password Attribute (2), length: 18, Value:
    NAS ID Attribute (32), length: 14, Value: <Router Host Name>
    NAS Port Type Attribute (61), length: 6, Value: Ethernet

    2) The Radius server replies with an Access Accept. (The Reply Attribute returned is 'User bypassed' as the client is currently bypassing multi-factor authentication for this user specifically.)

    11:06:50.455297 In IP (tos 0x0, ttl 128, id 4540, offset 0, flags [none], proto: UDP (17), length: 64) <Radius Server IP>.radius > 192.168.1.1.56377: RADIUS, length: 36
    Access Accept (2), id: 0x6c, Authenticator: <removed>
    Reply Attribute (18), length: 16, Value: User bypassed.

    3) Instead of accepting the Access Accept response and letting the VPN user online, the Juniper resends the authentication request to the Radius server once more.

    11:06:51.355884 Out IP (tos 0x0, ttl 64, id 13323, offset 0, flags [none], proto: UDP (17), length: 93) 192.168.1.1.56377 > <Radius Server IP>.radius: RADIUS, length: 65
    Access Request (1), id: 0x6d, Authenticator: <removed>
    Username Attribute (1), length: 7, Value: userName
    Password Attribute (2), length: 18, Value:
    NAS ID Attribute (32), length: 14, Value: <Router Host Name>
    NAS Port Type Attribute (61), length: 6, Value: Ethernet

    4) Upon receiving this additional request, the Radius server responds with an Access Reject, with the Reply Attribute of "Response was just sent to you. Please wait 3 seconds and try again."

    11:06:51.380116 In IP (tos 0x0, ttl 128, id 4541, offset 0, flags [none], proto: UDP (17), length: 117) <Radius Server IP>.radius > 192.168.1.1.56377: RADIUS, length: 89
    Access Reject (3), id: 0x6d, Authenticator: <removed>
    Reply Attribute (18), length: 69, Value: Response was just sent to you. Please wait 3 seconds and try again.

    5) At this point, the conversation between the Juniper and the Radius server ceases, and the Juniper Secure Connect application returns the following error:

    PAP/CHAP error. Wrong User ID or password (VPN).

    Using this same configuration with an offsite Radius server (different type - very basic), I am able to get this to work without issue. But what I'm seeing when trying to incorporate the client's Radius server is bothering me. Why is the Juniper ignoring the first Access-Accept, and then resending the authentication request?

    Logically, I'd expect it to let the VPN user online as soon as it receives an Access Accept from the Radius server.
    Any assistance or tips would be greatly appreciated.


    ------------------------------
    Chris Durand
    ------------------------------
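One thing worth ruling out from the capture above is a shared-secret mismatch between the SRX and the client's Radius server: per RFC 2865 section 3, a NAS silently discards any reply whose Response Authenticator does not verify and then retransmits the request, which would look exactly like steps 2 to 4. The checker below is an added example, not code from the thread or from Juniper; it rebuilds the captured Access Accept (id 0x6c, Reply-Message "User bypassed.") and verifies it the way the NAS would, using a constructed secret and a constructed stand-in for the removed Request Authenticator.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18  # Reply-Message (18), the attribute carried in the captured Accept

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Build the reply a RADIUS server would send to a request carrying request_auth."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(encode_attrs(attrs))) + auth + encode_attrs(attrs)

def parse_packet(raw):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    attrs, pos = [], 20
    while pos < length:
        t, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs

def verify_response(raw_response, request_auth, secret):
    """True when the reply's authenticator matches; a NAS silently drops it otherwise."""
    code, ident, auth, attrs = parse_packet(raw_response)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)

def demo(server_secret=b"constructed-secret", nas_secret=b"constructed-secret"):
    """Rebuild the captured Accept (id 0x6c, 'User bypassed.') and check it as the NAS would."""
    request_auth = bytes(range(16))  # constructed stand-in for the <removed> Request Authenticator
    accept = build_response(ACCESS_ACCEPT, 0x6C, request_auth, [(REPLY_MESSAGE, b"User bypassed.")], server_secret)
    return len(accept), verify_response(accept, request_auth, nas_secret)

if __name__ == "__main__":
    print(demo())                              # (36, True): same length as the captured Accept
    print(demo(nas_secret=b"other-secret"))    # (36, False): mismatched secret, NAS would discard
```

To apply this to the real capture, feed the raw UDP payloads of the Access Request and Access Accept into `parse_packet` and `verify_response` with the secret configured on the SRX; a failed check points at the secret or at a proxy rewriting the reply rather than at the user's credentials.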


  • 2.  RE: Juniper Secure Connect & Radius Authentication for VPN

    Posted 08-11-2022 10:56
    Edited by emeiler 08-11-2022 10:56
    Hi Chris,

    did you manage to resolve this problem?

    If you could, please share how you have configured it.

    Best Regards

    Eduard

    ------------------------------
    Eduard Meiler
    ------------------------------