Hi everyone,
I have an issue where I am trying to authenticate an SRX cluster with DUO.
Authentication with other vendors works flawlessly. I have labbed this process using a vSRX and got it working, but when I tried to implement this in a production environment it doesn't work. The only difference between the lab and prod is the presence of a routing-instance, which was factored into the prod config.
The SRX lab configuration is as follows:
set system login user ro uid 2000
set system login user ro class read-only
set system login user su uid 2001
set system login user su class super-user
set system authentication-order radius
set system authentication-order password
set system radius-server 10.44.110.1 port 1812
set system radius-server 10.44.110.1 secret "ABC"
set system radius-server 10.44.110.1 source-address 10.44.110.252
The SRX prod configuration is as follows:
set system login user ro uid 2000
set system login user ro class read-only
set system login user su uid 2001
set system login user su class super-user
set system authentication-order radius
set system authentication-order password
set system radius-server 10.10.1.112 routing-instance PROD
set system radius-server 10.10.1.112 port 1812
set system radius-server 10.10.1.112 secret "ABC"
set system radius-server 10.10.1.112 source-address 10.10.1.1
There is full connectivity between the SRX and the proxy server and AD, as the SRX interface used for authentication is on the same subnet as the proxy and AD.
root@SRX01> ping 10.10.1.112 routing-instance PROD
PING 10.10.1.112 (10.10.1.112): 56 data bytes
64 bytes from 10.10.1.112: icmp_seq=0 ttl=64 time=0.532 ms
64 bytes from 10.10.1.112: icmp_seq=1 ttl=64 time=5.492 ms
64 bytes from 10.10.1.112: icmp_seq=2 ttl=64 time=0.509 ms
64 bytes from 10.10.1.112: icmp_seq=3 ttl=64 time=0.461 ms
64 bytes from 10.10.1.112: icmp_seq=4 ttl=64 time=0.506 ms
I see no entry in the proxy server log for the SRX. When looking at the logs on the SRX I see the following lines:
Jul 21 19:34:09 SRX01 sshd[7501]: Connection reset by authenticating user pparker 10.20.8.3 port 60103
Jul 21 19:34:09 SRX01 sshd[7500]: Connection reset by authenticating user pparker 10.20.8.3 port 60103 [preauth]
Jul 21 19:34:13 SRX01 sshd: sendmsg to 10.10.1.112(10.10.1.112).1812 failed: Can't assign requested address
Jul 21 19:34:13 SRX01 sshd: PAM_RADIUS_SEND_REQ_FAIL: Sending radius request failed with error (Tried all servers unsucessfully).
Tried with MSCHAP-V2 and without (PAP), without any difference in the results.
The NPS servers' VSA (lab and prod) are configured exactly the same:
VSA 2636
attribute:
String: su
I also have a QFX configured exactly the same way, and this one sends me a push notification, but the switch returns an access-denied message while the proxy confirms it sent an access-accept; that is for another post.
I followed this Juniper KB article to help with troubleshooting, but the file doesn't return any data.
Since the same configuration works in the lab environment, and only the Juniper devices are having issues authenticating in the production environment (all the Juniper kit fails, with a variation of failures, while Cisco/Checkpoint are fine), I am thinking this is a JUNOS problem.
Any insight or experience on how to resolve this would be greatly appreciated.
Firmware Version 19.4R2.6
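A small log-triage helper, added here as an example and not part of the original post or of any Juniper tool: it parses the kinds of syslog lines quoted above and separates the client-side SSH resets from the RADIUS-side failures, so that the two are not conflated when reading a busy log. The sample lines are constructed from the ones in the post. The detail worth isolating for whoever looks at such a log is that "Can't assign requested address" is the FreeBSD text of the EADDRNOTAVAIL socket error: the local socket could not be bound to the configured source address, so the Access-Request never left the device, which is consistent with nothing appearing in the proxy log. The regexes and event names are assumptions made for this example, not Junos identifiers.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the four lines quoted in the post; it is
# not the poster's full syslog.
SAMPLE_LOG = """\
Jul 21 19:34:09 SRX01 sshd[7501]: Connection reset by authenticating user pparker 10.20.8.3 port 60103
Jul 21 19:34:09 SRX01 sshd[7500]: Connection reset by authenticating user pparker 10.20.8.3 port 60103 [preauth]
Jul 21 19:34:13 SRX01 sshd: sendmsg to 10.10.1.112(10.10.1.112).1812 failed: Can't assign requested address
Jul 21 19:34:13 SRX01 sshd: PAM_RADIUS_SEND_REQ_FAIL: Sending radius request failed with error (Tried all servers unsucessfully).
"""

# BSD-style syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Patterns for the three message shapes seen in the post (assumed, not a Junos spec).
SENDMSG_RE = re.compile(
    r"sendmsg to (?P<server>\d+\.\d+\.\d+\.\d+)\([^)]*\)\.(?P<port>\d+) failed: (?P<reason>.+)"
)
PAM_FAIL_RE = re.compile(r"PAM_RADIUS_SEND_REQ_FAIL: (?P<reason>.+)")
RESET_RE = re.compile(
    r"Connection reset by authenticating user (?P<user>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


@dataclass
class Event:
    ts: str
    host: str
    proc: str
    kind: str            # client_reset | radius_socket_error | radius_send_fail | other
    detail: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    msg = m.group("msg")
    kind, detail = "other", {}
    if (s := SENDMSG_RE.search(msg)):
        # The RADIUS client could not even hand the UDP datagram to the kernel.
        # "Can't assign requested address" is the EADDRNOTAVAIL text: the
        # configured source address could not be bound for this socket.
        kind, detail = "radius_socket_error", s.groupdict()
    elif (p := PAM_FAIL_RE.search(msg)):
        # PAM gave up after trying every configured server.
        kind, detail = "radius_send_fail", p.groupdict()
    elif (r := RESET_RE.search(msg)):
        # The SSH client dropped the connection mid-authentication; this is a
        # symptom of the delay, not the cause of the RADIUS failure.
        kind, detail = "client_reset", r.groupdict()
    return Event(m.group("ts"), m.group("host"), m.group("proc"), kind, detail)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def summarize(events: List[Event]) -> dict:
    """Count event kinds and list the RADIUS servers that failed at the socket layer."""
    counts = Counter(e.kind for e in events)
    failed_servers = sorted({f"{e.detail['server']}:{e.detail['port']}"
                             for e in events if e.kind == "radius_socket_error"})
    return {
        "counts": dict(counts),
        "failed_servers": failed_servers,
        # If the request never left the SRX, the proxy cannot have logged it.
        "request_left_device": counts["radius_socket_error"] == 0
                               and counts["radius_send_fail"] == 0,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e.ts, e.host, e.kind, e.detail)
    print(summarize(evs))
```

Run it against a copy of `show log messages` output and look at `failed_servers` and `request_left_device` first: a socket-layer failure on the SRX side means the place to look is the device's own source-address and routing-instance handling, not the proxy or NPS logs.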