JuniperForum.com
March 10, 2010, 12:40:21 PM *
Author Topic: Per-user RADIUS authentication EX 4200 switch  (Read 678 times)
F1ght3r
« on: February 04, 2010, 06:08:28 AM »

Dear colleagues,

currently I sit in front of an EX 4200 switch with JunOS 10.0R2 and try to implement per-user RADIUS authentication. I adapted the config from the code example Juniper provides at http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/subscriber-access/aaa-subscriber-access-radius-authentication-accounting.html and http://www.juniper.net/techpubs/en_US/junos9.6/topics/task/configuration/radius-server-ex-series-cli.html.
 
This is my config at the moment (only the necessary parts):

```
access {
    radius-server {
        192.168.2.1 {
            secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            timeout 3;
            retry 1;
            source-address 192.168.3.15; ## this is the outgoing interface IP
        }
        192.168.1.1 {
            secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            timeout 3;
            retry 1;
            source-address 192.168.3.15; ## this is the outgoing interface IP
        }
    }
    profile profile1 {
        authentication-order radius;
        radius {
            authentication-server [ 192.168.2.1 192.168.1.1 ];
            accounting-server [ 192.168.2.1 192.168.1.1 ];
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
            immediate-update;
            statistics time;
        }
    }
}
```
 

With this code, the EX does not try to contact the RADIUS server (of course, the server itself is reachable). In the RADIUS log messages there is no entry for an authentication try.

The Syslog shows the following output (first try SSH, second try telnet):

```
Dec 13 07:52:39   sshd[1405]: Failed password for test from 192.168.3.1 port 4796 ssh2
Dec 13 07:52:43   inetd[709]: /usr/sbin/sshd[1405]: exited, status 255
Dec 13 07:53:03   login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM authentication error for user test
Dec 13 07:53:03   login: LOGIN_FAILED: Login failed for user test from host 192.168.3.1
```


In the JunOS Cookbook, I found an instruction to implement the following code:

```
system {
    radius-server {
        192.168.2.1 {
            port 1645;
            accounting-port 1646;
            secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            timeout 3;
            retry 1;
        }
        192.168.1.1 {
            port 1645;
            accounting-port 1646;
            secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            timeout 3;
            retry 1;
        }
    }
}
```

This doesn't help anyway, I can only log in with the locally configured username.

Did I forget anything? I hope someone has an idea.

Thank you!
frogmanclay
« Reply #1 on: February 04, 2010, 09:37:13 AM »

Set the radius server under the system stanza. Also, set the authentication-order there. It isn't trying the radius server because you don't have it set to, i.e. set system authentication-order radius

Hope that helps,
Clay
F1ght3r
« Reply #2 on: February 05, 2010, 02:43:53 AM »

The authentication-order command is only available in the "access profile profile-name" stanza, I cannot configure it in the system stanza (see http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/subscriber-access/authentication-order-edit-access.html#jd0e20818).
frogmanclay
« Reply #3 on: February 05, 2010, 08:10:37 AM »

Ok, are you trying to use radius to authenticate when you connect to the switch for management of said switch? Or are you trying to use radius to authenticate users connecting to the switch for network access? If the first is true, then try what I said above. If the second is true, then the link you provided is true.

Hope that helps,
Clay
F1ght3r
« Reply #4 on: February 06, 2010, 02:31:38 PM »

Hi Clay,
now it works. The problem was that I didn't create the local user ID "remote", so I couldn't log in even though the user was successfully authenticated by the RADIUS server.

Thank you very much for your help!
Daniel
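Putting Clay's two points together (radius-server and authentication-order under the `system` stanza) with Daniel's fix (a local `remote` template user), here is the shape of a working management-login configuration. This is an added example, not configuration from the thread or from Juniper's documentation: the server addresses, timeout and retry values are taken from the posts above, while the login class name `radius-ops`, its permission set, the uid, and the secret placeholder are assumptions chosen for illustration. Users authenticated by RADIUS that carry no Juniper-Local-User-Name attribute are mapped to the `remote` template, so the privileges of that template are the privileges every RADIUS-authenticated operator gets; keeping its class tightly scoped is the least-privilege default, and individual users can be granted more through per-user mappings on the RADIUS side.

```junos
system {
    ## Try RADIUS first; "password" keeps the local accounts usable as a
    ## fallback (for example when both RADIUS servers are unreachable).
    authentication-order [ radius password ];
    radius-server {
        192.168.2.1 {
            secret "REPLACE-WITH-SHARED-SECRET"; ## placeholder, not a real secret
            timeout 3;
            retry 1;
            source-address 192.168.3.15;   ## outgoing interface IP from the thread
        }
        192.168.1.1 {
            secret "REPLACE-WITH-SHARED-SECRET"; ## placeholder, not a real secret
            timeout 3;
            retry 1;
            source-address 192.168.3.15;
        }
    }
    login {
        ## Assumed class name and permissions: read-only operations for
        ## RADIUS users that are not mapped to a more specific local template.
        class radius-ops {
            permissions [ view view-configuration ];
        }
        ## Template account used for every RADIUS-authenticated user that
        ## does not carry a Juniper-Local-User-Name attribute. Without this
        ## account the login fails even after a RADIUS Access-Accept, which
        ## is the symptom described in the first post.
        user remote {
            uid 2100;   ## assumed value
            class radius-ops;
        }
    }
}
```

After committing, a quick check is to watch the RADIUS server's log (or `monitor traffic` on the source interface for UDP/1812) during an SSH login: an Access-Request should now appear for the test user, whereas the original configuration produced none because nothing under `system` referenced the servers.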
F1ght3r
« Reply #5 on: February 08, 2010, 06:56:33 AM »

Oh yes, there's still one question: I want to set it up so that the RADIUS user is only asked for when connecting through telnet or SSH, but not over the console line. Here the switch should only accept the locally configured user.

Any idea how to solve this?