[j-nsp] SSH access with Radius auth issue

Matt Freitag mlfreita at mtu.edu
Fri Feb 16 13:14:06 EST 2018


My only pointer is to make sure your RADIUS server is returning the correct
VSA.

Based on your config it should be RADIUS:Juniper:Juniper-Local-Username =
remote

Also, there are typically things that show up in the messages log about
login issues; looking in there may be useful to you.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Fri, Feb 16, 2018 at 11:44 AM, Chris Boyd <cboyd at gizmopartners.com>
wrote:

> Starting to tear my hair out over this one.
>
> Recently wiped and upgraded an EX4200 to 15.1R6.7.  Dropped in my standard
> Radius config that’s working on all my other devices. Users that are
> locally configured on the 4200 can log in normally, but SSH sessions that
> are Radius authenticated get the session closed immediately upon supplying
> the correct password. Giving the wrong password gets you another password
> prompt. Google keeps taking me to pages talking about BRAS/Dialup sorts of
> issues.
>
> Here’s what’s working on all the other switches and routers, but not on
> the newly upgraded switch:
>
> system {
>     radius-server {
>         10.a.b.c {
>             secret "$9$shh_don't_tell_anyone"; ## SECRET-DATA
>             source-address 10.p.q.r;
>         }
>         10.x.y.z {
>             secret "$9$shh_don't_tell_anyone"; ## SECRET-DATA
>             source-address 10.p.q.r;
>         }
>     }
>     radius-options {
>         password-protocol mschap-v2;
>     }
> }
>
> The Radius servers are reachable by the source address.
>
> After re-reading the Radius configuration pages, I added this to the
> config, with no effect.  Behavior is the same.
>
> groups {
>     global {
>         system {
>             login {
>                 user remote {
>                     class super-user;
>                 }
>             }
>         }
>     }
> }
>
> Pointers and cluebats appreciated.
>
> —Chris
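
A way to check the VSA mentioned in the reply from a captured RADIUS Access-Accept, given as an added example that is not part of the original thread or of any Juniper tool. It assumes the attribute is encoded as vendor ID 2636, vendor type 1 (Juniper-Local-User-Name in Juniper's RADIUS dictionary); the function names and sample packets are constructed for illustration, and the response authenticator is not verified.

```python
import struct

JUNIPER_VENDOR_ID = 2636      # Juniper Networks enterprise number (assumption stated above)
JUNIPER_LOCAL_USER_NAME = 1   # vendor type of Juniper-Local-User-Name
VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute (RFC 2865)
ACCESS_ACCEPT = 2

def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute of a RADIUS packet."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def juniper_local_user(packet: bytes):
    """Return the Juniper-Local-User-Name of an Access-Accept, or None if absent."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in iter_attributes(packet):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub = value[4:]
        # Walk the vendor sub-attributes: type, length, data
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if vendor_id == JUNIPER_VENDOR_ID and sub[0] == JUNIPER_LOCAL_USER_NAME:
                return sub[2:sub[1]].decode("ascii")
            sub = sub[sub[1]:]
    return None

def build_accept(attrs: bytes) -> bytes:
    """Constructed sample packet with a zeroed authenticator, not a real capture."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

def vsa(vendor: int, vtype: int, data: bytes) -> bytes:
    body = struct.pack("!I", vendor) + bytes([vtype, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed samples: one reply carrying the VSA, one with only Service-Type (6)
GOOD = build_accept(vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME, b"remote"))
BAD = build_accept(bytes([6, 6, 0, 0, 0, 6]))
```

With the configuration quoted above, the value returned for a real Access-Accept would need to be `remote` to match the template user.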

