[j-nsp] SSH access with Radius auth issue

Jonathan Call lordsith49 at hotmail.com
Fri Feb 16 17:07:34 EST 2018


I don't remember if this is in 15 code but what about authentication order?

set system authentication-order [ radius password ]

Jonathan

________________________________
From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of Chris Boyd <cboyd at gizmopartners.com>
Sent: Friday, February 16, 2018 9:44 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] SSH access with Radius auth issue

Starting to tear my hair out over this one.

Recently wiped and upgraded an EX4200 to 15.1R6.7.  Dropped in my standard Radius config that’s working on all my other devices. Users that are locally configured on the 4200 can log in normally, but SSH sessions that are Radius authenticated get the session closed immediately upon supplying the correct password. Giving the wrong password gets you another password prompt. Google keeps taking me to pages talking about BRAS/Dialup sorts of issues.

Here’s what’s working on all the other switches and routers, but not on the newly upgraded switch:

system {
    radius-server {
        10.a.b.c {
            secret "$9$shh_don't_tell_anyone"; ## SECRET-DATA
            source-address 10.p.q.r;
        }
        10.x.y.z {
            secret "$9$shh_don't_tell_anyone"; ## SECRET-DATA
            source-address 10.p.q.r;
        }
    }
    radius-options {
        password-protocol mschap-v2;
    }
}

The Radius servers are reachable by the source address.

After re-reading the Radius configuration pages, I added this to the config, with no effect.  Behavior is the same.

groups {
    global {
        system {
            login {
                user remote {
                    class super-user;
                }
            }
        }
    }
}

Pointers and cluebats appreciated.

—Chris

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp