Howdy - yes- the IVE and MS Radius (IAS) do work well together. The first step is to get Radius working properly under IAS. For Radius troubleshooting and setup at my customer sites I carry around a tool on my laptop called Radutils - http://www.radutils.com/ - It is not freeware but it just establishes Radius sessions and lets you test.

As you are not even getting to the ports do the following: Bring up IAS through the Admin Tools menu.

If you right click on THE IAS Service you will have TWO tabs where you can enable additional logging (quite helpful) and setup your ports that will be used. This is where you can validate that the box is indeed using 1812 or 1813. It does sound like the server may have been configured with different ports.

You also always keep an eye on the Windows Event log. This is very helpful in allowing you to see if the remote requester is even talking to the box, and then when it is what happens to the authentication request.

As you said you can't even see the ports I won't talk about the rest of the IAS setup for now. Feel free to post more questions and I can give you more information if you need it! You will need to setup a Radius client for each remote request machine, and a Remote Access Policy.

hi kevin, thanks a lot for your support!

i've already configured the service to log rejected and accepted authentication-requests, and i've also ensured that the ports tab shows 1812 for auth and 1813 for accounting. the windows eventlog shows only the following message:

"A RADIUS message was received from the invalid RADIUS client IP address xxx.xxx.xxx.xxx".

i can exclude the possibility that its listening on different ports. only the following ones are opened on this machine:

80/tcp
135/tcp
139/tcp
445/tcp
1043/tcp
2000/tcp
3389/tcp

windows firewall is disabled, no other firewall running.

does routing and RAS service has to be started? does it have something to do with it?

when i netstat the IAS i can see for example:

UDP IAS-Server:1812 *:*

UDP IAS-Server:1813 *:*

but from another machine (without firewalls in between) i dont see it as open. i'm not sure if its listening or not but i dont think so.

thanks again!

Ok - the message you are receiving is because you have not defined the remote requestor in IAS. Go to Admin - IAS - Radius clients - setup an entry for the requestor there. IP address, shared secret - This is the first thing you must do to get connectivity between the remote Radius requestor and the IAS box. This will eliminate the error message you got about invalid client. You will also need to define a Remote Access Policy.

Hi Kevin,

I alreay setup a RADIUS-client with the following config:

Friendly Name: SSL VPN

Address: Tried IP and DNS-Name here

Client-Vendor: RADIUS Standard

"Request must contain..." -> Unchecked

shared secret added

So that one already exists. I've also defined a Policy but there are so much options (NAS-Identifier) where i have no clue which one to chose. I tried different combinations for the rule (eg: VPN, ethernet, then different NAS-Identifier, but i dont really get what IAS wants/needs to accept a connection by SSL VPN gateways.

i tried with multiple combinations of rulesets and get always the same message at the eventlog.

thanks in advance

I also had this issue and was badly stuck for several days. I was using dynamic vpn connecting to an SRX240. After calls to JTAC I finally got a hold of a guy there who sent me a step-by-step config for using Windows IAS as your RADIUS server. Once I took that and followed it, bam everything started working. I'm attaching it here for you to look at. It really should be available for all but apparently this was from a customer and not a Juniper approved doc but who cares? It works. Take a look and hope it helps.

The document that was posted is very helpful for the specifics of the authorization policy setup. However the invalid client message that you posted is one that IAS returns when the 1st level communication between the IVE and IAS fails. If you had an incorrect shared password you would get a different message.

If your port was wrong you would not see anything in the event log as the request would never reach the server. You would see a bad packet error of some time on the sender machine but the IAS server would have no record of the request at all.

RAS / routing does NOT need to be enabled. Did you try using another tool or device against the IAS server to just verify basic Radius functionality. The tool I mentioned yesterday works really well.

I followed the steps from the PDF, but not the step that says: "Under a VPN user account, set..." because I dont want to authenticate against LDAP / AD. Theres another software (SMS Passcode) on that RADIUS server installed and it holds its own userdatabase and passwords for the users. those users should be uses to authenticate. i also want to use the NetworkConnect IP Pool and dont want to assign static IP addresses. all the other steps were followed as documented.

now my problem is - i have no clue how to tell IAS, that it should use this local userdatabase, not LDAP or sth else. the documentation of SMS Passcode is really weak and we dont get any further support, seems to be "our problem".

well, back to topic...i was able to see that 1812 is listening (at the logs), as it should be (but why dont I see the open port when i run nmap from another machine?). so as you said before, that should be fine, otherwise i wouldnt see the logfile-entry - check.

i think it has sth to do with the policy...as mentioned before - I followed the steps of the PDF, but i dont know which policy-conditions to choose. i tried Client-IP-Adress equals "*" (as wildcard) and "grant remote access" but that doenst help. I always see the same errors at the eventlog.

some questions for clarification:

-at the IVE-Config: do i have to check: "Users authenticate using tokens or one-time passwords"?

-at the IVE-Config: do i have to add a "NAS-IP-Address"? (what is it about?)

-at the IVE-Config: do i have to add "Custom Radius Auth Rules"?

jepp i tried the tool you mentioned and got this:

--------------------22.03.2010 10:04:11 Test started  [AcctTest(Start Alive Stop)]------------------------- Error: no response from server for ID 165 socket 1920 Sending Access-Request of id 165 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Start     Acct-Session-Id = "0001" Sending Access-Request of id 165 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Start     Acct-Session-Id = "0001" Sending Access-Request of id 165 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Start     Acct-Session-Id = "0001" Sending Access-Request of id 60 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Interim-Update     Error: no response from server for ID 60 socket 1920 Acct-Session-Id = "0001" Sending Access-Request of id 60 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Interim-Update     Acct-Session-Id = "0001" Sending Access-Request of id 60 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Interim-Update     Acct-Session-Id = "0001" Sending Access-Request of id 182 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Stop     Acct-Session-Id = "0001" Sending Access-Request of id 182 to 10.10.2.10 port 1812     User-Name = "test1" Error: no response from server for ID 182 socket 1920     Acct-Status-Type = Stop     Acct-Session-Id = "0001" Sending Access-Request of id 182 to 10.10.2.10 port 1812     User-Name = "test1"     Acct-Status-Type = Stop     Acct-Session-Id = "0001"         Total approved auths:  0          Total denied auths:  0            Total lost auths:  3            Total time(secs):  27 --------------------22.03.2010 10:04:38 Test finished [AcctTest(Start Alive Stop)]-------------------------

thanks for your time&support muttbarker and thanks for the PDF Drozymandias

• Do you have proper radius secret on IVE and IAS set?
• What about using sniffers like Network Monitor in IAS to check if Radius Packets arrive there?
• Do you have an eye on IAS Server System Eventlog? Very helpfull for Radius Errors
• Have you configured RAS Policies on IAS?
• Insert Attribute "Ignore User Dial-in Properties - true" on Advanced Tab on Profile so that ias ras policy can take control
• Insert some RAS Policy like "Windows Groups" / "Domain Users" for first tests
• Do you have realm role mapping rule configured properly? You can also use "Username" is "*" for first tests
• is the client correctly configured on IAS radius client part?
• restart IAS service each time you modify the config
• Does your Server Windows Firewall block UDP1812 (or UDP1645)
• Do you have an eye on IVE user access log?
• Use IVE tcpdump to watch radius returning packets from IAS (can read them unencrypted, only password is encrypted)
• use policytrace on IVE for troubleshooting

I find configuration of IVE and IAS for Radius Support dead easy, done in a snatch.

Try to understand how this two work together, and troubleshoot step by step the whole line till you got it.

It should also work with local SAM Users if IAS is not in a AD Domain.

But i never tried this out, i allways authenticate users from Active Directory via IAS.

http://technet.microsoft.com/en-us/library/cc773343(WS.10).aspx#w2k3tr_ias_how_qmlj