PPS auth problems

Occasional Contributor

Hello all,

We recently upgraded to PPS 5.4R7 (it's a MAG6610, so it's the latest we can go) last Friday. At the beginning there were no problems, but lately we see more users failing to authenticate, although in the logs the user is accepted and all the correct attributes are returned. It may be a coincidence that this happened after the upgrade, and I need to exclude the possibility in order to look elsewhere. The only issue logged in RADIUS is the message

"Session Termination Attempt in response to Radius Disconnect Request for Auth Server 'INVALID' did not succeed, leading to a Disconnect-NAK. Reason: Invalid request."

There is no information I could find for this. Can anyone please give me any information regarding this message?

5 REPLIES
Moderator

Re: PPS auth problems

What switch are you using? Did you change any of the CoA configuration when you upgraded?
I would recommend opening a case with our support team for further investigation.
Moderator

Re: PPS auth problems

Adding to the previous comment: you can use the TCP DUMP feature in PPS to see what data is hitting the wire between PPS and the switch. We'd need to know if the switch is sending back an error or if PPS is the source of the error. After auth, you will see the RADIUS Access-Accept and then a CoA message going out to the switch. If the switch NAKs the message, we'd need to know what the reported error in the TCP DUMP shows.

Additionally, you can turn on the RADIUS diagnostics in PPS and collect our logs to see if they give more information as to the reason for the failure.

Thanks

Craig Brauckmiller

Pulse Secure

Occasional Contributor

Re: PPS auth problems

The switches are Juniper EX 4200 VCs. I haven't noticed the TCP DUMP function. I will use it to trace the packets and hopefully find something more helpful.

Thank you for your help.

Super Contributor

Re: PPS auth problems

Tcpdump on the EX switches only has access to control plane traffic destined to the local routing engine.

You would need to use a port mirror for the capture.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10878

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
Moderator

Re: PPS auth problems

Thank you for the update & clarification, @spuluka