We recently upgraded to PPS 5.4R7 (it's a MAG6610, so it's the latest we can go) last Friday. At the beginning there were no problems, but lately we see more users failing to authenticate, although in the logs the user is accepted and all the correct attributes are returned. It may be a coincidence that this happened after the upgrade, and I need to exclude the possibility in order to look elsewhere. The only issue logged in RADIUS is the message
"Session Termination Attempt in response to Radius Disconnect Request for Auth Server 'INVALID' did not succeed, leading to a Disconnect-NAK. Reason: Invalid request."
There is no information I could find for this. Can anyone please give me any information regarding this message?
Adding to the previous comment: you can use the TCP DUMP feature in PPS to see what data is hitting the wire between PPS and the switch. We'd need to know if the switch is sending back an error or if PPS is the source of the error. After auth, you will see the RADIUS Access-Accept and then a COA message going out to the switch. If the switch NAKs the message, we'd need to know what the reported error in the TCP DUMP shows.
Additionally, you can turn on the RADIUS diagnostics in PPS and collect our logs to see if they give more information as to the reason of the failure.
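To read the error the switch reports from a capture, as the reply above asks, the following added example (not part of the thread and not Pulse or Juniper code) parses the UDP payload of a RADIUS Disconnect-NAK or CoA-NAK and decodes its Error-Cause attribute using the codes and attribute type from RFC 5176. The sample packets are constructed; the value 404 in the sample is an assumption and is not taken from the poster's capture.

```python
import struct

# RADIUS dynamic-authorization packet codes (RFC 5176)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = 101  # Error-Cause attribute type, 4-byte integer value
ERROR_CAUSES = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    407: "Invalid Attribute Value", 501: "Administratively Prohibited",
    503: "Session Context Not Found", 504: "Session Context Not Removable",
    506: "Resources Unavailable",
}

def parse_radius(payload: bytes) -> dict:
    """Split a RADIUS UDP payload into its header fields and raw attributes."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match the captured payload")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, f"code {code}"),
            "id": ident, "attrs": attrs}

def nak_reason(payload: bytes):
    """Return a one-line summary for a Disconnect-NAK/CoA-NAK, else None."""
    pkt = parse_radius(payload)
    if pkt["code"] not in (42, 45):
        return None
    for atype, value in pkt["attrs"]:
        if atype == ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            text = ERROR_CAUSES.get(cause, "unknown")
            return f'{pkt["name"]} id={pkt["id"]}: Error-Cause {cause} ({text})'
    return f'{pkt["name"]} id={pkt["id"]}: no Error-Cause attribute'

# Constructed samples: zeroed authenticator, identifier 7.
SAMPLE_NAK = (bytes([42, 7]) + struct.pack("!H", 26) + bytes(16)
              + bytes([ERROR_CAUSE, 6]) + struct.pack("!I", 404))
SAMPLE_ACK = bytes([41, 7]) + struct.pack("!H", 20) + bytes(16)
```

Matching the identifier in the NAK against the preceding Disconnect-Request or CoA-Request in the same capture shows which request the switch rejected.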
The switches are Juniper EX 4200 VCs. I haven't noticed the TCP DUMP function. I will use it to trace the packets and hopefully find something more helpful.
Thank you for your help.
TCP dump on the EX switches only has access to control plane traffic destined to the local routing engine.
You would need to use a port mirror for the capture.