UAC auth for admin sessions to EX

wimclend_
Occasional Contributor

hello all,

wasn't sure if I should put this question here, or in the EX section . . .

I have an EX switch that is working with the UAC to provide 802.1x authentication for both supplicant users and a MAC-based authentication for devices that don't support it.

now I would like to have the UAC also authenticate SSH sessions to the EX itself for management.

I got this working a long time ago, but the RADIUS server was IAS. Here is my current config for radius auth for admin sessions:

[edit system]

radius-server {
    172.17.100.15 {
        secret "$9$GYUHmf5FnCuZU/tOBEh"; ## SECRET-DATA
        source-address 172.17.10.2;
    }
}

login {
    class radius-ro {
        permissions view;
    }
    class radius-rw {
        permissions all;
    }
    user radius-ro {
        uid 2001;
        class radius-ro;
    }
    user radius-rw {
        uid 2002;
        class radius-rw;
    }
}

from what I remember, the class had to match the user-name (at least working with IAS . . .), hence my class and login names are the same.

on the UAC side, the EX is already a RADIUS client in a "Wired" Location Group, and already has a policy to assign a VLAN based on successful authentication and AD Group membership. I created a new policy to return Juniper-Local-User-Name of 'radius-rw'.

However when I try to login, the UAC log shows the following:

Radius authentication rejected for wmclendon (realm 'Mac-Auth-Realm') from location-group 'Wired' and attributes are: NAS-IP-Address = 172.17.10.2

Requested authentication protocol may not be available

EDIT: also seeing this in the Event log on the UAC:

RADIUS: Library Requires EAP and credentials are not EAP --- at a loss on this one


it appears to be trying to authenticate against the MAC Authentication Realm I configured for the Location Group, and not the Realm that actually has the information . . . and I'm not sure why I'm seeing the "requested protocol may not be available" messages...
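How the switch consumes the attribute the UAC policy returns, as an added example that is not part of the original post: the script below encodes and decodes the RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying Juniper-Local-User-Name (Juniper enterprise number 2636, vendor type 1) and resolves it against the template users from the posted [edit system login] stanza. The attribute has to name a local template user; the switch then applies that user's class, which is why the config above defines radius-ro and radius-rw as users and not only as classes. If the attribute is missing, Junos falls back to a local user literally named "remote" and refuses the login when none exists. The LOGIN_CONFIG dictionary and the sample replies are constructed for this example.

```python
# Added example, not from the forum thread. Decodes the Juniper VSA returned by
# a RADIUS Access-Accept and maps it to a local template user/class the way the
# switch does. Wire format: RFC 2865 Vendor-Specific (type 26) wrapping a
# 4-byte vendor id plus type/length/value sub-attributes.
import struct

JUNIPER_VENDOR_ID = 2636          # Juniper Networks IANA enterprise number
VSA_TYPE = 26                     # RFC 2865 Vendor-Specific
JUNIPER_LOCAL_USER_NAME = 1       # vendor type of Juniper-Local-User-Name

# Mirror of the template users and classes in the posted config (constructed).
LOGIN_CONFIG = {
    "classes": {"radius-ro": "view", "radius-rw": "all"},
    "users": {"radius-ro": "radius-ro", "radius-rw": "radius-rw"},  # user -> class
}


def build_juniper_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode one Juniper vendor-specific attribute (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + inner
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def parse_attributes(data: bytes) -> dict:
    """Walk a RADIUS attribute list and return Juniper VSAs as {vendor_type: value}.

    Length fields are checked before slicing so a malformed reply raises
    instead of silently yielding a truncated user name.
    """
    vsas = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(value) < 6:
            continue                      # not a VSA, or too short to hold one
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != JUNIPER_VENDOR_ID:
            continue                      # some other vendor's attribute
        sub, spos = value[4:], 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            vsas[vtype] = sub[spos + 2:spos + vlen]
            spos += vlen
    return vsas


def resolve_login_class(reply_attrs: bytes, config=LOGIN_CONFIG):
    """Return (template_user, permissions) the switch would apply, or None when
    the login must be refused."""
    vsas = parse_attributes(reply_attrs)
    raw = vsas.get(JUNIPER_LOCAL_USER_NAME)
    # Without the attribute Junos tries the local user named "remote".
    template = raw.decode("ascii") if raw is not None else "remote"
    cls = config["users"].get(template)
    if cls is None or cls not in config["classes"]:
        return None                       # no matching template user: access denied
    return template, config["classes"][cls]


if __name__ == "__main__":
    reply = build_juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"radius-rw")
    print(resolve_login_class(reply))     # ('radius-rw', 'all')
    print(resolve_login_class(b""))       # None: no attribute and no "remote" user
```

Returning a name that matches no template user (for example a typo in the UAC policy) yields None rather than a default class, which is the failure mode to test for before relying on the read-only class as a safety net.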

wimclend_
Occasional Contributor

Re: UAC auth for admin sessions to EX

I guess I posted too early . . . got it working, it looks like.

I had to add MS-CHAP-v2 as an allowed protocol under the Protocol Set associated with my realm.

Once I did that it started working properly.

Here's a new question though -- if I have Roles that need access to the devices for radius-based auth for management of the device, but at the same time need host checker policies enabled on the Role for endpoint compliance to be on the network . . . I think if I enforce the host checker policy, it will fail because MS-CHAP-v2 obviously cannot check Host Checker. Anyone have a clever way around that?
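The two symptoms in the thread, an admin login landing in the MAC-auth realm and the "Requested authentication protocol may not be available" / "Library Requires EAP and credentials are not EAP" events, are easy to miss in a busy UAC log. The script below is an added example (not from the thread or from Juniper) that parses the reject line format quoted above into fields and flags both conditions. The sample lines are copied or constructed from the thread, and the name of the realm that should handle CLI logins is an assumed parameter.

```python
# Added example, not from the forum thread: triage UAC/RADIUS reject lines for the
# two conditions described in the thread. Sample lines are constructed from the
# quoted log output; ADMIN_REALM is an assumed name for the realm that should
# handle switch CLI logins.
import re

REJECT_RE = re.compile(
    r"Radius authentication rejected for (?P<user>\S+) "
    r"\(realm '(?P<realm>[^']+)'\) from location-group '(?P<group>[^']+)'"
    r"(?: and attributes are: (?P<attrs>.*))?"
)

# Events that show the realm's protocol set only offers EAP methods while the
# switch presented plain (non-EAP) credentials for a CLI login.
NON_EAP_MARKERS = (
    "Requested authentication protocol may not be available",
    "Library Requires EAP and credentials are not EAP",
)


def parse_reject(line: str):
    """Return a dict of user/realm/group/attrs for a reject line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    attrs = {}
    for pair in (rec.pop("attrs") or "").split(","):
        if "=" in pair:
            key, val = pair.split("=", 1)
            attrs[key.strip()] = val.strip()
    rec["attrs"] = attrs
    return rec


def triage(lines, admin_realm: str):
    """Return a list of (code, detail) findings for a batch of UAC log lines."""
    findings = []
    for rec in filter(None, map(parse_reject, lines)):
        if rec["realm"] != admin_realm:
            nas = rec["attrs"].get("NAS-IP-Address", "?")
            findings.append((
                "wrong-realm",
                f"login for {rec['user']} from NAS {nas} was evaluated in realm "
                f"'{rec['realm']}' (location group '{rec['group']}'), "
                f"not '{admin_realm}'",
            ))
    if any(marker in line for line in lines for marker in NON_EAP_MARKERS):
        findings.append((
            "no-non-eap-method",
            "realm protocol set rejects non-EAP credentials; CLI logins need a "
            "non-EAP method such as MS-CHAP-v2 enabled in the protocol set",
        ))
    return findings


# Constructed sample based on the thread's quoted output.
SAMPLE_LOG = [
    "Radius authentication rejected for wmclendon (realm 'Mac-Auth-Realm') "
    "from location-group 'Wired' and attributes are: NAS-IP-Address = 172.17.10.2",
    "Requested authentication protocol may not be available",
    "RADIUS: Library Requires EAP and credentials are not EAP",
]

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG, admin_realm="Admin-Realm"):
        print(f"[{code}] {detail}")
```

Run against the thread's lines it reports both findings; once the protocol set is fixed, only the realm finding should remain, which keeps the two problems from being mistaken for one.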