Showing results for 
Search instead for 
Did you mean: 

UAC auth for admin sessions to EX

Occasional Contributor

UAC auth for admin sessions to EX

hello all,

wasn't sure if I should put this question here, or in the EX section . . .

I have an EX switch that is working with the UAC to provide 802.1x authentication for both supplicant users and a MAC-based authentication for devices that don't support it.

now I would like to have the UAC also authenticate SSH sessions to the EX itself for management.

I got this working a long time ago, but the RADIUS server was IAS. Here is my current config for radius auth for admin sessions:

[edit system[

radius-server { {
secret "$9$GYUHmf5FnCuZU/tOBEh"; ## SECRET-DATA

login {
class radius-ro {
permissions view;
class radius-rw {
permissions all;
user radius-ro {
uid 2001;
class radius-ro;
user radius-rw {
uid 2002;
class radius-rw;

from what I remember, the class had to match the user-name (at least working with IAS . . .), hence my class and login names are the same.

on the UAC side, the EX is already a RADIUS client in a "Wired" Location Group, and already has a policy to assign a VLAN based on successful authentication and AD Group membership. I created a new policy to return Juniper-Local-User-Name of 'radius-rw'.

However when I try to login, the UAC log shows the following:

Radius authentication rejected for wmclendon (realm 'Mac-Auth-Realm') from location-group 'Wired' and attributes are: NAS-IP-Address =

Requested authentication protocol may not be available

EDIT: also seeing this in the Event log on the UAC:

RADIUS: Library Requires EAP and credentials are not EAP --- at a loss on this one

it appears to be trying to authenticate against the MAC Authentication Realm I configured for the Location Group, and no tthe Realm that actually has the information . . . and i'm not sure why i'm seeing the requested protocol may not be available messages...

Occasional Contributor

Re: UAC auth for admin sessions to EX

i guess i posted too early . . . got it working it looks like.

I had to add MS-CHAP-v2 as an allowed protocol under the Protocol Set associated with my realm.

Once I did that it started working properly

Here's a new question tho -- if I have Roles that need access to the devices for radius-based auth for management of the device, but at the same time need host checker policies enabled on the Role for endpoint compliance to be on the network . . . I think if I enforce the host checker policy, it will fail because MS-CHAP-v2 obviously can not check Host Checker. Anyone have a clever way around that?