
UAC doesn't appear to be proxying RADIUS auth requests to

htroberts_
Occasional Contributor


I've been doing AAA with RSA and Cisco ACS for a while, but am new to Juniper and UAC.

 

We use UAC to proxy authentication requests from WiFi supplicants to an RSA authentication manager (SecurID/SDI/ACE) server.

 

In addition to the wireless access points, I also have a vanilla RADIUS client (it's a Citrix Netscaler). I've set it up in UAC as a 'standard' RADIUS client, but when we try to authenticate from it, we get an immediate reject. The UAC doesn't send anything to the RSA server.

 

I've got what I think are all the pieces in the chain configured: RADIUS client --> location group --> sign in policy --> authentication protocol set & user realm --> authentication server (RSA).

 

The UAC log says:

 

EAM24460 Requested authentication protocol may not be available

 

We don't allow all EAP types for the normal use case, so I set up a test authentication policy with all protocols enabled, but no change.

 

A tcpdump doesn't show any EAP negotiation.

 

Where else should I be looking?

Raveen_
Regular Contributor

Re: UAC doesn't appear to be proxying RADIUS auth requests to

What is the EAP protocol you are using?

Has the same EAP protocol been configured at both the server and client ends?

Are there any Realm restrictions configured?

 

Policy trace, RADIUS troubleshooting logs and tcpdump should help solve the issue.

 

Regards,

Raveen

htroberts_
Occasional Contributor

Re: UAC doesn't appear to be proxying RADIUS auth requests to


@Raveen wrote:

What is the EAP protocol you are using?

Has the same EAP protocol been configured at both the server and client ends?

Are there any Realm restrictions configured?

 

Policy trace, RADIUS troubleshooting logs and tcpdump should help solve the issue.



Client is using MSCHAPv2. I started on UAC with MSCHAPv2 turned on, and when that didn't work, I enabled all EAP protocols at the server (UAC) end.

 

So, again, I'm new to Juniper.

 

I don't have any realm restrictions that I know of.

 

What's a "policy trace," and what are "RADIUS troubleshooting logs" (is that something different from the event & user access logs on the UAC)?

 

Thanks,

Heath

kalagesan_
Super Contributor

Re: UAC doesn't appear to be proxying RADIUS auth requests to

Hi Heath,

 

The error is most likely caused by an EAP protocol mismatch. As Raveen said, we would need the RADIUS troubleshooting log and policy trace collected from the IC admin UI.

 

 The RADIUS Troubleshooting Log allows you to view the full suite of RADIUS logging features, including traffic trace and debug-level

The RADIUS Troubleshooting Log monitors all requests that the IC Series device receives from RADIUS clients.

To configure the RADIUS Diagnostic log:

1. Select Troubleshooting > Monitoring > RADIUS from the left navigation bar of the admin console.
2. Select the RADIUS Diagnostic Logging On check box.
3. Enter the maximum log size (up to 1,000 MB) in the Max Diagnostic Log Size box.
4. Click Save Changes.

Policy Trace records events for a given user under a given realm. Policy trace events determine policies applied on the user under the given realm.

To configure policy trace:

Select Troubleshooting > User sessions > Policy Trace

So the above two logs will give us more information about the failure.

Regards,
Kannan
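
An added example, not part of any post in this thread: a small classifier that reads the raw bytes of a captured RADIUS Access-Request and reports which authentication method it carries, which is the question the tcpdump and the RADIUS troubleshooting log are being used to answer. Attribute numbers come from RFC 2865, RFC 2548 and RFC 3579; the helper names and the sample packets (user `testuser`, zeroed authenticator and challenge data) are constructed for illustration.

```python
import struct

MICROSOFT_VENDOR_ID = 311                             # RFC 2548
METHOD_BY_ATTR = {2: "PAP", 3: "CHAP", 79: "EAP"}     # RFC 2865 / RFC 3579
METHOD_BY_MS_VSA = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}  # RFC 2548 vendor types


def iter_tlvs(buf: bytes):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def auth_methods(packet: bytes) -> set:
    """Return the authentication methods an Access-Request asks for."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError(f"not an Access-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with captured data")
    methods = set()
    for atype, value in iter_tlvs(packet[20:length]):
        if atype in METHOD_BY_ATTR:
            methods.add(METHOD_BY_ATTR[atype])
        elif atype == 26 and len(value) >= 4:         # Vendor-Specific
            if struct.unpack("!I", value[:4])[0] == MICROSOFT_VENDOR_ID:
                for vtype, _ in iter_tlvs(value[4:]):
                    if vtype in METHOD_BY_MS_VSA:
                        methods.add(METHOD_BY_MS_VSA[vtype])
    return methods


def tlv(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def request(attrs: bytes) -> bytes:
    """Constructed Access-Request: id 1, zeroed authenticator (sample data only)."""
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: plain MS-CHAPv2 in Microsoft VSAs, and an EAP identity response.
ms_vsa = lambda vtype, data: tlv(26, struct.pack("!I", 311) + tlv(vtype, data))
SAMPLE_MSCHAPV2 = request(tlv(1, b"testuser") + ms_vsa(11, bytes(16)) + ms_vsa(25, bytes(50)))
SAMPLE_EAP = request(tlv(1, b"testuser") + tlv(79, b"\x02\x01\x00\x0d\x01testuser"))
```

A request that classifies as `MS-CHAPv2` with no `EAP` carries no EAP-Message attribute, so a capture of it would show no EAP negotiation.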