Hi all,
I have an IC4500 box with the radius feature and some devices such as srx3400, ex2200 ...
I want to use the IC4500 as a radius server to manage all accounts used to log in to the srx and ex devices. These accounts will be stored on the IC4500.
On the srx, I have configured the following, per this link: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB16607&smlogin=true
set system radius-server 10.20.20.11 port 1812 secret abc
set system authentication-order radius
insert system authentication-order password before radius
set system login user remote full-name "all remote users"
set system login user remote class operator
On the IC4500, I have tried to configure things such as a users realm, users role, radius client ... but srx authentication with an account managed on the IC4500 fails.
Please tell me what I have to configure on the IC4500, srx, ex ... to do my task.
Thanks.
Here are the config steps in IC-4500.
The above should get you going. In case you have issues, kindly collect a policy trace for the failing user as well.
Thanks
Thanks Paul,
I will try as soon as possible. So must I configure anything on the srx, ex ...?
Please help me.
Best regards.
I was thinking that you will be following the KB that you highlighted for SRX config.
I have tried to configure
Signing In */
"vph user" is our realm and I chose 802.1X
"vph user" realm
with Role Mapping
Authentication server is "vph auth.server", type: Local Authentication Server
and I created a user "vphfpt"
this is "vph user role"
nothing special for this role
I created vph group with Sign-in Policy */
and I have Radius client
IP address:
IC4500: 10.20.20.11
SRX3400: 10.20.254.33
they connect over a management switch and core switch
on srx3400
but I cannot log in to srx3400 with the account vphfpt I created on vph auth.server
Please help me
thanks.
and from srx3400, I cannot telnet to IC4500 port 1812; there is no firewall between the 2 devices
Can you attach the logs, User access logs as well as Radius troubleshooting logs?
In order to enable the Radius logs use Troubleshooting --> Monitoring --> Radius
Ensure you recreate the failure and collect these logs
The config looks OK for the most part; however, can you try with only a single realm (vpn user) in the Signing In Policies?
Thanks
Hi,
I cannot do it,
Check it and help me please,
The logs report that User vphfpt firmly rejected by MS-CHAP-V2 auth method (refer below). Have you enabled the Password stored as clear text option in the AUTH Server configuration? If not, can you try this option please?
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Authenticating user vphfpt with authentication method MS-CHAP-V2
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Request::Authenticate called. Username is vphfpt
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Client supplies MSCHAP2 password
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)MsChapV2Request::ForwardCredentials
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)User vphfpt firmly rejected by MS-CHAP-V2 auth method
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)ProcessAuthMethod Returned TRY NEXT
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Unable to find user vphfpt with matching password
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)User vphfpt being passed to Auth-Final-Response control point method .
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)-----------------------------------------------------------
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Authentication Response (reject)
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Packet : Code = 0x3 ID = 0xfa
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Vector =
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)000: 8f958ad7 0635ba3d 4e0231cf 3e359b55 |.....5.=N.1.>5.U|
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)MS-CHAP-Error : Value =
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)000: fa453d36 39312052 3d302020 563d33 |.E=691 R=0 V=3 |
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)-----------------------------------------------------------
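Added example, not part of the original thread and not vendor tooling: a small Python parser that finds the MS-CHAP-Error attribute in a RADIUS trace of the format quoted above and decodes its E=/R=/V= fields using the failure codes from RFC 2759. The function and pattern names are hypothetical, and the line layout is assumed from the quoted trace.

```python
import re

# Failure codes defined for the E= field in RFC 2759, section 6.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Line layout assumed from the trace quoted in the thread (hypothetical pattern names).
PREFIX = re.compile(r"^\w+ - \[[^\]]*\] - \S+ - \S+ \S+ - \((\w+)\)(.*)$")
USER = re.compile(r"Authenticating user (\S+) with authentication method (\S+)")
PACKET = re.compile(r"Packet : Code = (0x[0-9a-f]+) ID = (0x[0-9a-f]+)", re.I)
DUMP = re.compile(r"^\d{3}: ([0-9a-f ]+?)\s*\|", re.I)

# Four lines copied from the trace in the thread, used as sample input.
SAMPLE = """\
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Authenticating user vphfpt with authentication method MS-CHAP-V2
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Packet : Code = 0x3 ID = 0xfa
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)MS-CHAP-Error : Value =
info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)000: fa453d36 39312052 3d302020 563d33 |.E=691 R=0 V=3 |
"""

def parse_mschap_rejects(text):
    """Return one dict per MS-CHAP-Error attribute found in the trace text."""
    results, ctx, raw = [], {}, None
    for line in text.splitlines() + [""]:  # empty sentinel flushes a trailing dump
        m = PREFIX.match(line)
        msg = m[2] if m else ""
        d = DUMP.match(msg)
        if raw is not None and d:  # hexdump row that belongs to MS-CHAP-Error
            raw += bytes.fromhex(d[1])
            continue
        if raw:  # dump finished: byte 0 is the Ident, the rest is "E=.. R=.. V=.."
            body = raw[1:].decode("ascii", "replace")
            f = dict(p.split("=", 1) for p in body.split() if "=" in p)
            err = int(f["E"]) if f.get("E", "").isdigit() else None
            results.append({**ctx, "ident": raw[0], "error": err,
                            "error_name": MSCHAP_ERRORS.get(err, "unknown"),
                            "retry_allowed": f.get("R") == "1", "version": f.get("V")})
        raw = bytearray() if msg.startswith("MS-CHAP-Error") else None
        if u := USER.search(msg):
            ctx.update(session=m[1], user=u[1], method=u[2])
        elif p := PACKET.search(msg):
            ctx.update(packet=RADIUS_CODES.get(int(p[1], 16), p[1]), packet_id=int(p[2], 16))
    return results

if __name__ == "__main__":
    for r in parse_mschap_rejects(SAMPLE):
        print(r)
```

For the quoted trace this reports error 691 (ERROR_AUTHENTICATION_FAILURE) with retry not allowed, in an Access-Reject whose packet ID matches the attribute's Ident byte.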