Hi,   Can you please post the query you are running and the error you are getting back ? ... View more

I just pulled it out from the documentation, and should help to understand the relam selection in IC. I think whenever you are having the issue, the client may be requesting Authentication protocol which is not part of the available realms.       ... View more

Yes, you can use the SBR-C software for auth for login to several router.   In fact I was under the impression that you wanted to convert the SBR-C software to SBR-E edition, which is not possible.   ... View more

You cannot convert SBR-C instance to a SBR-E instance. They are not compatible. Especially with SBR-C 7.X and above, the Carrier code and Enterprise code have siginificant diffrences and any kind of migration is not supported.   Why do you want to convert from Carrier to Enterprise edition. I can't think of any feature that you could use in Enterprise which is not available in Carrier.   Thanks ... View more

Are you planning to migrate SBR-Carrier to SBR-Enterprise ? or is that you want the same instance of SBR-Carrier to work as SBR-Enterprise now.   Which Version of SBR are you running now ? Which Platform ? ... View more

Here is a same post for your reference.   http://forums.juniper.net/t5/Identity-and-Policy-Control/Radius-authentication-accepted-for-realm-Unavailable/td-p/126679   ... View more

You should be able to do that. However it have dependency on the authetication Protocols negotiated between Client and IC. The decision of what realms are available to the user within a sign-in policy is based on two factors. First, the order of realms in the list is considered. Realms at the top of the list are attempted. Second, the authentication protocol set that you choose must be compatible with the client or supplicant. To determine a compatible realm, the system looks for a RADIUS subprotocol that is compatible with the client or supplicantÍs available protocols, and the system automatically selects compatible realms. If the endpoint is using a UAC agent, the system presents a list of realms. Any realm with both outer and inner protocols that match the outer and inner protocols on the client is considered compatible.   We have a detailed docuemntaion around this topic and you can access it from http://www.juniper.net/techpubs/en_US/uac5.0/topics/concept/uac-sign-in-auth-protocols-about.html     ... View more

Hi,   I researched around your questions internally, and it seems RSA Secure ID is only supported with PAP and EAP-GTC token card. This is docuemnted in Admin guide Table 65: Authentication Protocols.   Hence can you try EAP-TTLS as outer and PAP as inner ?   Thanks Ashish Paul ... View more

Automatically at user login option enables Pulse client interaction with the credential provider software on the endpoint. The user credentials are used to establish the authenticated Pulse connection to the network, login to the endpoint, and login to the domain server ... View more

Are the users saving the credenatial during the initial login ? If not can you try that see if that is helping here. Other than this I am not sure what exactly you have in mind when you said running pulse in the back. Can you ellobrate ?   When does the user authentication pop-up happens ? Can you check whether the pop-up is due to timeouts either from the L2 switch or on IC role session option etc ?   Also here is the Pulse documentation around installation that could help here as well.   http://www.juniper.net/techpubs/en_US/uac5.0/information-products/pathway-pages/unified-access-control/junos-pulse-acs-junos-pulse-client.html#overview ... View more

Listing below few other quick things to check Under Role  -->  Session Option  --> Disbale Roaming Session If you are using dot1.x Enable Accounting on the switches.   Thanks Ashish Paul ... View more

Would it be possible for you to share Detailed Level Logs from Pulse client along with Timestamp details to co-relate the failure ? ... View more

CAn you also post the detailed Pulse logs, to do this ensure you open Pulse @ client, goto File --> Logs --> Log Level --> Details and Save the logs once the issue is replicated. Please provide the timestamp of the connection attempt to co-relate the logs. Also you can add a tcp-dump from the IC which could help here as well. ... View more

I think the following documentation with detailed configuration should help here. http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/uac-ex-series-centralized-resource-control.html   Thanks     ... View more

You have posted your query under the wrong Forum, You will need to post it under the appropriate forum. You can try posting this under the routing group.  ... View more

Have you enabled SBR troubleshooting logs under Troubleshooting --> Monitoring --> Diagnostic Logs. If yes, kindly clear the logs and if not needed disable the diagnostic logging as well.   That should take care of this. ... View more

I am not sure I fully understand your question ? You may need to elaborate more ? Does this mean that the Admin credentials are validated against an AD server ? It will be based on the Authentication server you have configured as part of your Administrator realm.   Thanks ... View more

Hi Yiux,   This Forum category may not have the expertise on the TCA devices. I can't find a category in the forum which deals with timing synchronization either. I recommend you reach out to the admin @ http://forums.juniper.net/t5/Community-Feedback-and-Direction/bd-p/Feedback_and_Direction to find the right forum for TCA servers.   Thanks ... View more

Assuming your machine authentication and User authentication maps to two different role, you could try adding the Host Check restriction as part User Authentication Role and see whether that resolves the issue for you.   Thanks ... View more

Are you  doing Machine authentication or User authentication ? In IC for Pulse Config What is configured for option Connection is established: ?   Thanks ... View more

Can you upload a Radius Diagnostic logs corresponding to  EAP-TTLS with JUAC.   Thanks  ... View more

I would first check on the licenses that are currently installed on the MAG device. What type of Licenses are currently installed ? ... View more

In the admin console, Under Authentication > Endpoint Security > Host Checker > Policies section of the page. For Predefined: Antivirus have you configured remediation actions. ... View more

The pulse logs does not seem to be @ detailed Level ? Can you ensure Pulse --> File --> Logs --> Log level detailed is checked and then collect the logs after replicating the failure.   Thanks ... View more

Reviewing the IC logs, the authentication sequence is never getting completed. I could see that IC is sending a Radius Challenge to the D-Link/Client but no response is received thereafter. This is causing the issue. A quick check on multiple instances of authentication in the logs, it seems all the authentication sequences are stuck at the same stage of Radius Challenge.   The issue needs more investigation from the switch side and client side to see why the authentication is not getting completed. Can you upload a detailed Pulse log as well, I wanted to try and look for anything obvious in the Pulse log for this stuckness.   Thanks ... View more

What Radius Return Attribute policy are you using ? Have you configured Open port or VLAN or Return attributes ? Would it be possible for you to share the Radius logs from Troubleshooting --> Monitoring --> Radius   Thanks ... View more

What's the Password encryption you are using ? CAn you post the o/p of /etc/shadow   Thanks ... View more

The logs report that User vphfpt firmly rejected by MS-CHAP-V2 auth method (refer below). Have you enabled the Password stored as clear text option in the AUTH Server configuration ? If not can youtry this option please ?   info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Authenticating user vphfpt with authentication method MS-CHAP-V2 info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Request::Authenticate called. Username is vphfpt info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Client supplies MSCHAP2 password info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)MsChapV2Request::ForwardCredentials info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)User vphfpt firmly rejected by MS-CHAP-V2 auth method info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)ProcessAuthMethod Returned TRY NEXT info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Unable to find user vphfpt with matching password info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)User vphfpt being passed to Auth-Final-Response control point method . info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)----------------------------------------------------------- info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Authentication Response (reject) info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Packet : Code = 0x3 ID = 0xfa info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)Vector = info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)000: 8f958ad7 0635ba3d 4e0231cf 3e359b55 |.....5.=N.1.>5.U| info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)MS-CHAP-Error : Value = info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)000: fa453d36 39312052 3d302020 563d33 |.E=691 R=0 V=3 | info - [127.0.0.1] - System()[] - 2013/10/04 02:18:45 - (b0da4250)-----------------------------------------------------------   ... View more

Would it be possible for you to enable radius diagnostic logging and provide the logs after capturing the failure event. Troubleshooting -->  Monitoring  --> RADIUS ... View more

Can you attach the logs, User access logs as well as Radius troubleshooting logs. In order to enable the Radius logs use Troubleshooting --> Monitoring --> Radius Ensure you recreate the failure and collect these logs   The config looks OK for the most of it, however can you try with only a single realm (vpn user) in the Sigining in Policies   Thanks ... View more