

 

[MAG/UAC] How to use the Radius Test Rig Utility to test RADIUS on an IC

Knowledge Base ID: KB11941
Last Updated: 26 Dec 2012
Version: 5.0

Summary:
To verify that RADIUS for non-802.1X based clients is working with the IC running UAC 2.1 or 2.2 and its configured authentication servers, use the RADIUSTest utility.

Problem or Goal:
Having difficulties getting a non-802.1X client to authenticate against an Infranet Controller running UAC 2.1 or UAC 2.2.

Cause:

Solution:

Juniper Networks has a simple RADIUS test utility known as “RadiusTest”. This utility acts as a RADIUS client and can perform PAP and CHAP RADIUS authentications as well as generate accounting starts and stops.


This article is split into two sections:

  • Section 1 : How to set up the IC to allow the RADIUSTest utility to authenticate

  • Section 2 : How to use the RADIUSTest utility to generate RADIUS authentications to the IC

Section 1 : How to set up the IC to allow the RADIUSTest utility to authenticate

This document does not go into detail on configuring the IC step by step; it is assumed there is a working knowledge of the IC and its various configuration methods.

step1 Create or modify an Authentication Protocol set. Be sure to add PAP and CHAP as the authentication protocols:

step2 (Optional) Add a new RADIUS Location Group.

  • If you do not have an existing RADIUS Location group, add one to the IC.
  • Associate the RADIUS client that you will create in step 3 to a location group.
  • If you have an existing location group, you can skip this step.

step3 Add a new RADIUS client entry on the IC device.

Determine the IP address of the PC that will run the RADIUSTest utility. Once you have this, create the RADIUS client entry on the IC. Make note of the shared secret used, as you will need to supply it in the RADIUSTest utility.


note: In the example above, we specified 255 addresses in the range. We did this because the test workstation is on a DHCP-enabled network. Instead of re-editing the RADIUS client entry whenever the workstation address changes, this feature allows any IP address in the range to send traffic.

step4 Verify the sign-in policy, authentication realm, authentication server, authentication roles and role mappings are configured.

As with all configurations on the IC, configure the following to allow users to log in to UAC:
  1. Sign-in Policy
  2. Authentication Server
  3. Authentication Realm
  4. User roles
  5. Role mapping rules to assign roles
Note: This document will not go into detail on how to configure the above items. For assistance on these topics, please refer to the UAC Administrators Guide.

Section 2 : How to use the RADIUSTest utility to generate RADIUS authentications to the IC

The following section discusses the use of the Juniper RADIUSTest utility. Once you have downloaded the utility from the Juniper Web Site, unzip the contents into a separate folder on your local workstation.


step1 Download the utility by clicking: RadiusTest.zip

  • The utility will run on Windows 2000, XP and 2003 Server.
  • If you are using a firewall on your local PC, you need to ensure that you allow UDP 1645, 1646, 1812 and 1813 through the firewall.

step2 Verify that all files are present. The following list of files should be available once extracted. The main file we will be editing is radtest.ini. This is the configuration file used when radtest.exe is executed.

RADTEST Folder


step3 Open the radtest.ini file in your preferred editor.

Scroll down the file until you locate the [Config] section. This is the section that defines which ports will be used by the RADIUSTest utility when it communicates with the IC. Below are the default values:

[Config]
Acct-Session-Length = 5000
Radius-Acct-Port = 1646
Radius-Auth-Port = 1645
Raw = off
Request-Retries = 4
Time-Between-Retries = 1000

NOTE : The default RADIUS ports are UDP 1645 for authentication and UDP 1646 for accounting. These values can be changed to UDP 1812 and UDP 1813 for authentication and accounting respectively. The IC will accept either set of ports.


step4 Scroll down the file to the [Auth-Attribs] section. Below are the default values:

[Auth-Attribs]
User-Name=<gui-username>
User-Password=<gui-password>
CHAP-Password=<gui-password>
NAS-IP-Address=1.2.3.4
NAS-Port=<nas-port-value>
NAS-Port-Type=2
Annex-Transmit-Speed=64000
Annex-Receive-Speed=64000
Annex-Domain-Name="TEST1"
Annex-SW-Version=100

  • Edit the NAS-IP-Address value to reflect the IP address of your workstation. There is no need to edit the other values unless otherwise directed by Juniper Support Staff.
  • Save the file and move to the next step.


step5 Launch the radtest.exe application. You should see the following screen.

Radius Test Screen


step6 Enter your user credentials in the Name and Password fields. This user must have a valid login to the IC in order for the test to succeed.

Checking the “Mask Password” checkbox causes the test utility to display asterisks (*) instead of the actual password.

RADTEST Name and PW


step7 Select your authentication type, either PAP or CHAP. This determines which authentication protocol is used when creating the RADIUS request.


step8 Enter the Name and Shared Secret for the IC that was created in Step 3 of Section 1.

  • The Name field should be either the IP address or the DNS name of the IC.
  • You can select the “Mask Shared Secret” checkbox to hide the shared secret.

RADTEST Server Info

step9 Click the Execute button to start the test.


step10 Refer to the Authentication section in the top right of the RADIUSTest utility screen for the result of the test.

RADIUSTest Execute.JPG

note: Possible results you can see in the RADIUSTest utility

  • Success – The test succeeded
  • Reject – The authentication was rejected by the IC. You will need to refer to the IC’s User Access Log for failure reasons.
  • Timed Out - This result indicates that the RADIUSTest utility did not receive an answer from the IC. Typical causes of this result include:
    • Network communication issue between the host PC and the IC
    • The IC does not recognize the host PC’s IP address as a registered RADIUS client.
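
Added example (not part of the original article and not Juniper's RadiusTest code): a Python RADIUS client for this test, showing how the PAP or CHAP choice from step 7 is encoded with the shared secret and how a reply maps to the Success, Reject and Timed Out results above. The function names, the extra "Invalid" result, and the retry and wait defaults are assumptions of this example.

```python
import hashlib, hmac, ipaddress, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def attr(t, value):  # encode one attribute as type, length, value
    return bytes([t, len(value) + 2]) + value

def pap_hide(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 chain."""
    padded = (password + b"\x00" * (-len(password) % 16)) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_request(user, password, secret, nas_ip, ident, authenticator, chap=False):
    """Build an Access-Request using PAP (attribute 2) or CHAP (attribute 3)."""
    attrs = attr(1, user)
    if chap:  # challenge = Request Authenticator, so no CHAP-Challenge attribute
        digest = hashlib.md5(bytes([ident]) + password + authenticator).digest()
        attrs += attr(3, bytes([ident]) + digest)
    else:
        attrs += attr(2, pap_hide(password, secret, authenticator))
    attrs += attr(4, ipaddress.IPv4Address(nas_ip).packed)  # NAS-IP-Address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def classify(reply, request, secret):
    """Check the Response Authenticator, then map the reply code to a result name."""
    if len(reply) < 20:
        return "Invalid"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "Invalid"  # shared secret mismatch or a reply to another request
    return {ACCESS_ACCEPT: "Success", ACCESS_REJECT: "Reject"}.get(code, "Invalid")

def run_test(server, port, request, secret, retries=4, wait=1.0):
    """Send the request; no answer after all retries is reported as Timed Out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        for _ in range(retries):
            s.sendto(request, (server, port))
            try:
                return classify(s.recv(4096), request, secret)
            except OSError:  # timeout or ICMP unreachable: retry
                continue
    return "Timed Out"
```

Generate the 16-byte Request Authenticator with os.urandom(16) for each request, and pass user name, password and shared secret as bytes.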

step11 Optionally, enable the Accounting test in the RADIUSTest utility.

The IC uses the Accounting Start and Accounting Stop packets to record when a non-Odyssey Access Client has signed in to and signed out from the IC. The “Delay” values delay the sending of the start or stop. The Delay in the Accounting stop is used to simulate the length of the user’s session on the IC.

Purpose:
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.