Knowledge Center Search
|
|
[KB11941] Show KB Properties
[KB11941] Hide KB PropertiesProblem or Goal:
Cause:
Solution:
Juniper Networks has a simple RADIUS test utility known as “RadiusTest”. This utility will act as a RADIUS client and can perform PAP and CHAP RADIUS authentications as well as generating accounting starts and stops.
This article is split into two sections:
- Section 1 : How to setup the IC to allow the RADIUSTest utility to authenticate
- Section 2 : How to use the RADIUSTest utility to generate RADIUS authentications to the IC
Section 1 : How to setup the IC to allow the RADIUSTest utility to authenticate
This document does not go into detail on configuring the IC step by step; it is assumed there is a working knowledge of the IC and its various configuration methods.
Create or modify an Authentication Protocol set. Be sure to add PAP and CHAP as the authentication protocols:
(Optional) Add a new RADIUS Location Group.
- If you do not have an existing RADIUS Location group, add one to the IC.
- Associate the RADIUS client that you will create in step 3 to a location group.
- If you have an existing location group, you can skip this step
Add a new Radius client entry on the IC device.
Determine the IP address of the PC that will run the RADIUSTest utility. Once you have this, create the RADIUS CLIENT entry on the IC. Make note of the shared secret used as you will need to supply it in the RADIUSTest utilty.
In the example above, we specified 255 addresses in the range. We did this as the test workstation is on a DHCP enabled network. Instead of re-editing the Radius client entry whenever the workstation address changes, this feature allows any IP address in the range to send traffic
Verify the sign-in policy, authentication realm, authentication server, authentication roles and role mappings are configured.
As with all configurations on the IC, configure the following to allow users to login to UAC:Note: This document will not go into detail on how to configure the above items. For assistance on these topics, please refer to the UAC Administrators Guide
- Sign-in Policy
- Authentication Server
- Authentication Realm
- User roles
- Role mapping rules to assign roles
Section 2 : How to use the RADIUSTest utility to generate RADIUS authentications to the IC
The following section will discuss the use of the Juniper RADIUSTest utility. Once you have downloaded the utility from the Juniper Web Site, unzip the contents into a separate folder on your local workstation
Download the utility by clicking: RadiusTest.zip
- The utility will run on Windows 2000, XP and 2003 Server.
- If you are using a firewall on your local PC, you need to ensure that you allow UDP1645, 1646, 1812 and 1813 through the firewall.
Verify that all files are present. The following list of files should be available once extracted. The main file we will be editing is the radtest.ini. This is the configuration file used when the radtest.exe is executed.
Open the radtest.ini file in your preferred editor
Scroll down the file until you locate the [Config] section. This is the section that defines which ports will be used by the RADIUSTest utility when it communicates with the IC. Below are the default values
[Config]
Acct-Session-Length = 5000
Radius-Acct-Port = 1646
Radius-Auth-Port = 1645
Raw = off
Request-Retries = 4
Time-Between-Retries = 1000NOTE : The default RADIUS ports are UDP 1645 for authentication and UDP 1646 for accounting. These values can be changed to UDP 1812 and UDP 1813 for authentication and accounting respectively. The IC will accept either set of ports.
Scroll down the file to the [Auth-Attribs] section. Below are the default values
[Auth-Attribs]
User-Name=<gui-username>
User-Password=<gui-password>
CHAP-Password=<gui-password>
NAS-IP-Address=1.2.3.4
NAS-Port=<nas-port-value>
NAS-Port-Type=2
Annex-Transmit-Speed=64000
Annex-Receive-Speed=64000
Annex-Domain-Name="TEST1"
Annex-SW-Version=100- Edit the NAS-IP-Address value to reflect the IP address of your workstation. There is no need to edit the other values unless otherwise directed by Juniper Support Staff.
- Save the file and move to the next step.
Launch the radtest.exe application. You should see the following screen.
Enter your user credentials in the Name and Password fields. This user will obviously need to have a valid login to the IC in order for the test to succeed.
If you check the “Mask Password” checkbox, this will cause the test utility to display asterisks (*) instead of the actual password
Select your authentication type, either PAP or CHAP. This will determine which authentication protocol is used when creating the RADIUS request
Enter the Name and Shared Secret for the IC that was created in Step 3 of Section 1.
- The Name section should either be the IP address or DNS name of the IC
- You can select the “Mask Shared Secret” checkbox to hide the shared secret
Click the Execute button to start the test.
Refer to the Authentication section in the top right of the RADIUSTest utility screen for the result of the test.
Possible results you can see in the RADIUSTest utility
- Success – The test succeeded
- Reject – The authentication was rejected by the IC. You will need to refer to the IC’s User Access Log for failure reasons
- Timed Out - This result indicates that the RADIUSTest utility did not receive an answer from the IC. Typical causes of this result include:
- Network communication issue between the host PC and the IC
- The IC does not recognize the host PC’s IP address as a registered RADIUS client.
Optionally, enable the Accounting test in the RADIUSTest utility.
The IC will use the Accounting Start and Accounting Stop packets to record when a non-Odyssey Access Client has signed and signed out from the IC. The “Delay” values are designed for just that, delaying the sending of the start or stop. The Delay in the Accounting stop is basically used to simulate the length of the user’s session on the IC.
ASK THE KB
Question or KB ID:
