
Creating SBR Filters for versions 6.0 and 6.1.


Article ID: KB13221 KB Last Updated: 08 Mar 2017 Version: 3.0
Summary:
If TTLS or PEAP authentication fails when checklist or return list attributes are in use, a filter may be required. TTLS and PEAP are tunneled authentication methods: when either is used, a tunnel is created to the network access server. By default, checklist attributes are outside the tunnel, whereas return list attributes are inside it. SBR can be used to send the checklist attributes through the tunnel. Note that return list attributes will need to be moved outside the tunnel.

Symptoms:

TTLS or PEAP Authentication fails

Solution:
Create a filter to allow Checklist attributes to go through the tunnel or a filter to send Return list attributes outside the tunnel.

To set up a filter, first go to the filter area in the admin GUI. Select Filters.

Click Add to create a new filter.

This will open the Add Filter dialog to allow creation of a filter. Enter a Filter name, and then click Add to create the rule.

For this example, the filter was named peap_transfer.

In the Add Rule dialog box, select the Allow radio button, then set the name to NAS-IP-Address. Click OK.

Go to Authentication Policies > EAP Methods > EAP-PEAP. Click Edit.

When the Edit PEAP Authentication Method dialog box is displayed, on the Request Filters tab, check the top two boxes and add the new filter created to both options. Your new filter should appear in the pull-down list.

At this point the NAS-IP-Address will be sent through, allowing users to log in. If you use different attributes, add each of them to the filter: through the tunnel for checklist attributes, or outside of the tunnel for return list attributes. For return list attributes, click the Response Filters tab rather than the Request Filters tab.
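
The behaviour described in this article, as a simplified Python model added here for illustration; it is not SBR code or configuration. The function names, the sample attribute values, the `RETURN_TRANSFER` filter and the default-exclude filter behaviour are assumptions of the model.

```python
# Simplified model of attribute handling around a PEAP/TTLS tunnel.
# Illustration only: not SBR code; all names and values are constructed.

def apply_filter(rules, attrs, default="exclude"):
    """Keep attributes whose rule is "allow"; unlisted ones get `default`
    (default-exclude is an assumption of this model)."""
    return {k: v for k, v in attrs.items() if rules.get(k, default) == "allow"}

def inner_request(outer, inner, request_filter=None):
    """Request seen by the inner authentication. Outer attributes cross
    into the tunnel only through a request filter; inner values win."""
    moved = apply_filter(request_filter, outer) if request_filter else {}
    return {**moved, **inner}

def authenticate(outer, inner, checklist, return_list,
                 request_filter=None, response_filter=None):
    """Return (accepted, attributes delivered to the NAS)."""
    req = inner_request(outer, inner, request_filter)
    if any(req.get(k) != v for k, v in checklist.items()):
        return False, {}
    # Return list attributes stay inside the tunnel unless a response
    # filter moves them to the outer response.
    sent = apply_filter(response_filter, return_list) if response_filter else {}
    return True, sent

# Constructed sample data
OUTER = {"User-Name": "anonymous", "NAS-IP-Address": "192.0.2.10",
         "NAS-Port-Type": "Wireless-802.11"}
INNER = {"User-Name": "alice"}
CHECKLIST = {"NAS-IP-Address": "192.0.2.10"}
RETURN_LIST = {"Session-Timeout": "3600"}
PEAP_TRANSFER = {"NAS-IP-Address": "allow"}      # the rule from this article
RETURN_TRANSFER = {"Session-Timeout": "allow"}   # hypothetical response filter

if __name__ == "__main__":
    print(authenticate(OUTER, INNER, CHECKLIST, RETURN_LIST))
    print(authenticate(OUTER, INNER, CHECKLIST, RETURN_LIST, PEAP_TRANSFER))
    print(authenticate(OUTER, INNER, CHECKLIST, RETURN_LIST,
                       PEAP_TRANSFER, RETURN_TRANSFER))
    print(inner_request(OUTER, INNER, PEAP_TRANSFER))
```

Because the filter allows only NAS-IP-Address, the other outer attributes in the sample (the anonymous outer User-Name and NAS-Port-Type) do not cross into the inner request.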
