
[SRX] Pulse client reports 'Incorrect Credentials' error (using RADIUS Authentication)


Article ID: KB17335 | KB Last Updated: 21 Feb 2020 | Version: 7.0
Summary:

When trying to connect the Pulse client to the SRX, the process fails with the following messages:

Status of connection results: "Failed"
Details: "Incorrect Credentials"

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

 

Symptoms:

The Pulse client attempts to log in to the SRX but does not connect. The Pulse window reports Connection Status: "Failed" / Details: "Incorrect Credentials".

Solution:

NOTE: If you are using local authentication (where the SRX is authenticating users directly), instead refer to KB22893 - Pulse client reports 'Incorrect Credentials' error (using Local Authentication).

This error message occurs in the following situations:

  • The username or password has been entered incorrectly.
  • The shared secret for the RADIUS server is configured incorrectly in the SRX.
  • The SRX cannot reach the RADIUS server.
  • The user does not exist in the RADIUS server.
  • The subscriber-management process is disabled.

Perform the following steps to correct the error:

 

  1. If you have not already tried, re-enter the username and password. The username may be case sensitive, depending on the RADIUS server.
  2. Are the system processes, subscriber-management and subscriber-management-helper, disabled?

    user@srx# show system processes
    subscriber-management disable;    
    subscriber-management-helper disable;

    • Yes - Re-enable the processes. Delete the configuration as below and commit:

      user@srx# delete system processes subscriber-management
      user@srx# delete system processes subscriber-management-helper
      user@srx# commit

    • No - Continue with Step 3.
  3. Examine the access configuration on the SRX using the command show access or show access profile <profile>.  An example access profile is:
    root@srx# show access
    profile radius-auth {
         authentication-order radius;
         radius-server {
             172.30.73.206 secret "$ABC123"; ## SECRET-DATA
         }
    }

     
    When users authenticate from Pulse, the system selects the profile to use based on what is listed under security -> dynamic-vpn -> access-profile. Make sure the access-profile listed here is the profile you intended to use.

    root@srx# show security dynamic-vpn
    access-profile radius-auth;     <---------
    clients {
        users {
           remote-protected-resources {
              192.198.3.0/24;
           }
           remote-exceptions {
              0.0.0.0/0;
           }
           ipsec-vpn dynvpn;
           user {
              user1;
           }
       }
    }
  4. If the access profile is correct, check the authentication order. Since more than one authentication method can be specified, make sure that your authentication-order is correct. If no authentication-order statement is included, the default behavior is to use local and then RADIUS (if a RADIUS server is defined). The authentication order can be checked using the show access output or specifically using the command show access profile <profile-name> authentication-order. Below is an example of a profile with the authentication order set to only use RADIUS authentication:

    root@srx# show access profile user-auth-profile
    authentication-order radius;
  5. Check the RADIUS server reachability from the SRX.  Also make sure that the ports that the RADIUS server uses are allowed through any firewalls which might be between the RADIUS server and the SRX. 
  6. Review the debug logs on the RADIUS server. The common items to check are:
    •  Do you see the request coming from the SRX for the user in question?
    •  Is the SRX allowed as a Radius-Client?
    •  Are the user credentials reported as 'accepted' in the RADIUS logs?
    If you cannot determine the problem from the RADIUS logs, then continue with Step 7.
  7. Set the following authentication debug commands on the SRX to capture all authentication debugs to the file named auth-debug:

    Note: SRX will capture all authentication debugs to a log file named 'authd' by default, if the filename option is not specified in the configuration.

    user@srx# set system processes general-authentication-service traceoptions file auth-debug
    user@srx# set system processes general-authentication-service traceoptions flag all
    user@srx# run clear log auth-debug
    user@srx# commit


    [Have user attempt to connect and login again]

    user@srx> show log auth-debug

    Note: Make sure to deactivate traceoptions to prevent trace files from taking up storage space with the command:
    user@srx# deactivate system processes general-authentication-service traceoptions
  8. Review the output of the auth-debug file.  Look for the username that is unable to connect.  Below are samples of the debug output that you can compare yours to.

    Debug output of successful authentication with RADIUS user:
    May  8 04:42:29 Auth-FSM: Process Auth-Request for session-id:9274600534156033537
    May  8 04:42:29 Framework: Starting authentication
    May  8 04:42:29 authd_advance_module_for_aaa_request_msg: result:0
    May  8 04:42:29 Authd module start
    May  8 04:42:29 authd_radius_start_auth: Starting RADIUS authentication
    May  8 04:42:29 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=user1
    May  8 04:42:29 AUTHEN - module(radius) return: ASYNC
    May  8 04:42:29 RADIUS server 172.18.66.10:1812 was used for last request
    May  8 04:42:29 Radius result is CLIENT_REQ_STATUS_SUCCESS
    May  8 04:42:29 Vendor-Id: 0 Attribute Type:Class(25) Value:string-type  Length:100
    May  8 04:42:29 authd_radius_parse_message:generic-type:25
    May  8 04:42:29 authd_radius_parse_message:generic-type:8
    May  8 04:42:29 Framework - module(radius) return: SUCCESS
    May  8 04:42:29 authd_advance_module_for_aaa_response_msg: result:2


    Debug output when the user does not exist on the RADIUS server:

    May  8 04:33:34 ###################################################################
    May  8 04:33:34 Auth-FSM: Process Auth-Request for session-id:9274600525566262640
    May  8 04:33:34 Framework: Starting authentication
    May  8 04:33:34 authd_advance_module_for_aaa_request_msg: result:0
    May  8 04:33:34 Authd module start
    May  8 04:33:34 authd_radius_start_auth: Starting RADIUS authentication
    May  8 04:33:34 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=user1
    May  8 04:33:34 AUTHEN - module(radius) return: ASYNC
    May  8 04:33:34 RADIUS server 172.18.66.10:1812 was used for last request
    May  8 04:33:34 Radius result is CLIENT_REQ_STATUS_SUCCESS
    May  8 04:33:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:38
    May  8 04:33:34 authd_radius_parse_message:generic-type:18
    May  8 04:33:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:36
    May  8 04:33:34 authd_radius_parse_message:generic-type:18
    May  8 04:33:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:15
    May  8 04:33:34 authd_radius_parse_message:generic-type:18
    May  8 04:33:34 Framework - module(radius) return: FAILURE
    May  8 04:33:34 authd_advance_module_for_aaa_response_msg: result:3

    Debug output when the client types the incorrect password (bad password):
    May  8 04:45:51 ###################################################################
    May  8 04:45:51 Auth-FSM: Process Auth-Request for session-id:9274600538450786892
    May  8 04:45:51 Framework: Starting authentication
    May  8 04:45:51 authd_advance_module_for_aaa_request_msg: result:0
    May  8 04:45:51 Authd module start
    May  8 04:45:51 authd_radius_start_auth: Starting RADIUS authentication
    May  8 04:45:51 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=user1
    May  8 04:45:51 AUTHEN - module(radius) return: ASYNC
    May  8 04:45:51 RADIUS server 172.18.66.10:1812 was used for last request
    May  8 04:45:51 Radius result is CLIENT_REQ_STATUS_SUCCESS
    May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:38
    May  8 04:45:51 authd_radius_parse_message:generic-type:18
    May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:36
    May  8 04:45:51 authd_radius_parse_message:generic-type:18
    May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:15
    May  8 04:45:51 authd_radius_parse_message:generic-type:18
    May  8 04:45:51 Framework - module(radius) return: FAILURE
    May  8 04:45:51 authd_advance_module_for_aaa_response_msg: result:3
  9. If the issue is still not resolved after completing the above procedure, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative or with the RADIUS server vendor as required.
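
The trace review in Step 8 can be scripted. The following is an added example (not Juniper code and not part of the original article) that groups auth-debug lines by Auth-Request and reports the profile, username, RADIUS server and final verdict of each attempt. The sample input is excerpted from the traces above; the function names and the NO-VERDICT label are assumptions of this example.

```python
import re

# Sample input: lines excerpted (trimmed) from this article's sample traces.
SAMPLE_TRACE = """\
May  8 04:42:29 Auth-FSM: Process Auth-Request for session-id:9274600534156033537
May  8 04:42:29 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=user1
May  8 04:42:29 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:42:29 Framework - module(radius) return: SUCCESS
May  8 04:45:51 Auth-FSM: Process Auth-Request for session-id:9274600538450786892
May  8 04:45:51 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=user1
May  8 04:45:51 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:38
May  8 04:45:51 Framework - module(radius) return: FAILURE
"""

SESSION = re.compile(r"Process Auth-Request for session-id:(\d+)")
PARAMS = re.compile(r"got params\s+profile=([^,\s]+),\s*username=(\S+)")
SERVER = re.compile(r"RADIUS server (\S+) was used for last request")
ATTR = re.compile(r"Attribute Type:([\w-]+)\(\d+\)")
RESULT = re.compile(r"Framework - module\((\w+)\) return: (\w+)")

def summarize(trace):
    """Group trace lines by Auth-Request and return one dict per attempt."""
    attempts, cur = [], None
    for line in trace.splitlines():
        if m := SESSION.search(line):
            cur = {"session": m.group(1), "time": line[:15], "profile": None, "username": None,
                   "server": None, "attrs": [], "result": "NO-VERDICT"}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore lines that precede the first Auth-Request
        elif m := PARAMS.search(line):
            cur["profile"], cur["username"] = m.groups()
        elif m := SERVER.search(line):
            cur["server"] = m.group(1)
        elif m := ATTR.search(line):
            cur["attrs"].append(m.group(1))
        elif m := RESULT.search(line):
            cur["result"] = m.group(2)  # SUCCESS or FAILURE in the article's samples
    return attempts

def failures_for(trace, username):
    """Attempts for one user that did not end in SUCCESS (FAILURE or no verdict logged)."""
    return [a for a in summarize(trace)
            if a["username"] == username and a["result"] != "SUCCESS"]

if __name__ == "__main__":
    for a in summarize(SAMPLE_TRACE):
        print(a["time"], a["username"], a["profile"], a["server"], a["result"], a["attrs"])
```

In the article's samples the SRX-side trace is the same for an unknown user and for a bad password, so a FAILURE verdict only shows that the RADIUS server rejected the request; the RADIUS server's own logs (Step 6) are what distinguish the two cases.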
Modification History:
2020-02-21: minor non-technical edits.
