[SRX] Pulse client reports 'Incorrect Credentials' error (using RADIUS Authentication)

  [KB17335]


Summary:

When trying to connect the Pulse client to the SRX, the process fails with the following messages:

Status of connection results: "Failed"
Details: "Incorrect Credentials"

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

Symptoms:

The Pulse client attempts to log in to the SRX but does not connect. The Pulse window reports Connection Status: "Failed" / Details: "Incorrect Credentials".


Cause:

Solution:

NOTE: If you are using local authentication (where the SRX is authenticating users directly), refer instead to KB22893 - Pulse client reports 'Incorrect Credentials' error (using Local Authentication).

This error message occurs in the following situations:

  • The username or password has been entered incorrectly.
  • The shared secret for the RADIUS server is configured incorrectly in the SRX.
  • The SRX cannot reach the RADIUS server.
  • The user does not exist in the RADIUS server.
  • The subscriber management process is disabled.

Perform the following steps to correct the error:

Step 1. If you have not already tried, re-enter the username and password. The username may be case sensitive, depending on the RADIUS server.


Step 2. Are the system processes subscriber-management and subscriber-management-helper disabled?

user@srx# show system processes
subscriber-management disable;
subscriber-management-helper disable;

  • Yes - Re-enable the processes by deleting the configuration as shown below and committing:

      user@srx# delete system processes subscriber-management
      user@srx# delete system processes subscriber-management-helper
      user@srx# commit

  • No - Continue with Step 3.

Step 3. Examine the access configuration on the SRX using the command show access or show access profile <profile>.  An example access profile is:

root@srx# show access
profile radius-auth {
     authentication-order radius;
     radius-server {
         172.30.73.206 secret "$9 $bns4JGHU"; ## SECRET-DATA
     }
}

When users authenticate from Pulse, the system selects the profile listed under security -> dynamic-vpn -> access-profile. Make sure the access-profile listed here is the profile you intended to use.

root@srx# show security dynamic-vpn
access-profile radius-auth;     <---------
clients {
    users {
       remote-protected-resources {
          192.198.3.0/24;
       }
       remote-exceptions {
          0.0.0.0/0;
       }
       ipsec-vpn dynvpn;
       user {
          user1;
       }
   }
}


Step 4. If the access profile is correct, check the authentication order. Because more than one authentication method can be specified, make sure that your authentication-order is correct. If no authentication-order statement is included, the default behavior is to use local and then RADIUS (if a RADIUS server is defined). The authentication order can be checked using the show access output, or specifically using the command show access profile <profile-name> authentication-order. Below is an example of a profile with the authentication order set to use only RADIUS authentication:

root@srx# show access profile user-auth-profile authentication-order radius;

Step 5. Check the RADIUS server reachability from the SRX.  Also make sure that the ports that the RADIUS server uses are allowed through any firewalls which might be between the RADIUS server and the SRX. 


Step 6. Review the debug logs on the RADIUS server. The common items to check are:

  • Do you see the request coming from the SRX for the user in question?
  • Is the SRX allowed as a Radius-Client?
  • Are the user credentials reported as 'accepted' in the RADIUS logs?

If you cannot determine the problem from the RADIUS logs, then continue with Step 7.


Step 7.   Set the following authentication debug commands on the SRX to capture all authentication debugs to the file named auth-debug:

Note: SRX will capture all authentication debugs to a log file named 'authd' by default, if the filename option is not specified in the configuration.

user@srx# set system processes general-authentication-service traceoptions file auth-debug
user@srx# set system processes general-authentication-service traceoptions flag all
user@srx# run clear log auth-debug
user@srx# commit

[Have user attempt to connect and login again]

user@srx> show log auth-debug

Note: Make sure to deactivate traceoptions to prevent trace files from taking up storage space with the command:
user@srx# deactivate system processes general-authentication-service traceoptions


Step 8.  Review the output of the auth-debug file.  Look for the username that is unable to connect.  Below are samples of the debug output that you can compare yours to.

Debug output of successful authentication with RADIUS user:

May  8 04:42:29 Auth-FSM: Process Auth-Request for session-id:9274600534156033537
May  8 04:42:29 Framework: Starting authentication
May  8 04:42:29 authd_advance_module_for_aaa_request_msg: result:0
May  8 04:42:29 Authd module start
May  8 04:42:29 authd_radius_start_auth: Starting RADIUS authentication
May  8 04:42:29 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=jack
May  8 04:42:29 AUTHEN - module(radius) return: ASYNC
May  8 04:42:29 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:42:29 Radius result is CLIENT_REQ_STATUS_SUCCESS
May  8 04:42:29 Vendor-Id: 0 Attribute Type:Class(25) Value:string-type  Length:100
May  8 04:42:29 authd_radius_parse_message:generic-type:25
May  8 04:42:29 authd_radius_parse_message:generic-type:8
May  8 04:42:29 Framework - module(radius) return: SUCCESS
May  8 04:42:29 authd_advance_module_for_aaa_response_msg: result:2


Debug output when the user does not exist on the RADIUS server:

May  8 04:33:34 ###################################################################
May  8 04:33:34 Auth-FSM: Process Auth-Request for session-id:9274600525566262640
May  8 04:33:34 Framework: Starting authentication
May  8 04:33:34 authd_advance_module_for_aaa_request_msg: result:0
May  8 04:33:34 Authd module start
May  8 04:33:34 authd_radius_start_auth: Starting RADIUS authentication
May  8 04:33:34 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=jack
May  8 04:33:34 AUTHEN - module(radius) return: ASYNC
May  8 04:33:34 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:33:34 Radius result is CLIENT_REQ_STATUS_SUCCESS
May  8 04:33:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:38
May  8 04:33:34 authd_radius_parse_message:generic-type:18
May  8 04:33:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:36
May  8 04:33:34 authd_radius_parse_message:generic-type:18
May  8 04:33:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:15
May  8 04:33:34 authd_radius_parse_message:generic-type:18
May  8 04:33:34 Framework - module(radius) return: FAILURE
May  8 04:33:34 authd_advance_module_for_aaa_response_msg: result:3

Debug output when the client types the incorrect password (bad password):

May  8 04:45:51 ###################################################################
May  8 04:45:51 Auth-FSM: Process Auth-Request for session-id:9274600538450786892
May  8 04:45:51 Framework: Starting authentication
May  8 04:45:51 authd_advance_module_for_aaa_request_msg: result:0
May  8 04:45:51 Authd module start
May  8 04:45:51 authd_radius_start_auth: Starting RADIUS authentication
May  8 04:45:51 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=jack
May  8 04:45:51 AUTHEN - module(radius) return: ASYNC
May  8 04:45:51 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:45:51 Radius result is CLIENT_REQ_STATUS_SUCCESS
May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:38
May  8 04:45:51 authd_radius_parse_message:generic-type:18
May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:36
May  8 04:45:51 authd_radius_parse_message:generic-type:18
May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:15
May  8 04:45:51 authd_radius_parse_message:generic-type:18
May  8 04:45:51 Framework - module(radius) return: FAILURE
May  8 04:45:51 authd_advance_module_for_aaa_response_msg: result:3
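
To compare a long auth-debug file against the samples above, the following added example (not Juniper code) groups trace lines into one record per login attempt. The function name summarize, the INCOMPLETE label for an attempt with no final Framework result line, and the assumption that attempts are logged one after another without interleaving are all choices made for this example.

```python
import re

# Sample input: lines trimmed from the auth-debug excerpts in Step 8.
SAMPLE = """\
May  8 04:42:29 Auth-FSM: Process Auth-Request for session-id:9274600534156033537
May  8 04:42:29 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=jack
May  8 04:42:29 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:42:29 Vendor-Id: 0 Attribute Type:Class(25) Value:string-type  Length:100
May  8 04:42:29 Framework - module(radius) return: SUCCESS
May  8 04:45:51 Auth-FSM: Process Auth-Request for session-id:9274600538450786892
May  8 04:45:51 authd_radius_build_basic_auth_request: got params  profile=XAUTH-USER, username=jack
May  8 04:45:51 RADIUS server 172.18.66.10:1812 was used for last request
May  8 04:45:51 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type  Length:38
May  8 04:45:51 Framework - module(radius) return: FAILURE
"""

PATTERNS = {
    "session": re.compile(r"Auth-FSM: Process Auth-Request for session-id:(\d+)"),
    "params": re.compile(r"got params\s+profile=([^,\s]+),\s*username=(\S+)"),
    "server": re.compile(r"RADIUS server (\S+) was used for last request"),
    "attr": re.compile(r"Attribute Type:([\w-]+)\(\d+\)"),
    "result": re.compile(r"Framework - module\((\w+)\) return: (SUCCESS|FAILURE)"),
}

def summarize(text):
    """Group trace lines by session-id and return one dict per login attempt."""
    sessions = []
    for line in text.splitlines():
        hits = {k: p.search(line) for k, p in PATTERNS.items()}
        if hits["session"]:
            # New attempt; result stays INCOMPLETE until SUCCESS/FAILURE is logged.
            sessions.append({"session": hits["session"].group(1), "profile": None,
                             "username": None, "server": None, "attrs": [],
                             "module": None, "result": "INCOMPLETE"})
        elif sessions:
            cur = sessions[-1]
            if hits["params"]:
                cur["profile"], cur["username"] = hits["params"].groups()
            elif hits["server"]:
                cur["server"] = hits["server"].group(1)
            elif hits["attr"]:
                cur["attrs"].append(hits["attr"].group(1))
            elif hits["result"]:
                cur["module"], cur["result"] = hits["result"].groups()
    return sessions

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

The "user does not exist" and "bad password" samples above contain the same trace lines apart from timestamp and session-id, so they produce the same summary; the RADIUS server log from Step 6 is what tells them apart.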



Step 9. If the issue is still not resolved after completing the above procedure, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative or with the RADIUS server vendor as required.
