[SRX] Error “Invalid username or password specified” when trying to login to Dynamic VPN page (using Local Authentication)

Article ID: KB17420 KB Last Updated: 27 Feb 2020Version: 10.0
Summary:
This article describes the 'Invalid username or password specified' error that is generated when trying to log on to the Dynamic VPN page using local authentication.

This article is part of the Dynamic VPN Resolution Guide: KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

Symptoms:
  • When attempting to log in to the page at https://<SRX-IP> or https://<SRX-IP>/dynamic-vpn, the error 'Invalid username or password specified.' is displayed.
  • Local authentication is being used for the default web-authentication profile.


  •  
Solution:

NOTE: If you are using RADIUS authentication (where the SRX is sending an authentication request to a RADIUS server), instead refer to KB17421 - Error “Invalid username or password specified” when trying to login and download the Pulse client (using RADIUS Authentication).

This error can occur under the following conditions:

  • The username or password entered does not match what is configured in the access profile on the SRX.
  • The 'Access Configuration' (access profile) on the SRX is misconfigured.

To isolate the cause, perform the following steps:

  1. If you have not already done so, re-enter the username and password. Note that the username and password are case sensitive when using local authentication.
  2. If you still receive 'Invalid username or password specified' after re-entering the username and password, examine the access configuration using the command show access or show access profile <profile-name>.

    An example access profile with an IP pool is as follows:

    root@srx# show security dynamic-vpn
    access-profile local-user-auth-profile;
    clients {
        users {
            remote-protected-resources {
                192.198.3.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn dynvpn;
            user {
                user1;
            }
        }
    }

    root@srx# show access
    profile local-user-auth-profile {
        client user1 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
        client user2 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.1.0/24;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile local-user-auth-profile;
        }
    }


    When users authenticate from the page https://<SRX-IP>/dynamic-vpn/, the system determines which profile to use from the access-profile statement under security -> dynamic-vpn. Make sure the profile listed there is the profile you intended to use.
  3. If the access profile is correct, check the authentication order. Because more than one authentication method can be specified, make sure that your authentication-order is correct. If no authentication-order statement is configured, the default behavior is to use local authentication first and then RADIUS (if a RADIUS server is defined). The authentication order can be checked with the show access command, or specifically with show access profile <profile-name> authentication-order.
  4. If the authentication order is correct, make sure that the username entered matches a client name defined within the profile. Again, remember that the username is case sensitive.
  5. If the username is present and in the same case, re-enter the password using the config mode commands: 
    set access profile <profile-name> client <client-name> password <password>
    commit
  6. If the user is still unable to authenticate at this point, configure the following traceoptions (config mode) on the SRX to capture all authentication debugs to a log file, named 'authd' by default:
    set system processes general-authentication-service traceoptions flag all
    run clear log authd
    commit

    Have the user attempt to connect and log in again, and wait for the login to fail. Then check the log using the operational mode command below:
    show log authd | no-more


    NOTE: After capturing the logs, deactivate traceoptions so that trace files do not consume storage space, using "deactivate system processes general-authentication-service traceoptions" followed by commit.


    Review the output of the authd log and look for the username that is unable to connect. Below are samples of the debug output to compare yours against. For local authentication, three lines indicate where the failure occurs: the 'Local :' lines that report the profile lookup, the client lookup, and the password comparison.

    DEBUG OUTPUT EXAMPLE OF A BAD PASSWORD:

    May 23 01:35:26 ###################################################################
    May 23 01:35:26 ########################### AUTH REQ RCVD #########################
    May 23 01:35:26 ###################################################################
    May 23 01:35:26 Auth-FSM: Process Auth-Request for session-id:9248704806234225010
    May 23 01:35:26 Framework: Starting authentication
    May 23 01:35:26 authd_advance_module_for_aaa_request_msg: result:0
    May 23 01:35:26 Authd module start
    May 23 01:35:26 Local : authd_local_start_auth: got params profile=dynamic-vpn-users, username=MyUser
    May 23 01:35:26 Local : start authd_local_lookup
    May 23 01:35:26 Local : profile user-auth-profile found
    May 23 01:35:26 Local : client MyUser found
    May 23 01:35:26 Local : password mismatch for client MyUser

    May 23 01:35:26 authd_auth_module_start: Error in calling the radius start_auth
    May 23 01:35:26 AUTHEN - module(password) return: FAILURE
    May 23 01:35:26 Framework: auth result is 4. Performing post-auth operations
    May 23 01:35:26 Framework: result is 4.
    May 23 01:35:26 authd_auth_send_answer: conn is 101a780 result is 4, cookie=6 sub-id=9248704806234225010 rply_len=28 num_tlv_blocks=0
    May 23 01:35:26 authd_auth_aaa_msg_destroyauth_aaa_msg: 0xe0006c
    May 23 01:35:26 authd_write_conn: response is 0x101a7dc, total len is 28 and sent is 0
    May 23 01:35:26 authd_write_conn: response is 0x101a7dc, wrote 28 bytes



    DEBUG OUTPUT EXAMPLE OF A USERNAME NOT MATCHED (again, note case sensitivity):

    May 23 02:17:32 ###################################################################
    May 23 02:17:32 ########################### AUTH REQ RCVD #########################
    May 23 02:17:32 ###################################################################
    May 23 02:17:32 Auth-FSM: Process Auth-Request for session-id:9248704814823564895
    May 23 02:17:32 Framework: Starting authentication
    May 23 02:17:32 authd_advance_module_for_aaa_request_msg: result:0
    May 23 02:17:32 Authd module start
    May 23 02:17:32 Local : authd_local_start_auth: got params profile=dynamic-vpn-users, username=MYUSER
    May 23 02:17:32 Local : start authd_local_lookup
    May 23 02:17:32 Local : profile user-auth-profile found
    May 23 02:17:32 Local : client MYUSER NOT found
    << Note that the Username is case sensitive
    May 23 02:17:32 authd_auth_module_start: Error in calling the radius start_auth
    May 23 02:17:32 AUTHEN - module(password) return: FAILURE
    May 23 02:17:32 Framework: auth result is 4. Performing post-auth operations
    May 23 02:17:32 Framework: result is 4.
    May 23 02:17:32 authd_auth_send_answer: conn is 101a780 result is 4, cookie=8 sub-id=9248704814823564895 rply_len=28 num_tlv_blocks=0
    May 23 02:17:32 authd_auth_aaa_msg_destroyauth_aaa_msg: 0xe0006c
    May 23 02:17:32 authd_write_conn: response is 0x101a7dc, total len is 28 and sent is 0
    May 23 02:17:32 authd_write_conn: response is 0x101a7dc, wrote 28 bytes



    DEBUG OUTPUT EXAMPLE OF A SUCCESSFUL AUTHENTICATION, i.e. username and password matched:

    May 23 00:46:41 ###################################################################
    May 23 00:46:41 ########################### AUTH REQ RCVD #########################
    May 23 00:46:41 ###################################################################
    May 23 00:46:41 Auth-FSM: Process Auth-Request for session-id:9248704797644257541
    May 23 00:46:41 Framework: Starting authentication
    May 23 00:46:41 authd_advance_module_for_aaa_request_msg: result:0
    May 23 00:46:41 Authd module start
    May 23 00:46:41 Local : authd_local_start_auth: got params profile=dynamic-vpn-users, username=MyUser
    May 23 00:46:41 Local : start authd_local_lookup
    May 23 00:46:41 Local : profile user-auth-profile found
    May 23 00:46:41 Local : client MyUser found
    May 23 00:46:41 Local : passwords matched

    May 23 00:46:41 authd_auth_module_start: Error in calling the radius start_auth
    May 23 00:46:41 AUTHEN - module(password) return: SUCCESS
    May 23 00:46:41 Framework: auth result is 1. Performing post-auth operations
    May 23 00:46:41 (authd_update_session_options) num_tlv_blocks:0
    May 23 00:46:41 Framework: Initialising response list
    May 23 00:46:41 Framework: Updating session timeout (9999999) in response for user 'MyUser' from profile 'dynamic-vpn-users'
    May 23 00:46:41 Framework: Updating idle timeout (10) in response for user 'MyUser' from profile 'dynamic-vpn-users'
    May 23 00:46:41 Framework: length of first client-group if already present = 0
    May 23 00:46:41 Framework: result is 1.
    May 23 00:46:41 authd_auth_send_answer: conn is 101a780 result is 1, cookie=4 sub-id=9248704797644257541 rply_len=2944 num_tlv_blocks=2
    May 23 00:46:41 authd_auth_send_answer,tlv_begin:101d120 tot_tlv_buf_len:16 num_tlv_blocks:2
    May 23 00:46:41 sess_timeout: 9999999
    May 23 00:46:41 idle_timeout: 10
    May 23 00:46:41 authd_auth_send_answer, rply_len:2960
    May 23 00:46:41 authd_auth_send_answer: conn is 101a780 response is 1021000 result is 1, cookie = 4 rply_len:2960 num_tlv_block = 2
    May 23 00:46:41 authd_auth_aaa_msg_destroyauth_aaa_msg: 0xe0006c
    May 23 00:46:41 authd_write_conn: response is 0x101a7dc, total len is 2960 and sent is 0
    May 23 00:46:41 authd_write_conn: response is 0x101a7dc, wrote 2960 bytes
  7. If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative.
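The authd review in step 6 can be made repeatable. The following script is an added example, not part of this article or of any Juniper tool: it walks 'show log authd' output, pairs each 'authd_local_start_auth' line with the module result that closes the attempt, and reports whether the failure was a password mismatch, an unknown client, or a client that exists only under a different case (the step 4 symptom). The sample log is constructed from the three excerpts above, and configured_clients is assumed to be supplied by the caller from 'show access profile'.

```python
import re

# Constructed sample of 'show log authd' output, reduced to the lines this article
# points at for its three cases: bad password, username case mismatch, success.
SAMPLE_AUTHD_LOG = """\
May 23 01:35:26 Local : authd_local_start_auth: got params profile=dynamic-vpn-users, username=MyUser
May 23 01:35:26 Local : client MyUser found
May 23 01:35:26 Local : password mismatch for client MyUser
May 23 01:35:26 AUTHEN - module(password) return: FAILURE
May 23 02:17:32 Local : authd_local_start_auth: got params profile=dynamic-vpn-users, username=MYUSER
May 23 02:17:32 Local : client MYUSER NOT found
May 23 02:17:32 AUTHEN - module(password) return: FAILURE
May 23 00:46:41 Local : authd_local_start_auth: got params profile=dynamic-vpn-users, username=MyUser
May 23 00:46:41 Local : client MyUser found
May 23 00:46:41 Local : passwords matched
May 23 00:46:41 authd_auth_module_start: Error in calling the radius start_auth
May 23 00:46:41 AUTHEN - module(password) return: SUCCESS
"""

START_RE = re.compile(r"authd_local_start_auth: got params profile=(\S+), username=(\S+)")
NOT_FOUND_RE = re.compile(r"Local : client (\S+) NOT found")
MISMATCH_RE = re.compile(r"Local : password mismatch for client (\S+)")
MATCHED_RE = re.compile(r"Local : passwords matched")
RESULT_RE = re.compile(r"module\(password\) return: (SUCCESS|FAILURE)")


def triage_authd(log_text, configured_clients):
    """Return one (username, reason) verdict per local-auth attempt in the trace.
    configured_clients: the 'client <name>' entries from 'show access profile'
    (supplied by the caller; constructed values in the sample run). A client that
    is NOT found but matches a configured name ignoring case is 'case-mismatch'.
    """
    by_lower = {c.lower(): c for c in configured_clients}
    verdicts, attempt = [], None
    for line in log_text.splitlines():
        if m := START_RE.search(line):          # new attempt: remember the user
            attempt = {"user": m.group(2), "reason": None}
        elif attempt is None:                   # ignore lines outside an attempt
            continue
        elif m := NOT_FOUND_RE.search(line):
            hit = by_lower.get(m.group(1).lower())
            attempt["reason"] = f"case-mismatch (configured as {hit})" if hit else "client-not-found"
        elif MISMATCH_RE.search(line):
            attempt["reason"] = "password-mismatch"
        elif MATCHED_RE.search(line):
            attempt["reason"] = "ok"
        elif RESULT_RE.search(line):            # the module result closes the attempt
            verdicts.append((attempt["user"], attempt["reason"] or "unknown"))
            attempt = None
    return verdicts
```

Note that the 'Error in calling the radius start_auth' line appears in all three excerpts above, including the successful one, so it is deliberately not treated as a failure indicator.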
Modification History:
2020-02-27: minor non-technical edits.
