[SRX] Error “Invalid username or password specified” when trying to login and download the Pulse client (using RADIUS Authentication)

Article ID: KB17421 KB Last Updated: 21 Feb 2020 Version: 5.0
Summary:

This article describes the 'Invalid username or password specified' error message that is generated when trying to log in to the Dynamic VPN page using RADIUS-based authentication.

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.
 
Symptoms:

  • When attempting to log in to the page at https://<SRX-IP> or https://<SRX-IP>/dynamic-vpn, the error 'Invalid username or password specified.' is displayed.

Solution:

NOTE:  If you are using local authentication (where the SRX is authenticating and assigning the IP addresses), instead refer to KB17420 - [Dynamic VPN] Error “Invalid username or password specified” when trying to login to Dynamic VPN page (using Local Authentication).

The 'Invalid username or password specified' error can occur under the following conditions:

  • The username or password was not typed in correctly.
  • The username or password entered does not match the username and password configured on the RADIUS server.
  • An incorrect shared secret is specified for the SRX-to-RADIUS connection.
  • The RADIUS server may not be accepting PAP authentications.
  • The RADIUS server may not be reachable.
  • The RADIUS server may be imposing an authentication restriction which we do not meet.

To determine the issue, perform the following steps:
  1. If you have not already tried, re-enter the username and password.  The username may be case sensitive, depending on the RADIUS server.
  2. If after re-entering the username and password, you still receive 'Invalid username or password specified', examine the access configuration on the SRX using the command show access or show access profile <profile>.  An example access profile is as follows:
    root@srx# show security dynamic-vpn
    access-profile radius-auth;
    clients {
        users {
           remote-protected-resources {
              192.168.3.0/24;
           }
           remote-exceptions {
              0.0.0.0/0;
           }
           ipsec-vpn dynvpn;
           user {
              user1;
           }
       }
    }


    root@srx#  show access
    profile radius-auth {
         authentication-order radius;
         radius-server {
             172.30.73.206 secret "$ABC123"; ## SECRET-DATA
         }
    }
    firewall-authentication {
        web-authentication {
            default-profile radius-auth;
        }
    }



     
    When users authenticate from the page https://<SRX-IP>/dynamic-vpn/, the system will check what profile should be used based on what is listed under security -> dynamic-vpn -> access-profile.  Make sure the profile listed here is the profile you intended to use.
     
  3. If the access profile is correct, check the authentication order. Since more than one authentication method can be specified, make sure that your authentication-order is correct. If no authentication-order statement is included, the default behavior is to use local and then RADIUS (if a RADIUS server is defined). We can check the authentication order using the show access output or specifically using the command show access profile <profile-name> authentication-order.  Below is an example of a profile with the authentication order set to only use RADIUS authentication:
    root@srx# show access profile user-auth-profile
    authentication-order radius;
  4. If the authentication order is correct, check the RADIUS server reachability from the SRX. Also make sure that the ports that the RADIUS server uses are allowed through any firewalls which might be between the RADIUS server and the SRX. 
  5. Review the debug logs on the RADIUS server.  Common items to review:
    • Do you see the request coming from the SRX for the user in question?
    • Is the SRX allowed as a RADIUS client?
    • Are the user credentials reported as accepted in the RADIUS logs?


    If you cannot determine the problem, then continue with Step 6.
  6. If at this point, the user is still not able to authenticate, set the following debug commands on the SRX to capture all authentication debugs to the file named 'auth-debug':
    user@srx# set system processes general-authentication-service traceoptions flag all
    user@srx# run clear log authd
    user@srx# commit


    [Have user attempt to connect and login again]

    user@srx> show log authd
  7. Review the output of the auth-debug file.  Below are some sample authd traceoptions outputs of common errors that you can compare yours to.  Pay attention to the highlighted lines which will indicate where the error is occurring.
    • Look for the username that is unable to connect.
    • Is the RADIUS server indicating a reason that the authentication is not being accepted?
    • Is the RADIUS Access-Request packet arriving at the server (e.g. is the server reachable from the SRX)?
    • Does the RADIUS server have a route back to the SRX?
    • Does the RADIUS server accept PAP authentications?
    • Are other restrictions (rules, checklists, etc.) preventing authentication from being successful?

    A good authentication with the Framed-IP-Address, Framed-IP-Netmask, Juniper-Primary-Dns, Juniper-Secondary-Dns, Juniper-Primary-Wins, and Juniper-Secondary-Wins attributes being returned (key lines highlighted):

    DEBUG OUTPUT EXAMPLE OF A SUCCESSFUL AUTHENTICATION, i.e. username and password matched:
    May 23 05:10:17 ###################################################################
    May 23 05:10:17 ########################### AUTH REQ RCVD #########################
    May 23 05:10:17 ###################################################################
    May 23 05:10:17 Auth-FSM: Process Auth-Request for session-id:9248704819118623215
    May 23 05:10:17 Framework: Starting authentication
    May 23 05:10:17 authd_advance_module_for_aaa_request_msg: result:0
    May 23 05:10:17 Authd module start
    May 23 05:10:17 authd_radius_start_auth: Starting RADIUS authentication
    May 23 05:10:17 authd_radius_build_basic_auth_request: got params profile=dynamic-vpn-users, username=user2
    May 23 05:10:17 AUTHEN - module(radius) return: ASYNC
    May 23 05:10:17 RADIUS server 172.18.66.10:1812 was used for last request
    May 23 05:10:17 Radius result is CLIENT_REQ_STATUS_SUCCESS
    May 23 05:10:17 Vendor-Id: 0 Attribute Type:Class(25) Value:string-type Length:53
    May 23 05:10:17 authd_radius_parse_message:generic-type:25
    May 23 05:10:17 authd_radius_parse_message:generic-type:8
    May 23 05:10:17 authd_radius_parse_message:juniper type:31
    May 23 05:10:17 authd_radius_parse_message:juniper type:32
    May 23 05:10:17 authd_radius_parse_message:juniper type:33
    May 23 05:10:17 authd_radius_parse_message:juniper type:34
    May 23 05:10:17 Framework - module(radius) return: SUCCESS

    May 23 05:10:17 authd_advance_module_for_aaa_response_msg: result:2
    May 23 05:10:17 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_service.cc:2236 Failed to get SDB snapshot for session-id:9248704819118623215 sdb_status: <Error:libjuniper++ class=2, code=1>
    May 23 05:10:17 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_astable.cc:1048 Could not take fresh SDB snapshot for session-id:9248704819118623215
    May 23 05:10:17 AuthFsm::current state=AuthInit(16777216) event=11 astEntry=0xf0106c
    May 23 05:10:17 Auth-FSM: Process Auth-Response for session-id:9248704819118623215 and client type auth-lite
    May 23 05:10:17 Framework: auth result is 1. Performing post-auth operations
    May 23 05:10:17 (authd_update_session_options) num_tlv_blocks:6
    May 23 05:10:17 Framework: Updating session timeout (9999999) in response for user 'user2' from profile 'dynamic-vpn-users'
    May 23 05:10:17 Framework: Updating idle timeout (10) in response for user 'user2' from profile 'dynamic-vpn-users'
    May 23 05:10:17 Framework: length of first client-group if already present = 0
    May 23 05:10:17 Framework: result is 1.
    May 23 05:10:17 authd_auth_send_answer: conn is 101a780 result is 1, cookie=9 sub-id=9248704819118623215 rply_len=2944 num_tlv_blocks=8
    May 23 05:10:17 authd_auth_send_answer,tlv_begin:1025480 tot_tlv_buf_len:113 num_tlv_blocks:8
    May 23 05:10:17 class len:53 class:SBR2CL¬×Àǹ´Â"¡È ;ÔòЬ×Àǹ´Â

    May 23 05:10:17 sess_timeout: 9999999
    May 23 05:10:17 idle_timeout: 10
    May 23 05:10:17 authd_auth_send_answer, rply_len:3057
    May 23 05:10:17 authd_auth_send_answer: conn is 101a780 response is 1029000 result is 1, cookie = 9 rply_len:3057 num_tlv_block = 8
    May 23 05:10:17 ###################################################################
    May 23 05:10:17 ######################### AUTH REQ ACK SENT #######################
    May 23 05:10:17 ###################################################################
    May 23 05:10:17 authd_auth_aaa_msg_destroyauth_aaa_msg: 0xe0006c
    May 23 05:10:17 authd_write_conn: response is 0x101a7dc, total len is 3057 and sent is 0
    May 23 05:10:17 authd_write_conn: response is 0x101a7dc, wrote 3057 bytes



    DEBUG OUTPUT EXAMPLE OF A BAD PASSWORD:
    May 23 05:20:34 ###################################################################
    May 23 05:20:34 ########################### AUTH REQ RCVD #########################
    May 23 05:20:34 ###################################################################
    May 23 05:20:34 Auth-FSM: Process Auth-Request for session-id:9248704827708995451
    May 23 05:20:34 Framework: Starting authentication
    May 23 05:20:34 authd_advance_module_for_aaa_request_msg: result:0
    May 23 05:20:34 Authd module start
    May 23 05:20:34 authd_radius_start_auth: Starting RADIUS authentication
    May 23 05:20:34 authd_radius_build_basic_auth_request: got params profile=dynamic-vpn-users, username=user2
    May 23 05:20:34 AUTHEN - module(radius) return: ASYNC
    May 23 05:20:34 RADIUS server 172.18.66.10:1812 was used for last request
    May 23 05:20:34 Radius result is CLIENT_REQ_STATUS_SUCCESS
    May 23 05:20:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type Length:38
    May 23 05:20:34 authd_radius_parse_message:generic-type:18
    May 23 05:20:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type Length:36
    May 23 05:20:34 authd_radius_parse_message:generic-type:18
    May 23 05:20:34 Vendor-Id: 0 Attribute Type:Reply-Message(18) Value:string-type Length:15
    May 23 05:20:34 authd_radius_parse_message:generic-type:18
    May 23 05:20:34 Framework - module(radius) return: FAILURE

    May 23 05:20:34 authd_advance_module_for_aaa_response_msg: result:3
    May 23 05:20:34 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_service.cc:2236 Failed to get SDB snapshot for session-id:9248704827708995451 sdb_status: <Error:libjuniper++ class=2, code=1>
    May 23 05:20:34 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_astable.cc:1048 Could not take fresh SDB snapshot for session-id:9248704827708995451
    May 23 05:20:34 AuthFsm::current state=AuthInit(16777216) event=5 astEntry=0xf0106c
    May 23 05:20:34 Auth-FSM: Post the Auth-Response and clean up. session-id:9248704827708995451
    May 23 05:20:34 Framework: auth result is 2. Performing post-auth operations
    May 23 05:20:34 Framework: result is 2.
    May 23 05:20:34 authd_auth_send_answer: conn is 101a780 result is 2, cookie=11 sub-id=9248704827708995451 rply_len=2944 num_tlv_blocks=3
    May 23 05:20:34 authd_auth_send_answer,tlv_begin:1025480 tot_tlv_buf_len:101 num_tlv_blocks:3
    May 23 05:20:34 authd_auth_send_answer, rply_len:3045
    May 23 05:20:34 authd_auth_send_answer: conn is 101a780 response is 1029000 result is 2, cookie = 11 rply_len:3045 num_tlv_block = 3
    May 23 05:20:34 authd_auth_aaa_msg_destroyauth_aaa_msg: 0xe0006c
    May 23 05:20:34 authd_write_conn: response is 0x101a7dc, total len is 3045 and sent is 0
    May 23 05:20:34 authd_write_conn: response is 0x101a7dc, wrote 3045 bytes



    DEBUG OUTPUT EXAMPLE WHEN THE RADIUS SERVER IS NOT REACHABLE OR DOES NOT RESPOND (SILENTLY DISCARDS REQUEST)
    May 23 05:55:31 ###################################################################
    May 23 05:55:31 ########################### AUTH REQ RCVD #########################
    May 23 05:55:31 ###################################################################
    May 23 05:55:31 Auth-FSM: Process Auth-Request for session-id:9248704849183741153
    May 23 05:55:31 Framework: Starting authentication
    May 23 05:55:31 authd_advance_module_for_aaa_request_msg: result:0
    May 23 05:55:31 Authd module start
    May 23 05:55:31 authd_radius_start_auth: Starting RADIUS authentication
    May 23 05:55:31 authd_radius_build_basic_auth_request: got params profile=dynamic-vpn-users, username=user2
    May 23 05:55:31 AUTHEN - module(radius) return: ASYNC
    May 23 05:55:43 RADIUS server 172.18.66.94:1812 was used for last request
    May 23 05:55:43 Radius result is CLIENT_REQ_TIMEOUT
    May 23 05:55:43 Framework - module(radius) return: SERVER

    May 23 05:55:43 authd_advance_module_for_aaa_response_msg: result:4
    May 23 05:55:43 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_service.cc:2236 Failed to get SDB snapshot for session-id:9248704849183741153 sdb_status: <Error:libjuniper++ class=2, code=1>
    May 23 05:55:43 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_astable.cc:1048 Could not take fresh SDB snapshot for session-id:9248704849183741153
    May 23 05:55:43 AuthFsm::current state=AuthInit(16777216) event=27 astEntry=0xf0106c
    May 23 05:55:43 Auth-FSM: Post the Auth-Response and clean up. session-id:9248704849183741153
    May 23 05:55:43 Framework: auth result is 5. Performing post-auth operations
    May 23 05:55:43 Framework: result is 5.
    May 23 05:55:43 authd_auth_send_answer: conn is 101a780 result is 5, cookie=16 sub-id=9248704849183741153 rply_len=28 num_tlv_blocks=0
    May 23 05:55:43 authd_auth_aaa_msg_destroyauth_aaa_msg: 0xe0006c
    May 23 05:55:43 authd_write_conn: response is 0x101a7dc, total len is 28 and sent is 0
    May 23 05:55:43 authd_write_conn: response is 0x101a7dc, wrote 28 bytes



    DEBUG OUTPUT EXAMPLE OF BAD SECRET, i.e. secret on SRX and RADIUS server does not match
    Apr 8 17:29:33 AUTHEN - module(radius) return: ASYNC
    Apr 8 17:29:45 RADIUS server 172.18.66.10:1812 was used for last request
    Apr 8 17:29:45 Radius : authd_radius_mark_servers_dead: profile - radius-server, radius server - 172.18.66.10:1812 status set to DEAD


    If this is occurring, reset the shared secret on both the SRX and RADIUS server.  To reset the shared secret on the SRX use the command:
    root@srx# set access profile <profile-name> radius-server <radius-server-ip> secret <secret>

    Then restart the general-authentication-service process after this is committed using the operational mode command:
    root@srx> restart general-authentication-service
  8. If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a case with your technical support representative or with the RADIUS server vendor as appropriate.
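
The comparison in step 7 can be automated. The following Python is an added example, not part of the original article and not a Juniper tool: it classifies each attempt in an authd trace using the marker lines from the samples above. The function and dictionary names are assumptions, and the embedded trace is constructed (abridged from the samples, with a made-up request line for the bad-secret case).

```python
import re

# Marker lines as they appear in the authd trace samples in this article.
START = re.compile(r"got params profile=(\S+), username=(\S+)")
SERVER = re.compile(r"RADIUS server (\S+) was used for last request")
TIMEOUT = re.compile(r"Radius result is CLIENT_REQ_TIMEOUT")
DEAD = re.compile(r"radius server - (\S+) status set to DEAD")
MODULE = re.compile(r"module\(radius\) return: (SUCCESS|FAILURE|SERVER)")
VERDICT = {"SUCCESS": "accepted", "FAILURE": "rejected", "SERVER": "no-response"}
NEXT_CHECK = {  # follow-up per verdict, from the step 7 checklist
    "rejected": "server replied and refused: credentials, PAP support, server rules",
    "no-response": "no reply: reachability, route back to the SRX, RADIUS client entry",
    "server-dead": "server marked DEAD: compare the shared secret on both sides",
}

def triage(trace):
    """Return one dict per authentication attempt found in an authd trace."""
    attempts, cur = [], None
    for line in trace.splitlines():
        if m := START.search(line):
            cur = {"user": m[2], "profile": m[1], "server": None, "verdict": "incomplete"}
            attempts.append(cur)
        elif cur is None:
            continue  # fragment that starts mid-attempt: nothing to attribute it to
        elif m := SERVER.search(line):
            cur["server"] = m[1]
        elif TIMEOUT.search(line):
            cur["verdict"] = "no-response"
        elif m := DEAD.search(line):
            cur.update(server=m[1], verdict="server-dead")
        elif (m := MODULE.search(line)) and cur["verdict"] != "server-dead":
            cur["verdict"] = VERDICT[m[1]]
    return attempts

# Constructed sample, abridged from the traces above; the Apr 8 request line is made up.
SAMPLE = """\
May 23 05:10:17 authd_radius_build_basic_auth_request: got params profile=dynamic-vpn-users, username=user2
May 23 05:10:17 Framework - module(radius) return: SUCCESS
May 23 05:20:34 authd_radius_build_basic_auth_request: got params profile=dynamic-vpn-users, username=user2
May 23 05:20:34 Framework - module(radius) return: FAILURE
May 23 05:55:31 authd_radius_build_basic_auth_request: got params profile=dynamic-vpn-users, username=user2
May 23 05:55:43 RADIUS server 172.18.66.94:1812 was used for last request
May 23 05:55:43 Radius result is CLIENT_REQ_TIMEOUT
Apr 8 17:29:33 authd_radius_build_basic_auth_request: got params profile=radius-server, username=user2
Apr 8 17:29:45 Radius : authd_radius_mark_servers_dead: profile - radius-server, radius server - 172.18.66.10:1812 status set to DEAD
"""

for a in triage(SAMPLE):
    print(a["user"], a["server"], a["verdict"], "|", NEXT_CHECK.get(a["verdict"], "-"))
```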
Modification History:
2020-02-21: minor non-technical edits.
