
Unable to authenticate through SBR Enterprise when enabling PrequalifyChecklist and configuring appropriate check list attributes for the Windows domain users


Article ID: KB17484 KB Last Updated: 08 Mar 2017 Version: 3.0
Summary:
Unable to authenticate through SBR Enterprise when enabling PrequalifyChecklist and configuring appropriate check list attributes for the Windows domain users.
Symptoms:

I enabled PrequalifyChecklist in the WINAUTH.AUT file, restarted the Steel-Belted Radius service, and configured the Windows Domain users in SBR Administrator with the Check list attributes. However, when a specific end user attempts to authenticate, the logs display:

05/31/2010 19:26:43 Unable to find user <username> with matching password

05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Authentication Response (reject)

Solution:
Take another look at the authentication log for that specific authentication. In the example below, let's say we configured the NAS-IP-Address attribute in our Check list. The error log would display something like:

05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Determining if request is for a tunnel
05/31/2010 19:26:43 Determining if this radius should act as a proxy
05/31/2010 19:26:43 Determining user class
05/31/2010 19:26:43 Authenticating user azapata with authentication method Windows Domain User
05/31/2010 19:26:43 Missing checklist attribute NAS-IP-Address for user \\PFUNK\azapata
05/31/2010 19:26:43 Unable to find user azapata with matching password


So far, SBR is telling us that there is a missing checklist attribute. After verifying that you configured that specific Check list attribute for that user in SBR Administrator, take another look at the log. This time, focus on the Authentication Request (also known as "Access-Request") section:

05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Authentication Request
05/31/2010 19:26:43 Received From: ip=172.18.65.95 port=4571
05/31/2010 19:26:43 Packet : Code = 0x1 ID = 0x1
05/31/2010 19:26:43 Client Name = PRUEBA Dictionary Name = Radius.dct
05/31/2010 19:26:43 Vector =
05/31/2010 19:26:43 000: 8ec028a7 fac19840 b24c235d 62698166 |..(....@.L#]bi.f|
05/31/2010 19:26:43 Parsed Packet =
05/31/2010 19:26:43 User-Name : String Value = azapata
05/31/2010 19:26:43 User-Password : Value =
05/31/2010 19:26:43 000: 99d2fedf c476c05a d8b2510a b4809e9f |.....v.Z..Q.....|
05/31/2010 19:26:43 NAS-Port : Integer Value = 1
05/31/2010 19:26:43 NAS-Port-Type : Integer Value = 2
05/31/2010 19:26:43 Calling-Station-Id : String Value = 61435652914
05/31/2010 19:26:43 Called-Station-Id : String Value = RAMDOM


In a nutshell, a Check list attribute is something that SBR will check in the Authentication Request packet. The Authentication Request information is what the device acting as RADIUS Client sends to SBR. In the log above, we noticed that the device acting as RADIUS client did not send NAS-IP-Address in the authentication request packet. Therefore SBR Enterprise rejected access for that user because it failed the Check list attribute.
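The comparison described above can be scripted. The following is an added example, not Juniper code: it pairs each "Missing checklist attribute" line with the attributes the RADIUS client actually sent in the preceding Authentication Request. The function name, the sample layout and the assumption that the request dump precedes the processing lines in the log are illustrative.

```python
import re

TS = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ?")  # log timestamp prefix
ATTR = re.compile(r"^([A-Za-z][\w-]*) : ")                   # e.g. "NAS-Port : Integer Value = 1"
MISSING = re.compile(r"^Missing checklist attribute (\S+) for user (\S+)")

# Assembled from this article's log excerpts (hex dumps omitted); ordering is assumed.
SAMPLE_LOG = r"""
05/31/2010 19:26:43 Authentication Request
05/31/2010 19:26:43 Packet : Code = 0x1 ID = 0x1
05/31/2010 19:26:43 Client Name = PRUEBA Dictionary Name = Radius.dct
05/31/2010 19:26:43 Parsed Packet =
05/31/2010 19:26:43 User-Name : String Value = azapata
05/31/2010 19:26:43 User-Password : Value =
05/31/2010 19:26:43 NAS-Port : Integer Value = 1
05/31/2010 19:26:43 NAS-Port-Type : Integer Value = 2
05/31/2010 19:26:43 Calling-Station-Id : String Value = 61435652914
05/31/2010 19:26:43 Called-Station-Id : String Value = RAMDOM
05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Authenticating user azapata with authentication method Windows Domain User
05/31/2010 19:26:43 Missing checklist attribute NAS-IP-Address for user \\PFUNK\azapata
"""

def diagnose(log_text):
    """Pair each 'Missing checklist attribute' line with the attributes the
    RADIUS client actually sent in the preceding Access-Request."""
    sent, in_parsed, client, findings = set(), False, None, []
    for raw in log_text.splitlines():
        line = TS.sub("", raw.strip())
        if line.startswith("Authentication Request"):
            sent, in_parsed, client = set(), False, None  # new request
        elif line.startswith("Client Name = "):
            client = line.split("=", 1)[1].split()[0]
        elif line.startswith("Parsed Packet ="):
            in_parsed = True
        elif line.startswith("---"):
            in_parsed = False  # separator ends the request dump
        elif in_parsed and (m := ATTR.match(line)):
            sent.add(m.group(1))
        elif m := MISSING.match(line):
            findings.append({"attribute": m.group(1), "user": m.group(2),
                             "client": client, "sent": sorted(sent),
                             "sent_by_client": m.group(1) in sent})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

A finding with sent_by_client set to False points at the RADIUS client configuration rather than at the user's Check list entry in SBR Administrator.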

If you are unable to configure your device to send the specific attribute you are looking for, there is an option in SBR Enterprise to work around this issue. In the SBR Administrator, load the section where you configure the Check list attributes. Notice that there is an option called "Default". Enabling this option in your Check list attributes editor tells SBR Enterprise to ignore the fact that the NAS-IP-Address attribute is not present in the Authentication Request packet.

This option is useful when more than one RADIUS client is configured and when more than one Check list attribute is configured.