Multiple updates were added via bulk update, but soon after the script was run, the devices do not appear online.
After the bulk update is pushed, new devices are offline, and no sockets for NETCONF port 4087 are seen.
Assume you have set up authentication as follows:
set system authentication-order radius
This means that outbound-ssh will send the authentication request to the RADIUS server.
If you are adding a device in Sky Enterprise and you are using RADIUS, the configlet should look like this:
set system services ssh protocol-version v2
set system services outbound-ssh client skyenterprise-ncd01 device-id jtac-SRX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000
set system services outbound-ssh client skyenterprise-ncd02 device-id jtac-SRX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd02 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd02 skyent-ncd02.juniper.net port 4087 timeout 60 retry 1000
Since no local user is specified in the configuration, the request will go out through RADIUS, and the connection to Sky Enterprise will form without a problem. However, if your configlet includes a local user name, then authentication will be done based on the local user account. If, for example, the configlet includes the following:
set system services ssh protocol-version v2
set system login user radiusskyenterprise class super-user authentication encrypted-password <encrypted-password>
set system services outbound-ssh client skyenterprise-ncd01 device-id jtac-NFX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000
set system services outbound-ssh client skyenterprise-ncd02 device-id jtac-NFX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd02 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd02 skyent-ncd02.juniper.net port 4087 timeout 60 retry 1000
Notice that this configlet includes the user radiusskyenterprise. This means that when the outbound-ssh connection is attempted, it will try to authenticate via the local user. In this scenario, authentication to Sky Enterprise will fail. With the above configlet, for the Sky Enterprise connection to succeed, make sure the authentication order lists password first, then radius.
Do the following:
delete system authentication-order radius
set system authentication-order password
set system authentication-order radius
commit
The corresponding config will look like this:
system {
    authentication-order [ password radius ];
}
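The check described above can be run against a configlet before it goes into a bulk update. The following is an added example, not Juniper or Sky Enterprise code: it replays set/delete statements to compute the resulting authentication-order and flags a configlet that defines a local user while password is not first. The function names, the DEVICE/CONFIGLET/FIX sample input and the <...> placeholders are assumptions constructed for illustration.

```python
# Added example; function names and sample values are hypothetical/constructed.
def _words(line):
    # Treat "[ password radius ]" like a plain list of values.
    return line.replace("[", " ").replace("]", " ").split()

def authentication_order(lines):
    """Replay set/delete statements and return the resulting ordered list."""
    order = []
    for w in map(_words, lines):
        if w[1:3] != ["system", "authentication-order"]:
            continue
        if w[0] == "delete" and len(w) == 3:
            order.clear()                      # whole statement deleted
        for method in w[3:]:
            if w[0] == "set" and method not in order:
                order.append(method)           # set appends to the list
            elif w[0] == "delete" and method in order:
                order.remove(method)
    return order

def check(device_lines, configlet_lines):
    """Return findings; an empty list means no conflict was detected."""
    order = authentication_order(device_lines + configlet_lines)
    cfg = [_words(line) for line in configlet_lines]
    users = sorted({w[4] for w in cfg
                    if w[:4] == ["set", "system", "login", "user"]
                    and "authentication" in w[5:]})
    has_client = any(w[:5] == ["set", "system", "services", "outbound-ssh", "client"]
                     for w in cfg)
    # With no authentication-order configured, Junos uses local passwords only.
    if has_client and users and order and order[0] != "password":
        return [f"local user {users[0]} in configlet, but authentication-order "
                f"is {' '.join(order)}: put password before radius"]
    return []

# Constructed sample input (the <...> placeholders are not real values).
DEVICE = ["set system authentication-order radius"]
CONFIGLET = [
    "set system login user radiusskyenterprise class super-user "
    "authentication encrypted-password <encrypted-password>",
    "set system services outbound-ssh client skyenterprise-ncd01 "
    "skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000",
]
FIX = ["delete system authentication-order radius",
       "set system authentication-order password",
       "set system authentication-order radius"]

if __name__ == "__main__":
    print(check(DEVICE, CONFIGLET))
    print(check(DEVICE + FIX, CONFIGLET))
```

Pass the device's existing authentication statements as the first argument and the configlet as the second; the first call above reports the conflict, and the second, with the fix applied, reports none.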