
[Sky Enterprise] Adding devices with radius configured but devices appear offline


Article ID: KB35906 | KB Last Updated: 19 Jun 2020 | Version: 1.0

Summary:

Multiple updates were added via bulk update, but soon after the script ran, the devices do not appear online.

Symptoms:

After pushing a bulk update, new devices are offline, and no sockets for NETCONF port 4087 are seen.

Solution:

Assume you have set up your authentication such as the following:

set system authentication-order radius 

This means outbound-ssh sends the authentication request to the RADIUS server.

If you are adding a device in Sky Enterprise, and you are using radius, the configlet should look like this:

set system services ssh protocol-version v2
set system services outbound-ssh client skyenterprise-ncd01 device-id jtac-SRX250-ATT-S1-r002-jtaclab secret <auto-generated secret>
set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000
set system services outbound-ssh client skyenterprise-ncd02 device-id jtac-SRX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd02 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd02 skyent-ncd02.juniper.net port 4087 timeout 60 retry 1000

Since there is no local user specified in the configuration, the request goes out through RADIUS, and the connection to Sky Enterprise forms without a problem. However, if your configlet includes a local user name, authentication is done against the local user account. For example, suppose the configlet includes the following:

set system services ssh protocol-version v2
set system login user radiusskyenterprise class super-user authentication encrypted-password <encrypted-password>
set system services outbound-ssh client skyenterprise-ncd01 device-id jtac-NFX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000
set system services outbound-ssh client skyenterprise-ncd02 device-id jtac-NFX250-ATT-S1-r002-jtaclab secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd02 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd02 skyent-ncd02.juniper.net port 4087 timeout 60 retry 1000

 

Notice that this configlet includes the user radiusskyenterprise. This means that when the outbound-ssh connection is attempted, the device tries to authenticate via the local user. In this scenario, authentication to Sky Enterprise fails. With the above configlet, for the Sky Enterprise connection to succeed, make sure password comes first in the authentication order, then radius.

Do the following:

delete system authentication-order radius
set system authentication-order password
set system authentication-order radius
commit

The corresponding config will look like this:

system {
    authentication-order [ password radius ];
}
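
The rule above can be checked before a bulk push. The following Python is an added example, not part of the Juniper article or any Juniper tool: it replays the set/delete commands of a configlet and flags the failing combination (local user plus outbound-ssh with radius ahead of password). The function names, the device-id `example-device` and the sample text are constructed for illustration, and an absent authentication-order statement is assumed to mean local password authentication.

```python
import re

# Constructed sample: the article's second configlet (local user present)
# applied to a device whose authentication-order is radius only.
BEFORE = """\
set system authentication-order radius
set system login user radiusskyenterprise class super-user authentication encrypted-password <encrypted-password>
set system services outbound-ssh client skyenterprise-ncd01 device-id example-device secret <auto-generated-secret>
set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000
"""
# The article's fix, replayed on top of BEFORE.
FIX = """\
delete system authentication-order radius
set system authentication-order password
set system authentication-order radius
"""

def authentication_order(lines):
    """Replay set/delete commands; return the resulting ordered method list."""
    order = []
    for line in lines:
        tok = line.replace("[", " ").replace("]", " ").split()
        if tok[1:3] != ["system", "authentication-order"]:
            continue
        methods = tok[3:]
        if tok[0] == "set":
            for m in methods:          # 'set' appends to the end of the list
                if m not in order:
                    order.append(m)
        elif tok[0] == "delete":       # no method named: whole statement removed
            order = [m for m in order if methods and m not in methods]
    return order

def check_configlet(text):
    """Return a list of findings (empty when the article's rule is satisfied)."""
    lines = text.splitlines()
    order = authentication_order(lines)
    users = sorted({m.group(1) for l in lines
                    if (m := re.match(r"\s*set system login user (\S+)", l))})
    outbound = any(re.match(r"\s*set system services outbound-ssh client \S+", l)
                   for l in lines)
    # Assumption: an absent authentication-order statement means local password auth.
    if outbound and users and order and order[0] != "password":
        return [f"local user(s) {users} with authentication-order {order}: "
                "put 'password' before 'radius'"]
    return []

if __name__ == "__main__":
    print(check_configlet(BEFORE))
    print(check_configlet(BEFORE + FIX))
```
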