
XAuth Fails when using RADIUS Server without Accounting


Article ID: KB8165 | KB Last Updated: 31 Aug 2009 | Version: 3.0
Summary:

A VPN is configured with XAuth and uses an external RADIUS server to authenticate users. However, the authentication fails. In this scenario, the authentication server is an RSA server that has RADIUS enabled.

Symptoms & Errors:
  • XAuth authentication to the RSA RADIUS server fails
Solution:

Beginning with ScreenOS 5.2.0, RADIUS Accounting requests are sent from the NetScreen to the RADIUS server when XAuth phase 1 IKE negotiation takes place (using RADIUS as an external authentication server). This may cause issues if RADIUS Accounting on the server you are using is either listening on the wrong port or turned off. With RSA RADIUS, RADIUS Accounting is disabled by default.

To get XAuth authentication working, make sure RADIUS Accounting is configured on the RADIUS server. Also make sure the RADIUS Accounting listening port matches what is configured on the NetScreen (the default is port 1646).

To determine which port the NetScreen uses for RADIUS Accounting, issue the following command:

ns5gt-> get auth settings radius accounting
RADIUS Accounting port: 1646
Action:
  None
ns5gt->

Note: Beginning with ScreenOS 6.2.0, RADIUS Accounting can be disabled on the firewall, eliminating the need to enable RADIUS Accounting on the RADIUS server (this is also useful if your RADIUS server does not support RADIUS Accounting). To disable accounting globally, the CLI command is "set xauth default accounting off". To disable accounting per IKE gateway, the command is "set ike gateway <gateway name> xauth accounting off".
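To confirm from the server side that RADIUS Accounting is listening on the port the NetScreen reports, the following added example (not part of the original article and not Juniper or RSA code) sends an RFC 2866 Accounting-Request to that port and validates the Accounting-Response. It assumes the machine running it is defined as a RADIUS client on the server with the shared secret you pass in; the NAS address and session ID are constructed placeholder values, and a Start record will be written to the server's accounting log.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RFC 2866 packet codes


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret, ident, nas_ip="192.0.2.1"):
    """Build an Accounting-Request (Start); nas_ip is a placeholder address."""
    attrs = (_attr(40, struct.pack("!I", 1))        # Acct-Status-Type = Start
             + _attr(44, b"acct-port-check")        # Acct-Session-Id (constructed)
             + _attr(4, socket.inet_aton(nas_ip)))  # NAS-IP-Address
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_accounting_response(response, request, secret):
    """True if response is a correctly authenticated Accounting-Response."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or not 20 <= length <= len(response):
        return False
    response = response[:length]  # octets past Length are padding
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe_accounting(host, secret, port=1646, timeout=3.0):
    """Return 'ok', 'bad-response' or 'no-answer' for the accounting port."""
    request = build_accounting_request(secret, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            response, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP port unreachable
            return "no-answer"
    ok = verify_accounting_response(response, request, secret)
    return "ok" if ok else "bad-response"
```

A result of 'no-answer' from probe_accounting() is consistent with accounting being disabled or listening on a different port, but a server also silently drops requests from an unknown client or with a wrong shared secret, so check those before concluding the port is wrong.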
