Customers are not able to log in to Junos Space Network Management Platform after upgrading to 14.1R2.9 if they use a RADIUS/TACACS authentication server for authentication only.
With Space 14.1R1.9 and earlier releases, authentication servers could be configured for authentication only. Authorization was not mandatory as it was done locally within Space.
With Junos Space 14.1R2.9, authentication servers must also send authorization. If authorization is not sent from the authentication servers, the user cannot log in to Space and is denied access.
Two workarounds are available.
- Create and associate a profile for users on the authentication server. Once a profile is created and associated, services on the authentication server may need to be restarted. Create a matching remote profile in Space.
  Configuration document: https://www.juniper.net/techpubs/en_US/junos-space14.1/platform/topics/task/configuration/platform-radius-server-configuring.html
- Use local authentication only
Juniper has created a patch to restore Junos Space to the functionality of previous versions.
Please download the patch here.
14.1R2.9 Auth patch MD5SUM: 2cabcb9040fb1605a7b8f3646aa5de93
Please call JTAC to assist installing the patch.
Instructions to install patch:
- scp the patch to the Junos Space VIP node's /home/admin directory (the VIP node has eth0:0)
- Log in to the Space VIP node CLI, enter the "(Debug) run shell" mode and run the following commands on the VIP node:
  - cd /home/admin
  - tar xzf 14.1R2-hotpatch-v3.1.tgz
  - cd /home/admin/14.1R2-hotpatch-v3.1
  - sh patchme.sh
The patch stops the services on all nodes in the fabric, installs the patch on all nodes and restarts the services on all nodes.
Once the services are running, you will be able to log in to the Junos Space webUI.
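Added example (not part of Juniper's instructions): a pre-flight check for the extraction steps above. It verifies the tarball against the MD5SUM published on this page and confirms that every archive member sits under the 14.1R2-hotpatch-v3.1 directory before extracting. The function names and the script name preflight.sh are hypothetical, and it assumes md5sum, awk and tar are available in the shell.

```shell
#!/bin/sh
# Added example: pre-flight checks before running patchme.sh.
# The MD5 value and directory name are the ones published on this page.
EXPECTED_MD5="2cabcb9040fb1605a7b8f3646aa5de93"
TOPDIR="14.1R2-hotpatch-v3.1"

# verify_md5 FILE EXPECTED: succeed only if FILE's MD5 equals EXPECTED.
# MD5 catches a corrupted or truncated transfer; it is not tamper-proof,
# so obtain the patch from Juniper over a trusted channel.
verify_md5() {
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# members_safe TOPDIR: read archive member names on stdin and succeed only
# if every one sits under TOPDIR with no absolute path or ".." component.
# An empty listing is treated as a failure.
members_safe() {
    awk -v top="$1" '
        { seen = 1; sub(/^\.\//, "") }
        substr($0, 1, 1) == "/" { bad = 1 }
        { n = split($0, part, "/")
          for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1 }
        $0 != top && $0 != (top "/") && index($0, top "/") != 1 { bad = 1 }
        END { if (bad || !seen) exit 1 }
    '
}

# stage_patch TARBALL: verify, inspect, then extract into the current
# directory. It deliberately stops short of running patchme.sh.
stage_patch() {
    verify_md5 "$1" "$EXPECTED_MD5" || { echo "MD5 mismatch: $1" >&2; return 1; }
    tar tzf "$1" | members_safe "$TOPDIR" || { echo "unexpected paths in $1" >&2; return 1; }
    tar xzf "$1" && echo "extracted ./$TOPDIR; next: cd $TOPDIR && sh patchme.sh"
}

# Runs only when a tarball path is given, e.g.:
#   cd /home/admin && sh preflight.sh 14.1R2-hotpatch-v3.1.tgz
if [ "$#" -gt 0 ]; then stage_patch "$1"; fi
```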