[ScreenOS] Radius Authentication Using Domain Name Stripping


Article ID: KB7837
KB Last Updated: 11 Aug 2010
Version: 3.0
Summary:
XAuth VPN using external authentication with a RADIUS server.
Symptoms:
The RADIUS request does not get sent.
Solution:

Beginning with ScreenOS 5.2.0, you can configure the Juniper firewall to strip the domain name, together with the separator character that precedes it, from a username. This lets an administrator adopt a standard format for usernames, such as SMTP addresses, and still send just the username portion of the SMTP address, without explicitly telling users to enter only their username.

For example, assume you have the following configuration:

set auth-server "1.1.1.1" username separator "@" number 1
set auth-server "1.1.1.1" username domain "juniper.net"

When a user enters joe@juniper.net, the firewall strips off @juniper.net for the auth request. Only "joe" is sent to the RADIUS server.

However, if a user enters only "joe", the domain check fails and the output of debug auth all shows the following messages:

## 10:53:53 : auth_ext: domain name in username joe is joe, in auth server 1.1.1.1
## 10:53:53 : auth_ext: domain name in username joe is joe, in auth server 1.1.1.1, DOESN'T MATCH

Workaround: Either specify the entire SMTP address in the username field, or remove the username separator and username domain fields from the auth field in the WebUI.
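To find which users are hitting this in a longer debug capture, the following added example (not Juniper code) parses auth_ext lines in the format quoted above and reports each failed domain check. The first two sample lines are the ones from this article; the others are constructed, and the line format for a username that carries a different domain is an assumption.

```python
import re

# Pattern derived from the two auth_ext debug lines quoted in this article.
LINE_RE = re.compile(
    r"^##\s*(?P<time>\d{2}:\d{2}:\d{2})\s*:\s*auth_ext: domain name in username "
    r"(?P<user>\S+) is (?P<domain>[^,\s]+), in auth server (?P<server>[^,\s]+)"
    r"(?P<mismatch>, DOESN'T MATCH)?\s*$"
)

# Lines 1-2 come from the article; lines 3-5 are constructed for illustration.
SAMPLE = """\
## 10:53:53 : auth_ext: domain name in username joe is joe, in auth server 1.1.1.1
## 10:53:53 : auth_ext: domain name in username joe is joe, in auth server 1.1.1.1, DOESN'T MATCH
## 10:54:10 : auth_ext: domain name in username ann@example.org is example.org, in auth server 1.1.1.1
## 10:54:10 : auth_ext: domain name in username ann@example.org is example.org, in auth server 1.1.1.1, DOESN'T MATCH
## 10:55:02 : some unrelated debug line
"""


def find_domain_mismatches(text):
    """Return one record per line that reports a failed domain check."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("mismatch"):
            continue  # unrelated line, or the informational line without a verdict
        user, domain = m.group("user"), m.group("domain")
        # In the article's case the reported "domain" is the whole username,
        # which means the user typed no separator and no domain at all.
        cause = "no domain entered" if domain == user else "different domain"
        hits.append({
            "time": m.group("time"),
            "user": user,
            "domain": domain,
            "server": m.group("server"),
            "cause": cause,
        })
    return hits


if __name__ == "__main__":
    for hit in find_domain_mismatches(SAMPLE):
        print("{time} user={user} server={server} cause={cause}".format(**hit))
```

Users reported with "no domain entered" are the ones affected by the behaviour described here and covered by the workaround.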

 
