<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Hello,</div><div><br></div><div>I don't know why I can't get my authentication working with Juniper secure access.<span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>I have a user:</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><pre>+----+----------+--------------------+------------+----+
| id | username | attribute          | value      | op |
+----+----------+--------------------+------------+----+
|  9 | t2       | Cleartext-Password | passsecret | == |
+----+----------+--------------------+------------+----+</pre></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>Command line authentication works:</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span># radtest t2 passsecret 127.0.0.1 1812 testing1234 PPP 192.168.1.1</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif;
background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>I entered the Juniper device in clients.conf</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>client mag.mydomain.com {<br> ipaddr = 192.168.1.2<br> secret = mykey<br> shortname = mag<br> require_message_authenticator =
no<br> nastype = other # localhost isn't usually a NAS...<br>}</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>I entered that same key in the Juniper secure access configuration</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0);
font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>The complete debug output is below. Does anyone see something that could explain why it doesn't work?</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>It says: </span><span>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>However, the password is good!!!<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0);
font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>rad_recv: Access-Request packet from host 192.168.1.2 port 65218, id=236, length=132<br> NAS-Identifier = "mag"<br> User-Name = "t2"<br> User-Password = "passsecret"<br> Tunnel-Client-Endpoint:0 = "192.168.1.3"<br> NAS-IP-Address = 192.168.1.2<br> NAS-Port = 0<br> Acct-Session-Id = "t2(Group XXXX)\"Sun Sep 16 01:43:02 2012\"VVZatHVK"<br># Executing section authorize
from file /etc/raddb/sites-enabled/default<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "t2", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>[files] users: Matched entry DEFAULT at line 202<br>++[files] returns ok<br>[sql] expand: %{User-Name} -> t2<br>[sql] sql_set_user escaped user --> 't2'<br>rlm_sql (sql): Reserving sql socket id: 3<br>[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 't2' ORDER BY id<br>rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't2' ORDER BY id<br>[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
radusergroup WHERE username = 't2' ORDER BY priority<br>rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 't2' ORDER BY priority<br>rlm_sql (sql): Released sql socket id: 3<br>[sql] User t2 not found<br>++[sql] returns notfound<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user<br>Failed to authenticate the user.<br> expand: Host %n -> Host
192.168.1.2<br>Login incorrect: [t2/passsecret] (from client mag port 0) Host 192.168.1.2<br>Using Post-Auth-Type Reject<br># Executing group from file /etc/raddb/sites-enabled/default<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> t2<br>attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 5 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 5<br>Sending Access-Reject of id 236 to 192.168.1.2 port 65218<br>Waking up in 4.9 seconds.<br>Cleaning up request 5 ID 236 with timestamp +1809<br>Ready to process requests.<br></span></div></div></body></html>