We have a working Windows 2012R2 NPS server running our wireless network at the moment and I want to add the Juniper devices to it, EX4200 and EX2200 mostly. I have the following config changes successfully set up:
set system authentication-order [ radius password ]
set system radius-server 10.10.10.1 secret "XXXXXXXXXXxxxxxxxxXXXXXXXXXXX"
set system radius-server 10.10.10.1 timeout 3
set system radius-server 10.10.10.1 retry 3
set system radius-server 10.10.10.1 source-address 10.3.0.1
set system radius-options password-protocol mschap-v2
set system services ssh
set system login user SU class super-user
set system login user SU full-name "Default RADIUS admin access template"
set system login user OP class operator
set system login user OP full-name "Default RADIUS operator access template"
set system login user RO class read-only
set system login user RO full-name "Default RADIUS read-only access template"
I have set up the clients, connection request, and network policies largely based on info from:
https://www.27partners.com/2012/08/linking-junos-authentication-to-active-directory-using-radius/
http://cooperlees.com/blog/?p=419
I have had Juniper support remoted in on three separate occasions and it seems I have them stumped at this point. The default log messages are as follows:
sshd[2120]: rad_send_request: Invalid RADIUS response received
sshd: SSHD_LOGIN_FAILED: Login failed for user 'twinkie' from host '10.10.100.1'
sshd[2120]: Failed password for twinkie from 10.10.100.1 port 50402 ssh2
sshd[2120]: rad_send_request: Invalid RADIUS response received
But if I watch the traffic on the outbound interface I get the following:
10:56:00.522837 Out IP 10.3.0.1.50799 > 10.10.10.1.1812: RADIUS, Access Request (1), id: 0x60 length: 147
10:56:00.530532 In IP 10.10.10.1.1812 > 10.3.0.1.50799: RADIUS, Access Accept (2), id: 0x60 length: 268
10:56:03.725552 Out IP 10.3.0.1.52820 > 10.10.10.1.1812: RADIUS, Access Request (1), id: 0x68 length: 147
10:56:03.733727 In IP 10.10.10.1.1812 > 10.3.0.1.52820: RADIUS, Access Accept (2), id: 0x68 length: 268
10:56:11.915495 Out IP 10.3.0.1.56512 > 10.10.10.1.1812: RADIUS, Access Request (1), id: 0xae length: 147
10:56:11.923945 In IP 10.10.10.1.1812 > 10.3.0.1.56512: RADIUS, Access Accept (2), id: 0xae length: 268
Logs in the RADIUS server show full access with successful login. Ping tests between all hosts are good and there are no firewalls/filters anywhere in this setup. We checked and triple-checked the vendor code in the RADIUS setup. No joy.
Basically, from what I can tell at this point, everything is working but the switch is waiting for 'something' from the Windows Server and not getting it. Or not understanding it. Does anyone have a working Windows 2012R2 setup? I would like to compare the setup if possible.
Thanks,
Todd
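Added worked example (not part of Todd's post, and not Junos or NPS code): the two things a Junos client does with an Access-Accept like the ones in the capture above are (1) recompute the Response Authenticator, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) per RFC 2865, and discard the packet if it does not match, and (2) look for the Juniper Vendor-Specific attribute (IANA enterprise number 2636, sub-type 1, Juniper-Local-User-Name) that names the local template user such as SU, OP or RO. The script below builds a constructed Access-Request/Access-Accept pair with a stand-in secret and shows both checks, including the case where the NAS and the server disagree on the shared secret: the server still logs a success and still sends an Access-Accept, but the client's authenticator check fails. With password-protocol mschap-v2 the secret does not protect the credential itself, so a secret mismatch is not caught on the server side unless a Message-Authenticator is present. The request authenticator, user name, addresses and secret values here are all constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636          # IANA enterprise number for Juniper Networks
JUNIPER_LOCAL_USER_NAME = 1       # Juniper-Local-User-Name sub-attribute

# Constructed stand-ins; the real secret is whatever is configured on both sides.
SECRET = b"XXXXXXXXXXxxxxxxxxXXXXXXXXXXX"
WRONG_SECRET = b"secret-as-typed-into-the-other-box"


def attr(type_, value):
    """Encode one RADIUS attribute as Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def juniper_vsa(subtype, value):
    """Encode a Vendor-Specific attribute wrapping one Juniper sub-attribute."""
    inner = struct.pack("!BB", subtype, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + inner)


def build_packet(code, ident, authenticator, attrs):
    """Assemble Code | ID | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request, attrs, secret):
    """What the server sends back: same ID, authenticator derived from the request's."""
    ident = request[1]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request[4:20], attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(request, response, secret):
    """Client-side check: ID matches, length is sane, Response Authenticator verifies."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Yield (type, value) pairs from a packet; reject malformed attribute lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        type_, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield type_, packet[pos + 2:pos + length]
        pos += length


def juniper_local_user_name(packet):
    """Return the template user named by Juniper-Local-User-Name, or None if absent."""
    for type_, value in parse_attributes(packet):
        if type_ != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            subtype, sublen = struct.unpack("!BB", value[pos:pos + 2])
            if sublen < 2 or pos + sublen > len(value):
                raise ValueError("bad VSA sub-attribute length")
            if subtype == JUNIPER_LOCAL_USER_NAME:
                return value[pos + 2:pos + sublen].decode("ascii")
            pos += sublen
    return None


def demo():
    """Constructed exchange: the MS-CHAPv2 attributes are omitted for brevity."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    request = build_packet(ACCESS_REQUEST, 0x60, request_auth,
                           attr(ATTR_USER_NAME, b"twinkie")
                           + attr(ATTR_NAS_IP_ADDRESS, bytes([10, 3, 0, 1])))
    accept = build_access_accept(request, juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"SU"), SECRET)
    return {
        "accepted_with_matching_secret": verify_response(request, accept, SECRET),
        "accepted_with_wrong_secret": verify_response(request, accept, WRONG_SECRET),
        "template_user": juniper_local_user_name(accept),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints True for the matching secret, False for the mismatched one, and "SU" as the template user. To apply the same check to a real capture, feed the raw UDP payloads of one Access-Request and its Access-Accept (same ID) to verify_response with the configured secret; a False there, while the server logs a success, points at the secret or at a response that was altered in transit rather than at the policy.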