We help IT Professionals succeed at work.

Radius issue

mhamer
mhamer asked
on
Hi, struggling to get any user to authenticate

basic set up
juniper box  links to radius server which links t oa gemalto server

use connects to junpier web page enters there username and Password/OTP

logs are created on the radius server so there is traffic.

Event id 12550
No connection could be made because the target machine activley refused it.

sys log
event id2 source IAS
Reason code 21
the request was rejected by a third party extention dll file

(gemalto dose have an agent running for IAs)

i do see comments like  Authentication server  = undetermined
policy name = undetermined in the event  description
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Are you looking to configure the Juniper setup for two factor authenitcation?
Can you make sure that one is working first i.e. authenticate using radius?

Presumably you used this document to configure:
http://www.gemalto.com/dwnld/5242_Gemalto_SAServer_with_Juniper_Integrate_SSL_VPN_tcm120-57381.pdf

Author

Commented:
i am making a copy of our live set up and that uses diffrent settings to the doc above.

when i configured mine via the doc it worked.

i started putting the settings back one by one , and got to the end and it still worked so bit stumped  its working.

the doc uses quite relaxed settings out live box had everything ticked.

maybe a cert issue fixed by time and ad propergating?

Author

Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for mhamer's comment http:/Q_27429485.html#37106551

for the following reason:

resolved itself  unknown reason
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Following the documentation, got the thing working.
A fixed itself, is with nothing being done other than time and reboots.

Author

Commented:
no, following the documentation interms of setting the encryption to  not encrypted and turning off all authentication types,    gets it wroking  but not how we want it to work.

i need it to be a copy of our other working box.   when using settings from that it fails we have all authentication types an dencryption enabled.

so doing it gemaltos way got it working, but was of no use to me i needed it to work our way.

putting the settings back one by one i would hope narrow the issue down. but got all the way to the end and it still worked, with  our settings in place.   looks more ike th euser cert  hadnt got down to the client when  first tried it


i am not talking install and configure just 4 radio buttons  (chap ieap etc)

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Unfortunately, I do not have eyes on what you have nor what you want to do. All your question has is that you have two pieces of equipment and you want to configure them using radius and the way you have it configured generates an error.

To know what the issue is you have to determine what is causing the rejection which you error suggests is the third party DLL by IAS.

You can have Juniper/IAS configured?

The data is encrypted between the remote USER and Juniper? Where are you trying to enforce encryption?
Commented:
The problem has gone I attempted to close the question,  

The way I have it configured on the test rig didn't work, it is configured the same as the live rig which does work.

In troubleshooting, I edited the IAS profile to remove/ relaxe the strength of encryption and methods.  This worked, but we didn't want the settings relaxed.   Hence posting the question.

A day later it worked how I wanted it to.  Hence time fixed it.  The client cert had not propagated

Author

Commented:
test rig just took a while to issue user certs, was a new user

Explore More ContentExplore courses, solutions, and other research materials related to this topic.