Juniper Firewall 5XP + IAS Radius 2003 server


mark.pashby
Hi All,

Required Solution: Customer has a wireless LAN that requires users to be authenticated using a RADIUS server rather than using the basic and limited authentication service provided on the firewall itself. It's requested that the users do not need to join a domain and just need to provide a login username and password when they want to surf the web and the company guest intranet.

Test LAB:

1x 2003 server install with AD, IAS and DNS service installed.
Juniper 5xp firewall
Laptop client

I have configured the Juniper 5XP firewall to point towards my preset IAS RADIUS server. I have set up a firewall policy on the firewall that allows users of my trusted zone to have HTTP, HTTPS and DNS outgoing traffic to my untrust zone. This policy is set up to use authentication and points towards my IAS RADIUS server. I have also set it up to authenticate for an external user group which I have named Domain Computers (I'm not sure if this step is required).

Ok, onto my IAS setup. I have configured my RADIUS client as my firewall and set the Client Vendor as RADIUS Standard. I have set the shared secret the same as the shared secret on the 5XP firewall. I then set up a remote access policy, set the "type" as VPN and then placed the domain users and domain computers into the group match for the policy. I set the policy up to use PAP authentication because, after reading Juniper knowledge base documentation, apparently only PAP is supported when configuring an IAS RADIUS auth setup. I set the EAP type as Smart Card or certificate. I have already issued a certificate using a 3rd party application for the IAS server to use.

I have created a few test AD accounts, raised the domain native level to 2003, and selected "use the remote access policy" for the three test users.

Ok, that's my setup; to my limited knowledge regarding IAS and RADIUS I think I have thought of every step. Now, as a test I connect my laptop to the trust network and open up Internet Explorer, and to my joy I get a window asking for authentication. So I put in the login details of one of the AD users that I had created, for example username: test, password: test. Now, if I check the event viewer I get IAS logs, which to me so far is a good thing... the error returned is reason code=48 Reason= The connection attempt did not match any remote access policy. So I double check the remote access policy to make sure that domain users and computers are selected. To my understanding any computer that's connected to the network is part of the domain computers group, whether or not the client is logged into the domain.

Now, after hours and hours of testing and rebuilding everything and reading link after link after link, I'm well stuck. Because now I have no other methods of troubleshooting, I'm pretty much out of ideas.

Can anyone out there help me PLEASE???

Kind Regards,

MP
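As an added example (not from the original post or from Juniper/Microsoft), a small Python script that triages IAS denial events like the reason-code=48 one described above, so that policy-match failures can be told apart from credential failures before rebuilding anything. The event text and addresses are constructed samples shaped after the "Reason-Code = N ... Reason = text" wording quoted in the post; the mapping of code 16 to bad credentials is an assumption, code 48 is the one the post reports.

```python
import re
from collections import Counter

# Constructed sample Event Viewer text (not real captures). Each line is one
# denied-access event; user names, NAS name and client address are placeholders.
SAMPLE_EVENTS = """\
User test was denied access. Client-IP-Address = 192.0.2.1 NAS-Identifier = ns5xp Authentication-Type = PAP Reason-Code = 48 Reason = The connection attempt did not match any remote access policy.
User test was denied access. Client-IP-Address = 192.0.2.1 NAS-Identifier = ns5xp Authentication-Type = PAP Reason-Code = 48 Reason = The connection attempt did not match any remote access policy.
User bob was denied access. Client-IP-Address = 192.0.2.1 NAS-Identifier = ns5xp Authentication-Type = PAP Reason-Code = 16 Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""

# Triage hints per reason code. 48 is the code from the post; 16 as the
# bad-credentials code is an assumption for this example.
REASON_HINTS = {
    48: "no remote access policy matched: review policy conditions (group match, "
        "connection type) before touching credentials or the shared secret",
    16: "credentials rejected: user name or password wrong, policy did match",
}

# "Key = value" pairs; a value runs until the next " Key = " or end of line,
# so the free-text Reason field is captured whole.
FIELD_RE = re.compile(r"([A-Z][\w-]*) = (.*?)(?= [A-Z][\w-]* = |$)")
USER_RE = re.compile(r"^User (\S+) was denied access\.")


def parse_event(line):
    """Extract user, reason code and reason text from one denial event line."""
    m = USER_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    return {
        "user": m.group(1) if m else None,
        "client": fields.get("Client-IP-Address", ""),
        "reason_code": int(fields.get("Reason-Code", -1)),
        "reason": fields.get("Reason", ""),
    }


def summarize(text):
    """Parse all non-empty lines; return the events and a per-code counter."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return events, Counter(e["reason_code"] for e in events)


def triage(text):
    """Return (reason_code, count, hint) tuples, most frequent code first."""
    _, by_code = summarize(text)
    return [(code, n, REASON_HINTS.get(code, "other: read the Reason text"))
            for code, n in by_code.most_common()]


if __name__ == "__main__":
    for code, n, hint in triage(SAMPLE_EVENTS):
        print(f"reason {code}: {n} event(s) -> {hint}")
```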
    deepsand

    Suggest that you try the "Questions" forum.
    The "Discussion" forum is for matters of general discussion, not specific problems in search of a solution.

    Post problems such as this to the "Question" forum, rather than the "Discussion" forum. There are those who specifically seek out problems in need of a solution, and that's where they go to look for such.

    Additionally there are the benefits that:

    1) The "Questions" forum provides for your feedback, by way of your being able to mark "helpful" responses as such. This does not necessarily mean that a given response contained the complete solution to your problem, but only that it served to guide you toward it. This is intended to serve as an aid to those who may in the future have a problem similar to yours, so that they might have a ready source of reference available, thereby perhaps obviating the need for them to repeat questions previously asked and answered.

    2) The revised TR makes it quite difficult to find both "Discussions" and "Questions" that have not had a fairly recent post, owing to some functions commingling them in the listings. By keeping each type in their respective forums, it is easier for all to find what they are seeking.

    neill71

    Do a search for ns10315.pdf on the Juniper site;
    it's a step-by-step how-to.
