Juniper Firewall 5XP + IAS Radius 2003 server
Hi All,
Required Solution: Customer has a wireless LAN that requires users to be authenticated using a RADIUS server rather than using the basic and limited authentication service provided on the firewall itself. It's requested that the users do not need to join a domain and just need to provide a login username and password when they want to surf the web and the company guest intranet.
Test LAB:
1x 2003 server install with AD, IAS and DNS service installed.
Juniper 5xp firewall
Laptop client
I have configured the Juniper 5xp firewall to point towards my preset IAS RADIUS server. I have set up a firewall policy on the firewall that allows users of my trusted zone to have HTTP, HTTPS and DNS outgoing traffic to my untrust zone. This policy is set up to use authentication and points towards my IAS RADIUS server. I have also set it up to authenticate for an external user group which I have named Domain Computers (I'm not sure if this step is required).
Ok, onto my IAS setup. I have configured my RADIUS client as my firewall and set the Client Vendor as RADIUS Standard. I have set the shared secret the same as the shared secret on the 5xp firewall. I then set up a remote access policy and set the "type" as VPN and then placed the domain users and domain computers into the group match for the policy. I set the policy up to use PAP authentication because, after reading Juniper knowledge base documentation, apparently only PAP is supported when configuring an IAS RADIUS auth setup. I set the EAP type as Smart Card or certificate. I have already issued a certificate using a 3rd party application for the IAS server to use.
I have created a few test AD accounts and also I have raised the domain native level to 2003, and selected "use the remote access policy" for the three test users.
Ok, that's my setup. To my limited knowledge regarding IAS and RADIUS I think I have thought of every step. Now, as a test I connect my laptop to the trust network and open up Internet Explorer and, to my joy, I get a window asking for authentication. So I put in the login details of one of the AD users that I had created, so for example username: test, password: test. Now, if I check the event viewer I get IAS logs, which to me so far is a good thing. The error returned is reason code=48, Reason= The connection attempt did not match any remote access policy. So I double check the remote access policy to make sure that domain users and computers are selected. To my understanding any computer that's connected to the network is part of the domain computers group, whether or not the client is logged into the domain.
Now after hours and hours of testing and rebuilding everything and reading link after link after link, I'm well stuck. Because now I have no other methods of troubleshooting, I'm pretty much out of ideas.
Can anyone out there help me PLEASE???
Kind Regards,
MP
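The PAP exchange this setup relies on, as an added example that is not part of the original post and is not Juniper or Microsoft code: it builds a RADIUS Access-Request with the User-Password hidden under the shared secret as RFC 2865 specifies, and shows on the server side that a mismatched secret yields an unreadable password rather than any wire-level error. The credentials, NAS address and secret are constructed sample values.

```python
# Constructed example of RFC 2865 PAP password hiding between a RADIUS client
# (standing in for the firewall) and a server such as IAS. Not ScreenOS/IAS code.
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 1, 2, 4

def _pap_xor(data, secret, authenticator, decrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # block), the first block chaining on the Request Authenticator. On the
    # server the chain runs over the received ciphertext blocks instead.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")  # NUL-pad
    return _pap_xor(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(username: str, password: str, secret: bytes, nas_ip: str) -> bytes:
    auth = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = b""
    for code, value in ((USER_NAME, username.encode()),
                        (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
                        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", code, len(value) + 2) + value  # TLV attribute
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + auth + attrs

def server_extract_password(packet: bytes, secret: bytes) -> bytes:
    # Server side: un-hide User-Password with the secret configured for this
    # client. A mismatched secret yields garbage, not an error: nothing in a
    # plain Access-Request lets the server detect a wrong secret.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    auth, pos = packet[4:20], 20
    while code == ACCESS_REQUEST and pos < length:
        acode, alen = packet[pos], packet[pos + 1]
        if acode == USER_PASSWORD:
            return reveal_password(packet[pos + 2:pos + alen], secret, auth)
        pos += alen
    return b""
```

Because the hiding is only MD5 keyed by the shared secret, PAP over RADIUS is no stronger than that secret and the network path between firewall and IAS; a long secret and a protected management segment are the mitigations.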