
Is there a relatively easy way to enable the Juniper RADIUS dictionary in ISE 2.2?

David Bird
Level 1

I have set up a pretty wide open policy set for some Juniper firewalls, and it is allowing the authentication in ISE, but the same auth still fails on the Junipers. Any ideas?


Craig Hyps
Level 10

The question is not clear, since you stated "it is allowing the authentication in ISE, but the same auth still fails on the Junipers". Is auth working for some devices but not others, or is all auth from Juniper failing? The failure reason (details under the red log entry in RADIUS Live Logs) should indicate the failure reason.

The Juniper RADIUS dictionary is loaded by default in ISE. If hitting the correct policy and ISE states auth success, then expect that the Juniper FW is rejecting the authorization response. You can verify what is sent in Live Log details. You can also select Juniper-specific authorizations by selecting the Advanced Attributes and picking the Juniper RADIUS dictionary.

hslai
Cisco Employee

Assuming you meant the auth records in ISE showing passing, then please debug on the Juniper side and seek support from Juniper. I found a couple of articles on the net that might be of help:

It's a bit odd that after my post the question was solved with an old post. David?

Hi David,

How did you solve this?

I have the same issue with one SRX and one vSRX, both on version 15. I have other similar devices running similar versions, and with those I'm successful.

In ISE logs, RADIUS access-accept is returned but the authentication on the device is 'access denied'. I already read the material posted here and other resources. I did the debug on Junipers (traceoptions) and all my ideas are exhausted now. I have to surrender and open a case with Juniper.

Your feedback will be much appreciated.

Thanks,

Catalin