Juniper Netscreen radius authentication with ACS 5.1

emnyman1027
Level 1

Several of my older Netscreen devices only support RADIUS authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see an auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The Netscreen is set up so that the user privileges are obtained from the ACS server.

Does anyone have a setup where they are using Cisco RADIUS authentication to authenticate Netscreen devices? If so, could you advise on how it's set up?


emnyman1027
Level 1

Issue resolved. We finally set up a packet capture device and monitored the ports and found that the VSA was sending a message saying "VSA too short". After comparing our setup with the old setup and then comparing it to Cisco's config, we decided to delete the VSA and restart ACS. After recreating the VSA, everything worked fine. We then tried with a second custom VSA (Infoblox) and had the same failed result. We did the same process of deleting, restarting, and recreating and everything worked fine. We've come to the conclusion that something during the import from 4.2 to 5.1 corrupted the VSA config.
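The "VSA too short" finding above comes down to how a RADIUS Vendor-Specific Attribute (type 26) is laid out on the wire: a 2-byte attribute header, a 4-byte Vendor-Id, then a vendor sub-type, a vendor sub-length and the value (RFC 2865 section 5.26). A NAS that receives a VSA whose lengths do not cover those fields discards it, and the user lands on the device without the privilege the server "granted". The following script is an added example, not code from the thread or from Cisco or Juniper: it encodes and decodes VSAs and flags the malformed case, so a capture can be checked offline. The NetScreen Vendor-Id 3224 and NS-Admin-Privilege as vendor sub-type 1 are taken from the commonly used RADIUS dictionary for NetScreen and are assumptions here, not values stated in the post; the packets are constructed, not captured.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (type 26) and flag malformed ones."""
import struct

# Assumed for this example (common dictionary values, not stated in the thread).
NETSCREEN_VENDOR_ID = 3224   # NetScreen Technologies enterprise number
NS_ADMIN_PRIVILEGE = 1       # vendor sub-type of NS-Admin-Privilege (integer)
VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs (RFC 2865 5.26)


def build_vsa(vendor_id, vendor_type, value):
    """Encode one VSA: Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Value."""
    payload = struct.pack("!I", vendor_id) + bytes([vendor_type, 2 + len(value)]) + value
    return bytes([VENDOR_SPECIFIC, 2 + len(payload)]) + payload


def parse_vsa(data):
    """Decode the body of a type-26 attribute (everything after Type and Length)."""
    # Need Vendor-Id (4) plus at least Vendor-Type and Vendor-Length (2).
    if len(data) < 6:
        return {"type": VENDOR_SPECIFIC, "error": "VSA too short"}
    vendor_id = struct.unpack("!I", data[:4])[0]
    vtype, vlen = data[4], data[5]
    # Vendor-Length counts Vendor-Type, Vendor-Length and Value; it must fit in the data.
    if vlen < 2 or 4 + vlen > len(data):
        return {"type": VENDOR_SPECIFIC, "vendor_id": vendor_id, "error": "VSA too short"}
    value = data[6:4 + vlen]
    rec = {"type": VENDOR_SPECIFIC, "vendor_id": vendor_id, "vendor_type": vtype, "value": value}
    if vendor_id == NETSCREEN_VENDOR_ID and vtype == NS_ADMIN_PRIVILEGE and len(value) == 4:
        rec["ns_admin_privilege"] = struct.unpack("!I", value)[0]
    return rec


def parse_attributes(body):
    """Walk the attribute list of a RADIUS packet (bytes after the 20-byte header)."""
    out = []
    i = 0
    while i < len(body):
        if len(body) - i < 2:
            out.append({"error": "truncated attribute header"})
            break
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            out.append({"type": atype, "error": "bad attribute length"})
            break
        data = body[i + 2:i + alen]
        out.append(parse_vsa(data) if atype == VENDOR_SPECIFIC else {"type": atype, "value": data})
        i += alen
    return out


def ns_admin_privilege(body):
    """Return the NS-Admin-Privilege integer carried in an Access-Accept body, or None."""
    for rec in parse_attributes(body):
        if "ns_admin_privilege" in rec:
            return rec["ns_admin_privilege"]
    return None


def vsa_errors(body):
    """List the decode errors a strict NAS would raise for the attribute list."""
    return [r["error"] for r in parse_attributes(body) if "error" in r]


# Constructed sample attribute lists (no RADIUS header), not captures from the thread.
# GOOD carries NS-Admin-Privilege = 2 as the original post describes.
GOOD = build_vsa(NETSCREEN_VENDOR_ID, NS_ADMIN_PRIVILEGE, struct.pack("!I", 2))
# BAD is the same attribute cut off right after the Vendor-Id: the NAS has nothing to decode.
BAD = bytes([VENDOR_SPECIFIC, 6]) + struct.pack("!I", NETSCREEN_VENDOR_ID)

if __name__ == "__main__":
    print("good:", ns_admin_privilege(GOOD), vsa_errors(GOOD))
    print("bad: ", ns_admin_privilege(BAD), vsa_errors(BAD))
```

Feeding the attribute bytes of a captured Access-Accept to `vsa_errors` tells you whether the server emitted a usable VSA before you start comparing ACS dictionaries, which is the same question the packet capture in the post answered by hand.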

Does anyone know how to set up the NetScreen VSA and Authorization Profile for RADIUS to work between ACS V5 and Juniper Netscreen? Plenty of documents on how to get TACACS to work, but a lot of our Junipers are on the older software and don't have the TACACS option.