This article describes the issue of TACACS+ or TACPLUS authentication not being supported by J-Web login.
- When TACPLUS configured in SRX, SSH can login without any issues; but J-Web can login at times, however it also fails at times.
- In the case of TACPLUS login failure with J-Web, the following error message is generated in the message log:
123checklogin[81632]: warning: can't get client address: Bad file descriptor checklogin[81632]:rad_send_request: No valid RADIUS responses received checklogin[81632]: WEB_AUTH_FAIL:Unable to authenticate httpd client (username lab)
This issue might be due to the TACPLUS server returning the TACACS+ Authentication response packet with the server message that has either password or Password mentioned in it. Based on JTAC testing in 11.4R6 and 12.1R4, if password or Password is mentioned in the server message, SRX fails to proceed to authentication in J-Web.
The following image illustrates the decrypted TACACS Authentication response with the Enter your Domain Password server message, which is 28 in length:
If the server message is password or Password, SRX can proceed to authentication in J-Web. The following image illustrates the decrypted TACACS Authentication
Response with the Server message as Password:
Note: This issue does not occur with SSH, as J-Web triggers a login script that checks the server message in the TACACS Authentication response.
Currently, J-Web login does not support TACPLUS authentication. As a workaround, use local authentication for J-Web login.
Leave a Reply