About 6 weeks back now I thought this was going to be a quick configuration and I’d be done… this was all back before the global pandemic. Unfortunately, a few minutes turned into a six-week journey.
We were looking to provide our 24×7 and IT support teams with read-only access to the CLI and J-Web interfaces on our EX4300 and EX2300 switches. We were going to start with using TAC_PLUS but we would eventually integrate with our HPE/Aruba ClearPass instances down the road (authenticating against Windows Active Directory).
I quickly found out that authenticating against TACACS+ while logging in via J-Web was broken; SSH worked fine but logging in via the web browser was broken. The error, “Invalid username or password specified”, would always be returned. Some quick troubleshooting showed that the switches weren’t even reaching out to the TACACS+ servers, so we decided to reach out to JTAC. We were running Junos 18.2R3-S2 for the EX2300 and Junos 18.4R2-S2 for the EX4300; these were the recommended software releases for each platform at the time I started this adventure.
This past week Juniper let me know that there was a PR raised for the following:
Logging into JWEB fails with “Invalid username or password specified”, but same credentials work for SSH access to CLI when authentication-order is configured
The issue was resolved in the following software releases:
- EX4300 – Junos 18.4R3
- EX2300 – Junos 18.3R3-S1
I upgraded some switches in order to test and wouldn’t you know it.
It works!
Cheers!
Sergey Minsky says
Geez,
Spent like half of a day trying to resolve J-Web with TACACS issue. Was about to call JTAC but decided to google and found your post. We are running 18.4R2-S3 currently…
Thanks for posting that. Stay safe!
Sergey
Sergey Minsky says
I just wanted to confirm that upgrading the EX4300 to Junos 18.4R3 fixed the issue.
Thanks again!