Configure Dynamic-VPN user to be authenticated by Steel-Belted Radius and assigned IP address locally by SRX

Article ID: KB20906 KB Last Updated: 24 Feb 2020 Version: 3.0
Summary:
Dynamic-VPN user authenticated by Steel-Belted Radius, with the IP address assigned locally by the SRX
Symptoms:
For Dynamic VPN, some customers want the RADIUS server to do AAA and the SRX to assign the IP addresses locally.

Can this work?

Our document (Dynamic VPN Configuration for Junos 10.4 - Application Note v2.1) makes it sound as though either RADIUS would have to do both AAA and IP assignment, or the SRX would need to do both.
Solution:
This requirement can be met on the SRX as follows:

Below is a lab topology.

   Steel-Belted radius
          |          
srx220--------------------------------dyn-vpn-client pc

The srx220, the Steel-Belted Radius server and the dyn-vpn-client PC are in the same LAN.
My version of srx220 is 10.4R1.9.

I have tested the scenario with a Juniper Steel-Belted Radius server.
RADIUS authenticates the user, and then the SRX220 assigns an IP address to the VPN client.


Below is a config sample:
root# show access 
profile remote_access_profile {
    authentication-order radius;
    inactive: client user1 {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
    radius-server {
        172.27.186.24 secret "$ABC123"; ## SECRET-DATA
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 10.10.0.0/24;
            xauth-attributes {
                primary-dns 192.168.2.2/32;
                secondary-dns 192.168.2.3/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile remote_access_profile;
    }
}
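
An added example, not part of the original article or of Juniper's tooling: a small Python check that parses `show access` output in the format above and confirms that the profile authenticates through RADIUS while referencing a locally defined address pool. The function names `parse` and `check_profile` and the embedded sample are assumptions made for illustration.

```python
# SAMPLE is constructed from the article's "show access" output; the secret is a placeholder.
SAMPLE = """
profile remote_access_profile {
    authentication-order radius;
    address-assignment {
        pool dyn-vpn-address-pool;
    }
    radius-server {
        172.27.186.24 secret "$ABC123"; ## SECRET-DATA
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 10.10.0.0/24;
        }
    }
}
"""

def parse(text):
    # Brace-style Junos output -> nested dicts; leaf statements map to None.
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop "## SECRET-DATA" annotations
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][line.rstrip(";")] = None
    return stack[0]

def check_profile(cfg, name):
    # Hypothetical helper: returns findings; an empty list means RADIUS auth plus a local pool.
    prof = cfg.get("profile " + name) or {}
    findings = []
    if not any(k.startswith("authentication-order") and "radius" in k.split() for k in prof):
        findings.append("authentication-order does not include radius")
    if not prof.get("radius-server"):
        findings.append("no radius-server configured")
    pools = [k.split()[1] for k in prof.get("address-assignment") or {} if k.startswith("pool ")]
    if not pools:
        findings.append("profile references no address-assignment pool")
    for pool in pools:
        family = ((cfg.get("address-assignment") or {}).get("pool " + pool) or {}).get("family inet") or {}
        if not any(k.startswith("network ") for k in family):
            findings.append("pool %s has no local inet network" % pool)
    return findings
```

Calling `check_profile(parse(text), "remote_access_profile")` on saved `show access` output returns an empty list when both halves of the setup are present.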

Modification History:

2020-02-23: Changed encrypted password to "$ABC123".
