
[SRX] Dynamic VPN XAUTH using LDAP

[KB21978]


Summary:

This article provides information about the configuration for authenticating dynamic VPN users, using Active Directory as the Lightweight Directory Access Protocol (LDAP) server.

Symptoms:

  • XAUTH using LDAP server for dynamic VPN users
  • IP pool configuration
Cause:

Solution:

For more information on dynamic VPN configuration, refer to KB14318 - SRX Getting Started - Configure Dynamic VPN (VPN Client).

For LDAP, no configuration change is needed on the Active Directory (AD) server. By default, AD servers listen on port 389 (LDAP) and port 636 (LDAPS).

The access profile configuration on SRX for LDAP is as follows:

set access profile dyn-vpn-ldap-xauth authentication-order ldap
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-pool
set access profile dyn-vpn-ldap-xauth ldap-options base-distinguished-name CN=Users,DC=firewall,DC=com (location from where the LDAP search for users starts)
set access profile dyn-vpn-ldap-xauth ldap-options search search-filter sAMAccountName=
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=firewall,DC=com (user who is authorized to search the LDAP tree)
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search password <Administrator Password>
set access profile dyn-vpn-ldap-xauth ldap-server <AD Server IP address> port <389 for LDAP or 636 for LDAPS>
set access firewall-authentication pass-through default-profile dyn-vpn-ldap-xauth
set access firewall-authentication web-authentication default-profile dyn-vpn-ldap-xauth

Note: To find the base DN of the user or administrator, use any LDAP browser; for example, search the Internet for ldp.exe, which is a basic LDAP browser.

When using LDAP groups to authenticate a user, refer to KB30927 - [SRX] Example - How to configure Dynamic VPN with user grouping using external LDAP authentication.

Note: The client-group option is supported on dynamic VPN only in Junos 12.1X45 and later.

The IP address pool configuration is as follows (the user will be assigned the IP from this pool):

set access address-assignment pool dyn-vpn-pool family inet network <IP network for dynamic VPN users> (e.g. 192.168.100.0/24)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range low <starting IP address for dynamic VPN users> (e.g. 192.168.100.1)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range high <ending IP address for dynamic VPN users> (e.g. 192.168.100.100)

Note: The IP network used for dynamic VPN users should be different from the IP network of the external interface used in the IKE configuration.

The access profile is then linked to the XAUTH configuration of the dynamic VPN IKE gateway:

set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-ldap-xauth
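
As an added example (not from the KB or from Juniper), the following Python pre-commit check validates the address pool values against the IKE external interface subnet, as the note above requires, and renders the access-profile, pool and gateway `set` commands shown in this article. The SAMPLE values, including the 192.0.2.10 AD server and the 203.0.113.1/24 external interface address, are constructed placeholders; the admin-search password is deliberately left as the KB's placeholder.

```python
import ipaddress
# Constructed sample values standing in for the KB's <placeholders>; external_if is the IKE external interface.
SAMPLE = dict(
    profile="dyn-vpn-ldap-xauth", pool="dyn-vpn-pool", server="192.0.2.10", port=636,
    base_dn="CN=Users,DC=firewall,DC=com", admin_dn="CN=Administrator,CN=Users,DC=firewall,DC=com",
    network="192.168.100.0/24", low="192.168.100.1", high="192.168.100.100", external_if="203.0.113.1/24",
)

def pool_problems(network, low, high, external_if):
    """Return the consistency problems with the client pool (an empty list means OK)."""
    problems = []
    net = ipaddress.ip_network(network)  # raises ValueError if host bits are set in the pool network
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    ext = ipaddress.ip_interface(external_if).network
    if lo not in net or hi not in net:
        problems.append("range is not inside the pool network")
    if lo > hi:
        problems.append("range low is above range high")
    if net.overlaps(ext):  # KB note: the pool subnet must differ from the IKE external interface subnet
        problems.append("pool network overlaps the IKE external interface network")
    return problems

def render_config(profile, pool, server, port, base_dn, admin_dn, network, low, high, external_if):
    """Build the KB's 'set' commands, refusing inconsistent input. The admin-search
    password stays a placeholder so it is never embedded in a script or a log."""
    if port not in (389, 636):  # prefer 636: LDAPS protects the admin bind and XAUTH credentials in transit
        raise ValueError("LDAP port must be 389 (LDAP) or 636 (LDAPS)")
    problems = pool_problems(network, low, high, external_if)
    if problems:
        raise ValueError("; ".join(problems))
    ap = f"set access profile {profile}"
    pl = f"set access address-assignment pool {pool} family inet"
    return [
        f"{ap} authentication-order ldap",
        f"{ap} address-assignment pool {pool}",
        f"{ap} ldap-options base-distinguished-name {base_dn}",
        f"{ap} ldap-options search search-filter sAMAccountName=",
        f"{ap} ldap-options search admin-search distinguished-name {admin_dn}",
        f"{ap} ldap-options search admin-search password <Administrator Password>",
        f"{ap} ldap-server {server} port {port}",
        f"{pl} network {network}",
        f"{pl} range {pool}-range low {low}",
        f"{pl} range {pool}-range high {high}",
        f"set security ike gateway dyn-vpn-local-gw xauth access-profile {profile}",
    ]

if __name__ == "__main__":
    print("\n".join(render_config(**SAMPLE)))
```

Running it prints the commands ready to paste into configuration mode; a pool that shares the external interface's subnet or an unexpected LDAP port raises instead of producing a configuration.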

Under security > dynamic-vpn, add all the users that are going to use the dynamic VPN. The command is as follows:

set security dynamic-vpn clients all user <AD user login name>

(Repeat this command for each user who is going to use dynamic VPN; the name given is that user's AD login name.)
