
[SRX] Dynamic VPN XAUTH using LDAP


Article ID: KB21978 KB Last Updated: 05 Mar 2017Version: 8.0
Summary:

This article provides information about the configuration for authenticating dynamic VPN users, using Active Directory as the Lightweight Directory Access Protocol (LDAP) server.

Symptoms:

  • XAUTH using LDAP server for dynamic VPN users
  • IP pool configuration
Cause:

Solution:

For more information on dynamic VPN configuration, refer to KB14318 - SRX Getting Started - Configure Dynamic VPN (VPN Client).

For LDAP, it is not necessary to change the configuration on the Active Directory (AD) server. By default, all AD servers listen on LDAP port 389 and LDAPS port 636.

The access profile configuration on SRX for LDAP is as follows:

set access profile dyn-vpn-ldap-xauth authentication-order ldap
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-pool
set access profile dyn-vpn-ldap-xauth ldap-options base-distinguished-name CN=Users,DC=firewall,DC=com (Location from where LDAP will start searching for users)

set access profile dyn-vpn-ldap-xauth ldap-options search search-filter sAMAccountName=
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=firewall,DC=com (User who is authorized to search the ldap tree)
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search password <Administrator Password>
set access profile dyn-vpn-ldap-xauth ldap-server <AD Server IP address> port 389/636
set access firewall-authentication pass-through default-profile dyn-vpn-ldap-xauth
set access firewall-authentication web-authentication default-profile dyn-vpn-ldap-xauth

Note:  To find the user or administrator base DN, use any LDAP browser. On an Internet search engine, search for ldp.exe, which is a basic LDAP browser.

When using LDAP groups to authenticate a user, refer to KB30927 - [SRX] Example - How to configure Dynamic VPN with user grouping using external LDAP authentication.

Note:  The client-group option is not supported on Dynamic-VPN until Junos 12.1X45 and later.

The IP address pool configuration is as follows (the user will be assigned the IP from this pool):

set access address-assignment pool dyn-vpn-pool family inet network <IP Network for Dynamic-VPN User>  (eg. 192.168.100.0/24)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range low <Starting IP address for Dynamic-VPN User>  (eg. 192.168.100.1)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range high <ending IP address for Dynamic-VPN User> (eg. 192.168.100.100)

Note: The IP network used for dynamic VPN users should be different from the IP network of the external interface used in the IKE configuration.
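As an added check that is not part of this KB article, the Python helper below builds the three pool commands above and enforces the note about the external interface: the range must sit inside the pool network, and the pool network must not overlap the subnet of the external interface used in the IKE gateway. The interface address 203.0.113.1/24 used in the comments is a constructed placeholder.

```python
import ipaddress


def build_pool_config(pool_name, network, low, high, external_iface_address):
    """Return the Junos 'set access address-assignment' lines for a dynamic VPN pool.

    pool_name               - name of the pool (e.g. dyn-vpn-pool)
    network                 - pool network in CIDR form (e.g. 192.168.100.0/24)
    low, high               - first and last address handed to VPN clients
    external_iface_address  - address/prefix of the SRX external interface used by
                              the IKE gateway (constructed example: 203.0.113.1/24)
    Raises ValueError when the pool would be unusable or would clash with the
    external interface network.
    """
    net = ipaddress.ip_network(network, strict=True)   # must be a real network address
    lo = ipaddress.ip_address(low)
    hi = ipaddress.ip_address(high)
    # strict=False: an interface address is a host inside its subnet, not a network.
    ext_net = ipaddress.ip_network(external_iface_address, strict=False)

    if net.version != lo.version or net.version != hi.version:
        raise ValueError("pool network and range must use the same IP version")
    if lo > hi:
        raise ValueError(f"range low {lo} is above range high {hi}")
    # Hosts only: exclude the network and broadcast addresses of the pool network.
    if not (net.network_address < lo and hi < net.broadcast_address):
        raise ValueError(f"range {lo}-{hi} is not within host addresses of {net}")
    # The KB note: the client pool must differ from the external interface network.
    if net.overlaps(ext_net):
        raise ValueError(f"pool {net} overlaps external interface network {ext_net}")

    range_name = f"{pool_name}-range"
    prefix = f"set access address-assignment pool {pool_name} family inet"
    return [
        f"{prefix} network {net}",
        f"{prefix} range {range_name} low {lo}",
        f"{prefix} range {range_name} high {hi}",
    ]


if __name__ == "__main__":
    for line in build_pool_config("dyn-vpn-pool", "192.168.100.0/24",
                                  "192.168.100.1", "192.168.100.100",
                                  "203.0.113.1/24"):
        print(line)
```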

The access profile is linked to the xauth of the gateway for dynamic VPN.

set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-ldap-xauth

Under security > dynamic-vpn, add all the users that are going to use the dynamic VPN. The command is as follows:

set security dynamic-vpn clients all user <AD user login name>

(For users who are going to use dynamic VPN, this will be the AD user login name for each user.)
