Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Archive] [SRX] XAuth for Dynamic VPN users using IAS

0

0
Article ID: KB21979 KB Last Updated: 20 Jul 2020Version: 4.0 Summary:

This article provides information about the configuration for authenticating dynamic VPN users using the IAS server. It also provides the IAS configuration and configuration details for SRX devices.

 

Symptoms:

  1. XAUTH using IAS Server for Dynamic VPN users

  2. IP Pool configuration

  3. IAS Server configuration

 

Solution:

For information on the Dynamic-VPN configuration, refer to KB14318 - SRX Getting Started - Configure Dynamic VPN (VPN Client).

You have to install IAS on the server running Active Directory (AD) or any Win2K or Win2K3 server in the AD server domain. For more information on IAS Installation, refer to Install IAS.

The following configuration is the access profile configuration on SRX for LDAP:

set access profile dyn-vpn-radius-xauth authentication-order radius
set access profile dyn-vpn-radius-xauth address-assignment pool dyn-vpn-pool
set access profile dyn-vpn-radius-xauth radius-server 10.204.115.12 port 1812
set access profile dyn-vpn-radius-xauth radius-server 10.204.115.12 secret <Secret password> (This should be same on SRX & IAS).
set access firewall-authentication pass-through default-profile dyn-vpn-radius-xauth
set access firewall-authentication web-authentication default-profile dyn-vpn-radius-xauth

The following configuration is the IP address pool configuration. Users will be given an IP address from this pool.

set access address-assignment pool dyn-vpn-pool family inet network <IP Network for Dynamic-VPN User> (eg. 192.168.100.0/24)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range low <Starting IP address for Dynamic-VPN User> (eg. 192.168.100.1)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range high <ending IP address for Dynamic-VPN User> (eg. 192.168.100.100)

Note: The IP Network used for Dynamic VPN users should be different from the IP Network of the external-interface used in the IKE configuration. Also, the ability to assign a static IP address to a specific client is not supported at this time.

Under security > dynamic-vpn, you have to add all the users that are going to use the dynamic VPN. The command is as follows:

set security dynamic-vpn clients all user <User going to use dynamic-vpn.

This will be the AD user login name for each user.

For information on the IAS configuration, refer to KB22482 - [SRX] IAS configuration.

 

Modification History:

2020/07/20: Tagged to archive article; EOL devices and old technology; content still relevant

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search