This article describes how to configure an SRX device to authenticate dynamic VPN users against a Microsoft IAS (RADIUS) server. It covers the SRX configuration and points to the matching IAS configuration.
For information on the Dynamic-VPN configuration, refer to KB14318 - SRX Getting Started - Configure Dynamic VPN (VPN Client).
IAS must be installed on the server running Active Directory (AD), or on any Windows 2000 or Windows 2003 server that is a member of the AD domain. For more information on IAS installation, refer to Install IAS.
The following configuration is the access profile configuration on SRX for LDAP:
set access profile dyn-vpn-radius-xauth authentication-order radius
set access profile dyn-vpn-radius-xauth address-assignment pool dyn-vpn-pool
set access profile dyn-vpn-radius-xauth radius-server 10.204.115.12 port 1812
set access profile dyn-vpn-radius-xauth radius-server 10.204.115.12 secret <Secret password> (the shared secret must be identical on the SRX and on IAS)
set access firewall-authentication pass-through default-profile dyn-vpn-radius-xauth
set access firewall-authentication web-authentication default-profile dyn-vpn-radius-xauth
The following configuration is the IP address pool configuration. Users will be given an IP address from this pool.
set access address-assignment pool dyn-vpn-pool family inet network <IP network for Dynamic-VPN users> (e.g. 192.168.100.0/24)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range low <Starting IP address for Dynamic-VPN users> (e.g. 192.168.100.1)
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-pool-range high <Ending IP address for Dynamic-VPN users> (e.g. 192.168.100.100)
Note: The IP Network used for Dynamic VPN users should be different from the IP Network of the external-interface used in the IKE configuration. Also, the ability to assign a static IP address to a specific client is not supported at this time.
Under security > dynamic-vpn, you have to add all the users that are going to use the dynamic VPN. The command is as follows:
set security dynamic-vpn clients all user <User going to use dynamic-vpn>
The user name is the AD login name of each user.
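The three SRX pieces above (RADIUS access profile, address-assignment pool, and dynamic-vpn client list) are easy to mistype, and the note about the pool network clashing with the IKE external-interface network is only caught at run time. The following Python script, an added example that is not part of this KB article or of any Juniper tool, validates a planned pool against those constraints and then renders the corresponding set commands. The external-interface address 203.0.113.5/24, the user names and the shared secret placeholder are constructed values; the profile, pool and RADIUS server values are the ones used on this page.

```python
import ipaddress


def validate_dynvpn_plan(pool_network, range_low, range_high, external_interface):
    """Return a list of problems with a planned dynamic-VPN address pool.

    pool_network:       the pool network in CIDR form, e.g. "192.168.100.0/24"
    range_low/high:     first and last address handed out from the pool
    external_interface: the IKE external-interface address with its prefix
                        length (constructed value for this example)
    An empty list means the plan satisfies every check.
    """
    problems = []
    try:
        # strict=True rejects a "network" that still has host bits set
        net = ipaddress.ip_network(pool_network, strict=True)
    except ValueError as err:
        return ["pool network is not a valid network: %s" % err]
    low = ipaddress.ip_address(range_low)
    high = ipaddress.ip_address(range_high)
    ext_net = ipaddress.ip_interface(external_interface).network

    if low not in net or high not in net:
        problems.append("pool range is not inside the pool network")
    if low > high:
        problems.append("range low is above range high")
    if net.network_address in (low, high) or net.broadcast_address in (low, high):
        problems.append("range includes the network or broadcast address")
    # The KB note: the client pool must not share a network with the
    # external interface used in the IKE configuration.
    if net.overlaps(ext_net):
        problems.append("pool network overlaps the IKE external-interface network")
    return problems


def render_dynvpn_config(profile, pool, pool_network, range_low, range_high,
                         radius_server, radius_port, secret, users,
                         external_interface):
    """Render the SRX 'set' commands shown in the KB for a validated plan."""
    problems = validate_dynvpn_plan(pool_network, range_low, range_high,
                                    external_interface)
    if problems:
        raise ValueError("; ".join(problems))
    if not secret:
        raise ValueError("RADIUS shared secret must not be empty")
    if not users:
        raise ValueError("at least one dynamic-vpn user is required")

    range_name = pool + "-range"
    lines = [
        "set access profile %s authentication-order radius" % profile,
        "set access profile %s address-assignment pool %s" % (profile, pool),
        "set access profile %s radius-server %s port %d"
        % (profile, radius_server, radius_port),
        "set access profile %s radius-server %s secret %s"
        % (profile, radius_server, secret),
        "set access firewall-authentication pass-through default-profile %s" % profile,
        "set access firewall-authentication web-authentication default-profile %s" % profile,
        "set access address-assignment pool %s family inet network %s" % (pool, pool_network),
        "set access address-assignment pool %s family inet range %s low %s"
        % (pool, range_name, range_low),
        "set access address-assignment pool %s family inet range %s high %s"
        % (pool, range_name, range_high),
    ]
    # One 'clients all user' line per AD login name
    lines += ["set security dynamic-vpn clients all user %s" % u for u in users]
    return lines


if __name__ == "__main__":
    # Values from the KB plus constructed external interface, users and secret
    for line in render_dynvpn_config(
            profile="dyn-vpn-radius-xauth", pool="dyn-vpn-pool",
            pool_network="192.168.100.0/24", range_low="192.168.100.1",
            range_high="192.168.100.100", radius_server="10.204.115.12",
            radius_port=1812, secret="<Secret password>",
            users=["alice", "bob"], external_interface="203.0.113.5/24"):
        print(line)
```

Paste the rendered lines into configure mode, then confirm the shared secret on IAS before committing; the script cannot verify the IAS side.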
For information on the IAS configuration, refer to KB22482 - [SRX] IAS configuration.
2020/07/20: Tagged to archive article; EOL devices and old technology; content still relevant