
[SRX] Example - How to configure Dynamic VPN with user grouping using external LDAP authentication


Article ID: KB30927 KB Last Updated: 29 Jul 2016Version: 2.0
Summary:

This article provides an example on how to configure Dynamic VPN (DVPN) with user grouping using external LDAP authentication.

Symptoms:

The goal is to demonstrate how to configure user grouping in Dynamic VPN.

Cause:

Solution:

Beginning with Junos 12.1X44-D10, DVPN with user grouping is supported.

The following excerpt is from Dynamic Virtual Private Network (DVPN) Enhancement

Local User configured in SRX

When users are configured locally, they are configured under the [access] hierarchy and arranged into groups using the existing client-group configuration knob. That group name is then used to look up the client configuration under the [dynamic-vpn] hierarchy for users belonging to the group. The user-groups knob under the [dynamic-vpn] hierarchy contains the user group names.


Example: Local user and group configured under [access] and group configured under [dynamic-vpn]
set security dynamic-vpn access-profile dvpn-xauth
set security dynamic-vpn clients all remote-protected-resources 192.168.200.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn p2-dvpn
set security dynamic-vpn clients all user-groups Sales
set access profile dvpn-xauth authentication-order password
set access profile dvpn-xauth address-assignment pool d-pool
set access profile dvpn-xauth client desmond firewall-user password <DELETE>
set access profile dvpn-xauth client desmond client-group Sales
set access profile dvpn-xauth session-options client-group Sales

set access address-assignment pool d-pool family inet network 192.168.200.0/24
set access address-assignment pool d-pool family inet range d-range low 192.168.200.150
set access address-assignment pool d-pool family inet range d-range high 192.168.200.155

Users on an external LDAP server

When users are configured on an external authentication server, such as a RADIUS or LDAP server, they no longer have to be configured under the [access] hierarchy. When authd authenticates a user, it also includes the client-group in its reply. This group name is extracted and matched against the user-groups configured under the [dynamic-vpn] hierarchy to determine which client configuration to retrieve and return to the client for tunnel establishment.

Example: LDAP authentication configured and group configured under [dynamic-vpn]. Notice that no user or client-group is configured under [access]; the group name comes from the LDAP reply.

set security dynamic-vpn access-profile dvpn-xauth
set security dynamic-vpn clients all remote-protected-resources 192.168.200.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn p2-dvpn
set security dynamic-vpn clients all user-groups Sales
set access profile dvpn-xauth authentication-order ldap
set access profile dvpn-xauth address-assignment pool d-pool
set access profile dvpn-xauth ldap-options base-distinguished-name CN=Users,DC=rittal,DC=china
set access profile dvpn-xauth ldap-options search search-filter sAMAccountName=
set access profile dvpn-xauth ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=rittal,DC=china
set access profile dvpn-xauth ldap-options search admin-search password juniper123
set access profile dvpn-xauth ldap-server 1.1.1.1
set access address-assignment pool d-pool family inet network 192.168.200.0/24
set access address-assignment pool d-pool family inet range d-range low 192.168.200.150
set access address-assignment pool d-pool family inet range d-range high 192.168.200.155

The following screenshot (not reproduced here) shows user "desmond" configured with group "Sales" on the Microsoft LDAP server.

Note the following for DVPN user grouping:

  • Local user grouping works beginning with Junos 12.1X44-D10
  • External LDAP Server authentication is not supported in Junos 12.1X44. It starts working from 12.1X45-D10.

The following DVPN debug output shows that in Junos 12.1X44 the SRX cannot extract the Group attribute from the LDAP response (the group list printed after authentication is empty, so no client configuration is found and the login fails), whereas in 12.1X46 the group "Sales" is stored and the login proceeds to the license check:

//12.1X44
Oct 29 10:12:51 httpd gk sending DVPN LOGIN request for username (desmond) ip (172.27.6.103)
Oct 29 10:12:51 httpd_gk_mgd_connect_cb: httpd gk request for fd 6 type 3
Oct 29 10:12:51 acadia_authenticate_user: username = desmond, token = , client_identifier = df6d64acdcdaf34cab589de0391f1f4d
Oct 29 10:12:51 dvpn_username_password_authentication: username = desmond
Oct 29 10:12:51 acadia_fwauthd_authenticate: checking socket connection for write on socket 13 ...
Oct 29 10:12:51 acadia_fwauthd_check_socket: checking socket connection...
Oct 29 10:12:51 acadia_fwauthd_authenticate: sending auth request to fwauthd to socket 13
Oct 29 10:12:51 source IP: ac1b0667
Oct 29 10:12:51 acadia_fwauthd_authenticate: write to fwauthd ret=6628, errno=45

Oct 29 10:12:51 acadia_fwauthd_authenticate: checking socket connection for read on socket 13 ...
Oct 29 10:12:51 acadia_fwauthd_check_socket: checking socket connection...
Oct 29 10:12:51 acadia_fwauthd_authenticate: Waiting for response from fwauthd user desmond
Oct 29 10:12:51 source IP: ac1b0667
Oct 29 10:12:51 acadia_fwauthd_authenticate: firewall authentication completed Read 6628 bytes from fwauthd on socket 13, auth code 2, username desmond

Oct 29 10:12:51 source IP: ac1b0667
Oct 29 10:12:51 Authentication of user desmond with fwauthd successful
Oct 29 10:12:51 dvpn_username_password_authentication: fwauthd succeeded
Oct 29 10:12:51 print_group_list
Oct 29 10:12:51    ""

Oct 29 10:12:51 check_user: user does not exist
Oct 29 10:12:51 get_config_by_username: First connection for user desmond at IP 172.27.6.103
Oct 29 10:12:51 get_client_vpn_config_for_user: Looking for a config for user desmond
Oct 29 10:12:51 get_client_vpn_config_for_group: Looking for a config for usergroup
Oct 29 10:12:51 dvpn_username_password_authentication: return code from get_client_config_by_username: -1
Oct 29 10:12:51 dvpn_username_password_authentication: no user config available.
Oct 29 10:12:51 DVPN LOGIN request received for username (desmond) ip (172.27.6.103): Failed

//12.1X46
Oct 28 17:40:02 httpd gk sending DVPN LOGIN request for username (desmond) ip (172.27.6.103)
Oct 28 17:40:02 httpd_gk_mgd_connect_cb: httpd gk request for fd 12 type 3
Oct 28 17:40:02 acadia_authenticate_user: username = desmond, token = , client_identifier = df6d64acdcdaf34cab589de0391f1f4d
Oct 28 17:40:02 dvpn_username_password_authentication: username = desmond
Oct 28 17:40:02 acadia_fwauthd_authenticate: checking socket connection for write on socket 13 ...
Oct 28 17:40:02 acadia_fwauthd_check_socket: checking socket connection...
Oct 28 17:40:02 acadia_fwauthd_authenticate: sending auth request to fwauthd to socket 13
Oct 28 17:40:02 source IP: ac1b0667
Oct 28 17:40:02 acadia_fwauthd_authenticate: write to fwauthd ret=6628, errno=45

Oct 28 17:40:02 acadia_fwauthd_authenticate: checking socket connection for read on socket 13 ...
Oct 28 17:40:02 acadia_fwauthd_check_socket: checking socket connection...
Oct 28 17:40:02 acadia_fwauthd_authenticate: Waiting for response from fwauthd user desmond
Oct 28 17:40:02 source IP: ac1b0667
Oct 28 17:40:02 acadia_fwauthd_authenticate: firewall authentication completed Read 6628 bytes from fwauthd on socket 13, auth code 2, username desmond

Oct 28 17:40:02 source IP: ac1b0667
Oct 28 17:40:02 Authentication of user desmond with fwauthd successful
Oct 28 17:40:02 groups_str2list: num_groups: 1
Oct 28 17:40:02 store_groups: group_name from authd: Sales
Oct 28 17:40:02 store_groups: group_name in httpd-gk: Sales
Oct 28 17:40:02 dvpn_username_password_authentication: fwauthd succeeded
Oct 28 17:40:02 print_group_list
Oct 28 17:40:02    "Sales"

Oct 28 17:40:02 check_user: user does not exist
Oct 28 17:40:02 do_add_token: username "desmond", usergroup "Sales", ike user type = 2
Oct 28 17:40:02 find_acadia_cib_by_user: Searching CIB info for user: desmond
Oct 28 17:40:02 find_acadia_cib_by_user: Could not find cinfo for user: desmond
Oct 28 17:40:02 get_token_entry_by_ike_id: Searching token info for user connection with ike-id: 92a710db3e9471324fe0f0f299948176
Oct 28 17:40:02 get_token_entry_by_ike_id: Found token entry for user connection at 172.27.6.103 with ike id 92a710db3e9471324fe0f0f299948176
Oct 28 17:40:02 dvpn_check_license--license available
Oct 28 17:40:02 prepare_client_config: License check request sent with token_idx 0, ike-id desmonddvpn, socket 12, gk type 3
Oct 28 17:40:02 send_msg_to_gk: received license check status for token_idx 0 on socket 12 and gk type 3.

Oct 28 17:40:02 send_msg_to_gk: License available for desmond with ike-id desmonddvpn.
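The two traces above differ only in whether a group name reaches httpd-gk after fwauthd succeeds, and that is the single fact that decides whether the [dynamic-vpn] user-groups lookup described earlier can select a client configuration. The following Python script is an added example (not Juniper code and not part of the original article) that parses excerpts of the two debug traces, records the groups httpd-gk stored, and then simulates the user-groups match against a dict built from the article's `set security dynamic-vpn clients all ...` lines. The regexes, the `DvpnLoginTrace` structure and the dict layout are this example's own assumptions about the log format; the log lines themselves are quoted from the article.

```python
"""Parse SRX DVPN (httpd-gk) debug output and check the user-group lookup.

Added example, not Juniper code. The log format assumed here is the one
quoted in KB30927; the data structures are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Patterns for the debug lines of interest (timestamp prefix is skipped by search()).
RE_AUTH_OK = re.compile(r"Authentication of user (\S+) with fwauthd successful")
RE_GROUP_GK = re.compile(r"store_groups: group_name in httpd-gk: (\S+)")
RE_GROUP_LIST = re.compile(r"print_group_list\s*$")
# The line after print_group_list is just a timestamp and a quoted group name ("" if none).
RE_QUOTED = re.compile(r'^\w{3} +\d+ [\d:]+ +"([^"]*)"\s*$')
RE_LOGIN_FAILED = re.compile(r"DVPN LOGIN request received for username \((\S+)\).*: Failed")
RE_LICENSE = re.compile(r"License available for (\S+) with ike-id")


@dataclass
class DvpnLoginTrace:
    username: Optional[str] = None
    auth_succeeded: bool = False
    groups: List[str] = field(default_factory=list)   # groups httpd-gk actually stored
    login_failed: bool = False
    license_ok: bool = False


def parse_dvpn_debug(text: str) -> DvpnLoginTrace:
    """Walk one DVPN LOGIN attempt and record what httpd-gk learned from authd."""
    trace = DvpnLoginTrace()
    in_group_list = False
    for line in text.splitlines():
        if in_group_list:
            m = RE_QUOTED.match(line)
            if m:
                if m.group(1) and m.group(1) not in trace.groups:
                    trace.groups.append(m.group(1))
                continue
            in_group_list = False          # group list ended
        m = RE_AUTH_OK.search(line)
        if m:
            trace.username, trace.auth_succeeded = m.group(1), True
            continue
        m = RE_GROUP_GK.search(line)
        if m:
            if m.group(1) not in trace.groups:
                trace.groups.append(m.group(1))
            continue
        if RE_GROUP_LIST.search(line):
            in_group_list = True
        elif RE_LOGIN_FAILED.search(line):
            trace.login_failed = True
        elif RE_LICENSE.search(line):
            trace.license_ok = True
    return trace


def select_client_config(groups: List[str], clients: Dict[str, dict]) -> Optional[str]:
    """Mimic get_client_vpn_config_for_group from the trace: return the first
    [dynamic-vpn] client whose user-groups contains a group authd returned,
    or None (the trace's "no user config available")."""
    for name, cfg in clients.items():
        if any(g in cfg.get("user-groups", []) for g in groups):
            return name
    return None


def diagnose(trace: DvpnLoginTrace, clients: Dict[str, dict]) -> str:
    """Explain the outcome of a login attempt in terms of the grouping logic."""
    if not trace.auth_succeeded:
        return "authentication failed"
    if not trace.groups:
        return ("authenticated but authd returned no group; with LDAP this is the "
                "12.1X44 behaviour (group extraction needs 12.1X45-D10 or later)")
    client = select_client_config(trace.groups, clients)
    if client is None:
        return "group %s matches no dynamic-vpn clients user-groups" % ",".join(trace.groups)
    return "client config %s selected for groups %s" % (client, ",".join(trace.groups))


# Excerpts of the two debug traces quoted in the article.
LOG_12_1X44 = """\
Oct 29 10:12:51 Authentication of user desmond with fwauthd successful
Oct 29 10:12:51 dvpn_username_password_authentication: fwauthd succeeded
Oct 29 10:12:51 print_group_list
Oct 29 10:12:51    ""
Oct 29 10:12:51 check_user: user does not exist
Oct 29 10:12:51 get_client_vpn_config_for_group: Looking for a config for usergroup
Oct 29 10:12:51 dvpn_username_password_authentication: no user config available.
Oct 29 10:12:51 DVPN LOGIN request received for username (desmond) ip (172.27.6.103): Failed
"""

LOG_12_1X46 = """\
Oct 28 17:40:02 Authentication of user desmond with fwauthd successful
Oct 28 17:40:02 groups_str2list: num_groups: 1
Oct 28 17:40:02 store_groups: group_name from authd: Sales
Oct 28 17:40:02 store_groups: group_name in httpd-gk: Sales
Oct 28 17:40:02 print_group_list
Oct 28 17:40:02    "Sales"
Oct 28 17:40:02 do_add_token: username "desmond", usergroup "Sales", ike user type = 2
Oct 28 17:40:02 send_msg_to_gk: License available for desmond with ike-id desmonddvpn.
"""

# The article's "set security dynamic-vpn clients all ..." lines as a dict (layout assumed).
DVPN_CLIENTS = {
    "all": {
        "remote-protected-resources": ["192.168.200.0/24"],
        "remote-exceptions": ["0.0.0.0/0"],
        "ipsec-vpn": "p2-dvpn",
        "user-groups": ["Sales"],
    }
}

if __name__ == "__main__":
    for label, log in (("12.1X44", LOG_12_1X44), ("12.1X46", LOG_12_1X46)):
        t = parse_dvpn_debug(log)
        print(label, t.groups, "->", diagnose(t, DVPN_CLIENTS))
```

Running the script reports an empty group list and the 12.1X44 explanation for the first trace, and `client config all selected for groups Sales` for the second. On a live SRX the same check is the first thing to look at when a DVPN user authenticates but still gets "no user config available": confirm a `store_groups: group_name in httpd-gk:` line exists and that its value is spelled exactly as in `set security dynamic-vpn clients <name> user-groups`.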
