[SRX] Example - Configuring LDAP over TLS for Dynamic VPN user authentication

  [KB32406]


Summary:

Beginning with Junos OS Release 15.1X49-D70, SRX Series devices support the Transport Layer Security (TLS) StartTLS extension for LDAP for firewall user authentication. For more information, see Enabling LDAP Authentication with TLS/SSL for Secure Connections. This article provides an example configuration.

Note: LDAPS is not the same as LDAP with StartTLS. LDAPS is TLS from the first byte, on a dedicated port, TCP 636. LDAP with StartTLS uses the regular LDAP port, TCP 389: the session opens in clear text, the client sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), and only after the server answers with success is the rest of the session, including the bind and the searches, carried inside TLS. A capture on port 389 therefore always shows that first request and response unencrypted; what matters is that no bind is sent before it.
 

Symptoms:

Without TLS/SSL, the LDAP communication between the SRX and the LDAP server is in clear text. A capture on TCP 389 shows the bind DN and password the SRX uses for the admin search, the search filter containing the VPN user name, and the server's responses, all readable by anyone on the path.

 

Solution:

In this example, the LDAP server is an Active Directory server (Windows Server 2012) and only the SRX’s configuration related to LDAP is presented. For more information on Dynamic VPN configuration, refer to KB14318 and KB21978. For more information regarding the different TLS options offered by the SRX for the LDAP communication, refer to Enabling LDAP Authentication with TLS/SSL for Secure Connections.

Note: The "no-tls-certificate-check" option is used in this example to skip validation of the server's certificate; the SRX accepts whatever certificate the server presents. This still protects the LDAP traffic from passive sniffing, but the SRX cannot tell the real Active Directory server from a host that intercepts TCP 389 and presents its own certificate, and such a host would receive the admin-search bind credentials. For a lab the option is convenient; in production, validate the server certificate (see the TLS options document referenced above) and leave this option out. Also note that the admin-search password stored as "$9$..." in the configuration is Junos obfuscation, not a hash: it is reversible, so treat configuration backups containing it as sensitive.

Topology:

Configuration:

set access profile DVPN-PROFILE authentication-order ldap
set access profile DVPN-PROFILE address-assignment pool DVPN-POOL
set access profile DVPN-PROFILE ldap-options base-distinguished-name CN=Users,DC=jtac,DC=com
set access profile DVPN-PROFILE ldap-options search search-filter sAMAccountName=
set access profile DVPN-PROFILE ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=jtac,DC=com
set access profile DVPN-PROFILE ldap-options search admin-search password "$9$0KSY1hyMWxsgJ/CvLxNY25QFnAp"
set access profile DVPN-PROFILE ldap-server 20.20.20.2 tls-type start-tls
set access profile DVPN-PROFILE ldap-server 20.20.20.2 no-tls-certificate-check


LDAP communication encrypted via TLS: with the configuration above, a capture on TCP 389 shows the StartTLS extended request from the SRX and the success response from the server in clear text, followed only by TLS records; the bind and the user search are no longer visible.



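The capture comparison described in the Note and in the Symptoms and Solution sections can be checked mechanically. The following script is an added example, not part of the Juniper article and not SRX code: it implements just enough of the LDAP BER encoding (RFC 4511 ExtendedRequest, ExtendedResponse and simple BindRequest) to decode the clear-text start of a TCP stream to port 389 and report whether a bind with a password was sent before StartTLS succeeded, and whether the stream is really LDAPS (TLS from the first byte) rather than StartTLS. The three captures at the bottom are constructed inline; the admin DN is the one from the configuration above, the password and the TLS bytes are made up.

```python
"""
Added example (not from the Juniper KB): decode the clear-text start of an
LDAP TCP stream and check whether a simple bind (DN + password) was sent
before StartTLS was negotiated. Only the BER/LDAP subset needed for
ExtendedRequest / ExtendedResponse / BindRequest (RFC 4511) is implemented.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# ASN.1 tags used by LDAP (RFC 4511): universal and APPLICATION/context class
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_CTX0 = 0x80          # [0] primitive: simple password / requestName
TAG_CTX10 = 0x8A         # [10] primitive: responseName
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0]
TAG_EXT_REQUEST = 0x77   # [APPLICATION 23]
TAG_EXT_RESPONSE = 0x78  # [APPLICATION 24]


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER, padded so the top bit never reads as a sign."""
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }"""
    op = tlv(TAG_EXT_REQUEST, tlv(TAG_CTX0, STARTTLS_OID.encode()))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + op)


def starttls_response(msg_id: int, result_code: int = 0) -> bytes:
    """ExtendedResponse: LDAPResult (0 = success) plus the StartTLS responseName."""
    op = (tlv(TAG_ENUMERATED, bytes([result_code]))
          + tlv(TAG_OCTET_STRING, b"")           # matchedDN
          + tlv(TAG_OCTET_STRING, b"")           # diagnosticMessage
          + tlv(TAG_CTX10, STARTTLS_OID.encode()))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + tlv(TAG_EXT_RESPONSE, op))


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest { version = 3, name = dn, authentication = simple(password) }"""
    op = ber_int(3) + tlv(TAG_OCTET_STRING, dn.encode()) + tlv(TAG_CTX0, password.encode())
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + tlv(TAG_BIND_REQUEST, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_message(buf: bytes, pos: int = 0):
    """Decode one LDAPMessage at buf[pos]; returns (info dict, position after it)."""
    tag, body, end = read_tlv(buf, pos)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage (expected SEQUENCE tag 0x30)")
    _, mid, p = read_tlv(body)
    op_tag, op, _ = read_tlv(body, p)
    info = {"id": int.from_bytes(mid, "big"), "op": op_tag}
    if op_tag == TAG_EXT_REQUEST:
        _, name, _ = read_tlv(op)
        info["oid"] = name.decode()
    elif op_tag == TAG_EXT_RESPONSE:
        _, rc, p = read_tlv(op)
        _, _, p = read_tlv(op, p)                # matchedDN
        _, _, p = read_tlv(op, p)                # diagnosticMessage
        info["result"] = int.from_bytes(rc, "big")
        if p < len(op):                          # optional responseName [10]
            name_tag, name, _ = read_tlv(op, p)
            if name_tag == TAG_CTX10:
                info["oid"] = name.decode()
    elif op_tag == TAG_BIND_REQUEST:
        _, _, p = read_tlv(op)                   # version
        _, dn, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        info["dn"] = dn.decode()
        info["password"] = cred.decode() if auth_tag == TAG_CTX0 else None
    return info, end


def audit_stream(segments):
    """
    segments: list of (direction, payload) in wire order; "C" is SRX -> server,
    "S" is server -> SRX. Decodes until StartTLS succeeds; everything after that
    is TLS and is not parsed. Returns what a reviewer wants to know.
    """
    report = {"transport": None, "starttls": False, "cleartext_binds": []}
    for direction, payload in segments:
        if report["transport"] is None:
            # A TLS record header (0x16 handshake, 0x03 major version) as the
            # very first bytes means implicit TLS, i.e. LDAPS on 636.
            report["transport"] = "ldaps" if payload[:2] == b"\x16\x03" else "ldap"
        if report["transport"] == "ldaps" or report["starttls"]:
            break                                # encrypted from here on
        pos = 0
        while pos < len(payload):
            info, pos = parse_message(payload, pos)
            if info["op"] == TAG_BIND_REQUEST and info.get("password") is not None:
                report["cleartext_binds"].append(info["dn"])
            if (direction == "S" and info["op"] == TAG_EXT_RESPONSE
                    and info.get("result") == 0 and info.get("oid") == STARTTLS_OID):
                report["starttls"] = True
                break
    return report


# Constructed sample captures (not real SRX traffic). The DN is the admin-search
# DN from the configuration above; the password and TLS bytes are invented.
ADMIN_DN = "CN=Administrator,CN=Users,DC=jtac,DC=com"
TLS_CLIENT_HELLO_STUB = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"  # not parsed

CAPTURE_WITHOUT_TLS = [("C", simple_bind_request(1, ADMIN_DN, "Secret123"))]
CAPTURE_WITH_STARTTLS = [("C", starttls_request(1)),
                         ("S", starttls_response(1, 0)),
                         ("C", TLS_CLIENT_HELLO_STUB)]   # bind now travels inside TLS
CAPTURE_LDAPS = [("C", TLS_CLIENT_HELLO_STUB)]

if __name__ == "__main__":
    for name, cap in [("no TLS", CAPTURE_WITHOUT_TLS),
                      ("StartTLS", CAPTURE_WITH_STARTTLS), ("LDAPS", CAPTURE_LDAPS)]:
        print(name, audit_stream(cap))
```

To use it on a real session, feed audit_stream the reassembled TCP payloads of the port 389 conversation (for example exported from a capture tool as "C"/"S" segments). A non-empty cleartext_binds list with the admin-search DN is exactly the Symptoms picture above; starttls set to True with an empty list is the expected result for the configuration in this article.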