Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Configuring multiple XAuth users in a single group

0

0

Article ID: KB5859 KB Last Updated: 11 Mar 2013Version: 7.0
Summary:

This article provides information on how to configure multiple XAuth users in a single group.

Symptoms:

Environment:

  • Group all dial up users into a dial up group.

  • All Dial Up VPN users are configured with XAuth.

  • In the user configuration, L2TP/XAuth Remote Settings options are filled in.

Symptoms and Errors:

Unable to change the password of a individual user, when in a group.

Cause:

Solution:

Dial-up VPN users can be placed in a dial-up VPN group to reduce administration work. The IKE gateway can then reference an entire VPN group. When configuring Extended Authentication (XAuth), it is recommended to configure XAuth settings globally if you place the users in a dial-up group. If the XAuth settings are configured per user, you will not be able to change a user password until after unbinding the user from the group, the group from the IKE gateway, the IKE gateway from the VPN and the VPN from the policy.

In this example, you have 10 users and you want to configure them for VPN using XAuth. The steps to configure multiple XAuth users in a single group are to create the user, user group, IP pool, and define the XAuth IP settings.

Open the WebUI. For information on how to open the WebUI, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI .

From the NetScreen options menu, click Objects, select Users, and then click Local.
 

Image of step two

Click New.
 

Image of step three

In the User Name text box, enter a user name.
 

Image of step four

Click to select IKE User.
 

Image of step five and six

Click to select Simple Identity, and then in the IKE Identity text box, enter an IKE Identity.

note: Leave the number of multiple logins at 1. Changing this value will make the VPN fail.

Click to select XAuth User, and then in the User Password text box, enter a password and confirm it.
 

Image of step seven and eight

Click OK.

note: Leave the entire L2TP/XAUTH Remote Settings alone. The only reason why you want to fill this in is if you want to specifically control the IP settings, separate from other users

From the NetScreen options menu, click Objects, select Users, and then click Local Groups.
 

Image of step nine

Click New.
 

Image of step ten

In the Group Name text box, enter a group name.
 

Image of step eleven and twelve

Click to select an Available Member, and then click the Add Group Members button.

Click OK.
 

Image of step thirteen

From the NetScreen options menu, click Objects, and then click IP Pools.

Image of step fourteen
 


 

Click New.
 

Image of step fifteen

In the IP Pool Name text box, enter an IP pool name.
 

Image of step sixteen and seventeen

In the Start IP text box, enter a start IP. In the End IP text box, enter an end IP.

Click OK.
 

Image of step eighteen

From the NetScreen options menu, click VPNs, select AutoKey Advanced, and then click XAuth Settings.
 

Image of step nineteen

In the IP Pool drop-down menu, click to select the IP pool name. Enter the DNS and WINS Primary and Secondary Server IP settings in the text boxes provided.

Image of step twenty and twenty-one

Click Apply.

Continue configuring the VPN as normal. With this method of setting the XAuth IP settings globally, it allows an administrator to place all dial-up VPN users in a group and still allow flexibility to change password per user whenever required.

CLI:

set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
set user "Remote_Sales" enable

set user-group "R_S" location local
set user-group "R_S" user "Remote_Sales"

set user "Joe" password "password4joe"
set user "Joe" type xauth
set user "Joe" enable
set user "Mike" password "password4mike"
set user "Mike" type xauth
set user "Mike" enable

set ippool "VPN Pool" 10.1.1.1 10.1.1.254

set xauth default auth server "Local"
set xauth default ippool "VPN Pool"

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search