10-03-2011 06:51 PM
Did somebody configured Dynamic VPN with Active Directory Authentication on SRX240 with juneos 11.2R1.10 ?
We did set it up and it is working ok but we run into small issue. Right now to make it work user has to be added also on SRX(just user name) for each user. I would like to have Authentication and Authorization done on AD so the admin of the network would not need to add users into SRX after settingings are done.
juneos 11.1 shows that is supports shared IKE that would allow to use one IKE for all users.
Did somebody experienced this or has any advise on setting it up ?
10-09-2011 06:37 PM
Unfortunately at this time that's the way it works. The reason for it is the lack of a better way to associate users to VPNs. There is an enhancement being developed to allow a radius attribute to pass a client-group attribute that can be used to locate the VPN used for that particular user (instead of matching on the username you'll be matching on the group name).
However, this does not include the AD case as there is no attribute available for this today. Perhaps we can add a simple wildcard match on the client matching definition for a VPN, this should do the trick provided that no other VPNs are configured in the system (or, more accurately, provided that only a single VPN is configured with a wildcard match).
10-10-2011 12:06 AM
The current design of the Dynamic VPN feature requires that a user to be configured under dynamic-vpn knob in order to associate the client VPN configuration with the user.
By grouping the users under a single group, and associating the user-group (group name) with the client vpn configuration, the individual users will need not have to be added into the SRX. However, this enhancement will be introduced through a forth coming RLI in 12.3.