Screen OS


  • 1.  LDAP/AD Authentication Help

    Posted 07-14-2015 14:18

    I am looking for some assistance with my issue. I am using an SSG 5 running 6.3.0r18.0. I can only get the Juniper to authenticate against AD using the CN. LDAP login works, but AD requires a sAMAccountName or a Domain\Username form for authentication. I need the "tweak" that enables this last step. I am pasting my config below so that any of you CLI gurus can spot my error. Any help would be highly appreciated. (Note: the IP addresses are masked, but the paste still contains the encrypted admin password, RADIUS secret, XAuth user password and IKE preshared key, and the "set domain" line shows the real domain name; anyone posting a config this way should treat those values as disclosed and rotate them.)

     

     

    unset key protection enable
    set clock timezone -8
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "IPSec Port" protocol udp src-port 0-65535 dst-port 500-501
    set service "IPSec Port" + udp src-port 0-65535 dst-port 4500-4501
    set service "ESP" protocol 50
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth-server "LDAP" id 1
    set auth-server "LDAP" server-name "172.x.x.4"
    set auth-server "LDAP" account-type xauth
    set auth-server "LDAP" type ldap
    set auth-server "LDAP" ldap cn "CN"
    set auth-server "LDAP" ldap dn "CN=users,DC=nooxx,DC=com"
    set auth-server "NRC-Radius" id 2
    set auth-server "NRC-Radius" server-name "172.x.x.4"
    set auth-server "NRC-Radius" account-type admin
    set auth-server "NRC-Radius" radius secret "ovwZc47qNa4iAbsf9eCdtbxcqdnD6G7Y/w=="
    set auth-server "LDAP_Dialup" id 3
    set auth-server "LDAP_Dialup" server-name "172.x.x.4"
    set auth-server "LDAP_Dialup" account-type admin
    set auth-server "LDAP_Dialup" timeout 40
    set auth-server "LDAP_Dialup" type ldap
    set auth-server "LDAP_Dialup" ldap cn "CN"
    set auth-server "LDAP_Dialup" ldap dn "CN=users,DC=nooxx,DC=com"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "admin"
    set admin password "nEn0AvrHM+GMc7CIJsPGJLItV6H0qn"
    set admin port 8080
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin auth remote root
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface "tunnel.1" zone "Untrust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 75.x.x.193/30
    set interface ethernet0/0 nat
    set interface bgroup0 ip 172.x.x.1/24
    set interface bgroup0 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/0
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage telnet
    set interface ethernet0/0 manage ssl
    set interface bgroup0 manage mtrace
    set auth-server "LDAP_Dialup" src-interface "ethernet0/0"
    set interface ethernet0/0 vip interface-ip 25 "SMTP" 172.x.x.4
    set interface ethernet0/0 vip interface-ip 80 "HTTP" 172.x.x.4
    set interface ethernet0/0 vip interface-ip 443 "HTTPS" 172.x.x.4
    set interface ethernet0/0 vip interface-ip 389 "LDAP" 172.x.x.4
    set interface "ethernet0/0" mip 75.x.x.193 host 172.x.x.0 netmask 255.255.255.255 vr "trust-vr"
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set console timeout 0
    set console page 0
    set domain nooksacktga.com
    set hostname TGAFW
    set dbuf size 4096
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 75.75.75.75
    set dns host dns2 172.x.x.4
    set dns host dns3 0.0.0.0
    set address "Trust" "10.12.15.0/24" 10.12.15.0 255.255.255.0
    set address "Trust" "172.x.x.0/24" 172.x.x.0 255.255.255.0
    set address "Trust" "172.x.x.4/24" 172.x.x.4 255.255.255.0
    set address "Untrust" "172.x.x.0/24" 172.x.x.0 255.255.255.0
    set address "Untrust" "2.2.2.2/32" 2.2.2.2 255.255.255.255
    set address "Untrust" "75.x.x.193/32" 75.x.x.193 255.255.255.255
    set ippool "Dial_pool" 172.x.x.51 172.x.x.61
    set user "Dial" uid 6
    set user "Dial" ike-id fqdn "dial@nooxxx.com" share-limit 20
    set user "Dial" type ike
    set user "Dial" "enable"
    set user "ed" uid 2
    set user "ed" type xauth
    set user "ed" password "Ice1KvlRNP0hwusa0RCmhMYc74nUMtnfRg=="
    unset user "ed" type auth
    set user "ed" "enable"
    set user "test_dial" uid 3
    set user "test_dial" ike-id u-fqdn "test@ns.com" share-limit 10
    set user "test_dial" type ike
    set user "test_dial" "enable"
    set user-group "Dialup_group" id 6
    set user-group "Dialup_group" user "test_dial"
    set crypto-policy
    exit
    set ike gateway "NRC-GW1" dialup "Dialup_group" Aggr outgoing-interface "ethernet0/0" preshare "SrycNktfNwHFgJsMMsCXd9DDDOnKi3u10g==" proposal "pre-g2-3des-sha"
    unset ike gateway "NRC-GW1" nat-traversal udp-checksum
    set ike gateway "NRC-GW1" nat-traversal keepalive-frequency 5
    set ike gateway "NRC-GW1" xauth server "LDAP"
    unset ike gateway "NRC-GW1" xauth do-edipi-auth
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth default ippool "Dial_pool"
    set xauth default dns1 172.x.x.4
    set xauth default dns2 172.x.x.12
    set xauth default wins1 172.x.x.4
    set vpn "NRC-GW1 VPN" gateway "NRC-GW1" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
    set url protocol websense
    exit
    set policy id 13 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 13
    exit
    set policy id 9 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "ANY" permit
    set policy id 9
    exit
    set policy id 1 from "Trust" to "Untrust" "172.x.x.0/24" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 12 name "LDAP" from "Untrust" to "Trust" "75.x.x.193/32" "172.x.x.0/24" "LDAP" permit
    set policy id 12
    exit
    set policy id 14 from "Untrust" to "Trust" "Dial-Up VPN" "172.x.x.0/24" "ANY" tunnel vpn "NRC-GW1 VPN" id 0x1 log
    set policy id 14
    set log session-init
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set ssl port 4433
    set snmp port listen 161
    set snmp port trap 162
    set snmpv3 local-engine id "0162112012003850"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/0 gateway 75.x.x.194
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 2.  RE: LDAP/AD Authentication Help

    Posted 07-14-2015 21:04

    That will not work as configured. For whatever reason, the ScreenOS LDAP auth-server does not support binding by the sAMAccountName attribute; it only lets you set the common-name identifier and the base DN. I used RADIUS instead and got it working the way I wanted; the link below shows the setup with a Windows 2008 server. If you go the RADIUS route, use a long random shared secret, restrict the NPS/IAS client entry to the firewall's address, and keep the RADIUS exchange on the internal (Trust) side rather than sourcing it from the Internet-facing ethernet0/0 as your "LDAP_Dialup" server does, since RADIUS only obscures the password and should not cross untrusted networks. Separately, regardless of which authentication method you end up with, the posted config exposes LDAP (389) to the Untrust side through a VIP and enables telnet management on ethernet0/0; both are worth closing.

     

    https://vnetwise.wordpress.com/2012/05/20/2008r2-radius-authentication-for-juniper-screenos/

     




  • 3.  RE: LDAP/AD Authentication Help

    Posted 07-15-2015 09:41

    I am most grateful! I have briefly read through the article. I am on it this morning and will post results before the end of the day.

     

    Thank You,



  • 4.  RE: LDAP/AD Authentication Help

    Posted 07-17-2015 11:48

    SUCCESS! I have just completed the process. I found that there are many details that are not documented for creating a working Dial-Up VPN with NCP and Windows AD authentication. I have now spent the better part of a month on R&D, JTAC assistance, more R&D, forums and KB articles. Persistence paid off for this newbie.

     

    I first attempted LDAP with Server 2003 and an IAS server, but found that the AD and the server I had inherited were ailing and corrupt. A new Server 2008 R2 and an entirely new AD were built, so I had a solid, clean AD and DNS platform on which to begin the project again.

     

    My setup is a Juniper SSG 5 running 6.3.0r18.0 and Windows Server 2008 R2 SP1.

     

    I had four different JTAC technicians attempt, via remote support, to perform the proper setup for the Dial-Up VPN, XAuth, LDAP and RADIUS. I was able to escalate my case to Tier 2, and that is when the Juniper was finally configured for proper RADIUS/AD authentication. It is an exacting setup that has to be followed precisely to succeed.

     

    https://www.corelan.be/index.php/2009/01/22/juniper-netscreen-remote-dial-up-vpn-with-ad-radius-authentication-and-route-based-vpn-tunnel-interface/

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB6648

     

    The above URLs were the most accurate guides I found. Both were supplied to me by Tier 2 JTAC support.

     

    I also found, through hundreds of forum threads, that users who resolved their problems rarely posted their fixes. I hope someone finds this R&D effort useful for their own setup.

     

    NEVER say die!!!!

     

    Duggan59