Screen OS


LDAP Authentication Problems

  • 1.  LDAP Authentication Problems

    Posted 09-21-2009 10:32

    I've got a Netscreen 50 running firmware version 5.3.0r3.0 (Firewall+VPN).

     

    I've been trying to get all of my systems syncing with my Active Directory (Windows Server 2008) for all users/passwords.  I've done this with other applications using the LDAP of the Active Directory.  I can successfully connect to my LDAP with an LDAP browser and my other applications.  These successful applications require that I put the domain name in front of the username.  My example is domain "SAF" and user tjohnston, so these settings connect successfully with "SAF\tjohnston" and the password.

     

    When I try the same settings in the Netscreen I get log entry:

     

    User SAF johnston at 10.100.1.223 has been rejected via the LDAP server at 10.6.31.164 (which is the IP of my client, and LDAP server)

     

    In this example it's interpreting the '\t' in my username as a tab.  I've tried putting 2 slashes ("SAF\\tjohnston"), but even though the Netscreen reports the correct username (SAF\tjohnston) it still says it's denied by the LDAP, despite the fact that I can copy and paste the DN from the firewall into my LDAP browser and can connect.

     

    Is there some way to get the Netscreen to put the domain in front of all of my Users' names?  Is there something I'm missing?  Why would the settings that work with my LDAP browser not work with the Netscreen?

     

    Thanks,

     

    Tommy 

    Message Edited by Tjohnston on 09-21-2009 10:44 AM



  • 2.  RE: LDAP Authentication Problems

    Posted 09-22-2009 14:34

    Hi,

     

    As far as I know, there is no support for Windows authentication methods on ScreenOS (LanManager, NTLMv1 or NTLMv2), and that is just what you are trying to use when you use "Domainname\Username".

    Active Directory is supported using LDAP v2 (no v3), and maybe you could also use RADIUS with the Windows 2008 NPS role (it is a RADIUS server).

     

    Just try to log in using only "Username" after setting ScreenOS to search for the sAMAccountName attribute.

    It is what I usually do and it works.

     

    Another point: the only way to secure LDAP traffic from ScreenOS to AD is to encapsulate it in an IPsec VPN. There is no support for LDAPS or LDAP/TLS.

     

     



  • 3.  RE: LDAP Authentication Problems

    Posted 09-22-2009 15:24

    Hey Tommy - the first reply to this post was great in terms of how ScreenOS works (or doesn't) with AD boxes. I personally would recommend that you look to enabling the radius I/F on W2K8 box (through IAS) as if you decide you want to do more than simply use it for passwords you can get into role assignments, etc. with radius.

     

    LDAP on ScreenOS is very, very limited - all you can do is authenticate, not poll for groups...



  • 4.  RE: LDAP Authentication Problems

    Posted 09-24-2009 07:13

    I guess I'll just have to use something else since I can't use the LDAP.  I've played with Radius in the past without any luck.

     

    Does anybody have any recommended walkthroughs for authentication between Windows Active Directory and Netscreen?  I'm a bit of a newbie in the admin role and need a little bit more guidance.

    Update:
    I found this article:
    It has step-by-step instructions to set up a Netscreen for RADIUS auth for VPN access with Windows 2003 or 2008.  I think I could follow most of these steps, but I'm wondering if I would need to do anything different since I'm not needing the VPN access.  I would prefer not to open any external access that isn't necessary.  Can somebody advise me what I might need to do differently for just authentication instead of VPN?

    Thanks,
    Tommy

    Message Edited by Tjohnston on 09-24-2009 08:29 AM


  • 5.  RE: LDAP Authentication Problems

    Posted 09-24-2009 12:09

    Active Directory and Netscreen do not work together. You can get the LDAP to work; it is just not as good as RADIUS if you want to get detailed in terms of various permissions and stuff like that. I do have RADIUS working against ScreenOS firewalls. I use W2K3 and W2K8 IAS (2003) and NPS (2008) and would be glad to give you the details if you would like to go the RADIUS route.

     

    I have gotten LDAP to work in the past and could probably find some notes on it also if you want to stick with that solution. Just let me know!

    Message Edited by muttbarker on 09-24-2009 12:16 PM


  • 6.  RE: LDAP Authentication Problems

    Posted 09-24-2009 13:19

    I just did some testing for fun (bored while eating lunch 🙂

     

    I was able to get LDAP to work successfully for authentication of the Netscreen box. The only issue I found is that it is using the Distinguished Name (DN) for the login - not sAMAccountName (which maps to login name). I messed with it a bit and was not able to create some attributes that would allow me to use the sAMAccountName value instead of DN. As DN is usually pulled from the display name plus the rest of the LDAP string (i.e. cn=users,dc=xxx,dc=com) I don't think that this is what you want.

     

    However, it does work and was pretty simple to get up. Let me know if you want any more details.



  • 7.  RE: LDAP Authentication Problems

    Posted 09-25-2009 06:05

    Hey Kevin,

     

    Thanks for the help.  I would like to keep trying the LDAP because that would use existing software components.  I'm not really using any of the group information at the moment.  Our local DB on the Netscreen just holds usernames/PWs.  Everybody has the same permissions at the moment.

     

    Here are the settings from my Netscreen:  My DC IP address is 10.6.31.164, and my domain is saf.sc.gov.  My current DN is: OU=SAF_USERS,DC=saf,DC=sc,DC=gov.  The CN I'm using is just CN.  (I'm not sure if I should be putting anything else there...)

     

    I'm using JXplorer as an independent test to browse the LDAP.  With these settings it works only with the sAMAccountName (i.e. SAF\<username>).  JXplorer doesn't give me the option of a CN, so I'm not sure how to test for that setting.

     

    Any ideas on what I should try to get it to work?  Ideally I'd like to use only the username instead of the full sAMAccountName.

     

    Thanks!

     

    Tommy



  • 8.  RE: LDAP Authentication Problems
    Best Answer

    Posted 09-25-2009 13:35

    Hey Tommy - did not have any real chance to see how fancy I could get with it. I did determine the following. You can very easily log in using the full distinguished name. To do so you would set up the Auth Server for LDAP using the auth type of admin. The common name identifier is usually going to be "cn"; then you would place the remainder of the DN string (less your name) in the Distinguished Name (DN) field.

     

    I.e., my full DN is: cn=Kevin Barker, cn=Users, DC=itg, DC=com

     

    so the string in Distinguished Name field is: cn=Users, DC=itg, DC=com

     

    The common name identifier value is "cn", and when I log in with "Kevin Barker" it builds the string out to map to my fully qualified DN.

     

    I wanted to find some way to use another value like sAMAccountName or userPrincipalName (login name) but did not have time to test. Hope this helps a little. Also found a nice tool that gives you fully qualified DN values. It is in the zip file. Just unzip it - then from a logged-in session run it and it returns your full DN value.

     

    Message Edited by muttbarker on 09-25-2009 01:35 PM

    Attachment(s): GetMyDN.zip (19 KB, 1 version)


  • 9.  RE: LDAP Authentication Problems

    Posted 10-13-2009 10:44

    Thanks Kevin.  I was able to get the LDAP working when I tried the "Full Name" value.  I had my user set up with the default full name: Test User.  The userid was tuser.  I found out the Display Name in the Active Directory was what showed in the address book and with Outlook.  I'm sure it's not the best solution, but I set the "Full Name" to the userid for all my users, and it looks like the LDAP is working properly.

     

    The only question I've got is related to the length of the authentication.  With my local authentication the users had to authenticate once per day.  It seems the LDAP is forcing a login once, but it doesn't seem to expire after days.  I had one example with the machine shut down for 5 days or so.  When it was powered up and tried to access the web, there was no prompt for user/pw.

     

    I don't want my users to authenticate once with the Active Directory.  It is preferable to have a once a day requirement.  I didn't see any settings about the length of the authentication.  Does anybody know if there's a way to set the time that it takes for a user's authentication to expire?

     

    Thanks,

     

    Tommy
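The following is an added example, not code from the thread or from Juniper: it models the bind-DN construction Kevin describes in post 8 ("cn=<login>," prepended to the configured DN field) against a small constructed directory, and shows why Tommy's "SAF\tjohnston" login never matches while the "Full Name = userid" workaround from post 9 does. The RFC 4514 escaping helper is an assumption about what a careful implementation should do, not a claim about how ScreenOS itself handles special characters.

```python
# Added example (not from the thread): how a cn-based LDAP bind as described in
# post 8 resolves logins, run against constructed sample directory entries.
import re

# Constructed sample AD entries, keyed by DN. A cn-based bind can only match the
# DN; sAMAccountName (the Windows login name) is never consulted, which is the
# limitation the thread keeps running into.
SAMPLE_DIRECTORY = {
    "cn=Kevin Barker,cn=Users,dc=itg,dc=com": {"sAMAccountName": "kbarker"},
    # "Full Name" (cn) deliberately set equal to the userid, as in post 9.
    "cn=tuser,ou=SAF_USERS,dc=saf,dc=sc,dc=gov": {"sAMAccountName": "tuser"},
}

_RDN_SPECIALS = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so user input cannot add or alter RDNs
    (e.g. a login containing ',' must not splice a new 'ou=' into the DN)."""
    escaped = _RDN_SPECIALS.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_bind_dn(cn_identifier: str, base_dn: str, login: str) -> str:
    """Mirror the post 8 behaviour: '<cn-id>=<login>,' + configured DN field."""
    return f"{cn_identifier}={escape_rdn_value(login)},{base_dn}"


def normalise_dn(dn: str) -> str:
    """Case-fold and strip the optional whitespace after unescaped commas so
    'cn=Users, DC=itg, DC=com' compares equal to 'cn=users,dc=itg,dc=com'."""
    parts = re.split(r"(?<!\\),\s*", dn)
    return ",".join(p.strip() for p in parts).lower()


def bind_would_succeed(cn_identifier: str, base_dn: str, login: str,
                       directory=SAMPLE_DIRECTORY) -> bool:
    """True only if the constructed DN names an existing entry."""
    target = normalise_dn(build_bind_dn(cn_identifier, base_dn, login))
    return any(normalise_dn(dn) == target for dn in directory)


if __name__ == "__main__":
    saf_base = "OU=SAF_USERS,DC=saf,DC=sc,DC=gov"
    for login in ("tuser", "SAF\\tjohnston", "tjohnston"):
        print(f"{build_bind_dn('cn', saf_base, login)!r:55} -> "
              f"{bind_would_succeed('cn', saf_base, login)}")
```

Only logins that equal an entry's cn resolve; a DOMAIN\user form or a bare sAMAccountName that differs from the display name produces a DN that does not exist, which is the rejection Tommy saw in the firewall log.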



  • 10.  RE: LDAP Authentication Problems

    Posted 10-16-2009 14:42
    You can use the "forced timeout" option on the entry for the LDAP auth server itself. It is set in minutes and will kill the auth and the sessions. That is the only option that I know of.


  • 11.  RE: LDAP Authentication Problems

    Posted 10-20-2009 03:54

     

    Hi muttbarker

     

    Many thanks for your tool.

     

    Thanks



  • 12.  RE: LDAP Authentication Problems

    Posted 10-20-2009 03:56

    Hi Kevin 

    Many thanks for your tool.

     

    Thanks



  • 13.  RE: LDAP Authentication Problems

    Posted 02-08-2011 14:56

    Kevin

    I found this old post relevant to an issue I am currently having with my SSG-20 I set up today to authenticate VPN clients to LDAP. The JTAC tech and I could only get a successful login if we used the display name and password vice username and password. How do I get that username to work so I don't have to tell the remote users to use their display name vice their username?

    Thanks!

    Matt Lenco

    mlenco@sms-fed.com



  • 14.  RE: LDAP Authentication Problems

    Posted 02-08-2011 16:40

    Hey Mateo - traveling so I don't have direct access to my boxes as an admin - but if memory serves me you CAN'T use username (sAMAccountName in LDAP terms) - ScreenOS does not let you define it.

     

    My recommendation would be to use RADIUS against your AD server, not LDAP.