ScreenOS Firewalls (NOT SRX)
Contributor
willerman
Posts: 13
Registered: ‎11-20-2008

XAuth: When to use "XAuth Server" or "Use Default"

Hi guys,

I wonder if any of you can explain when one should use "XAuth Server" or "Use Default" in the gateway parameters of the VPN configuration.

When I choose "Use Default" the gateway obviously uses the global XAuth settings where IP Pool, DNS, default auth server, etc. are defined.

So when I choose "Use Default" the gateway will search the whole local user-db for the authenticating xauth-user. Correct?

When I choose "XAuth Server" I can restrict the VPN user to either a single user or user group (so not all xauth-users in the user-db are able to authenticate). Correct?

But how do I assign an IP Pool when using "XAuth Server" in the VPN Gateway Parameters?

Cheers

Thorsten

Distinguished Expert
muttbarker
Posts: 2,372
Registered: ‎01-29-2008

Re: XAuth: When to use "XAuth Server" or "Use Default"

You can assign the IP to the user you specify as the IKE user for the G/W.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
willerman
Posts: 13
Registered: ‎11-20-2008

Re: XAuth: When to use "XAuth Server" or "Use Default"

So, I cannot use an IP Pool when I select XAuth Server?

Instead I have to assign the IP manually to the user or all the users in a group??

Wow....

Distinguished Expert
muttbarker
Posts: 2,372
Registered: ‎01-29-2008

Re: XAuth: When to use "XAuth Server" or "Use Default"

YES! You can use an IP Pool - I think I had a typo in my reply. If you set up a local user, define them for XAuth, and associate an IP Pool with that user, they will take the settings from the pool that they were assigned to.

Kevin Barker
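
The setup described in the last reply, written out as ScreenOS CLI (an added example, not configuration posted by anyone in this thread). The pool names, address ranges, user name, password and gateway name are constructed placeholders, the gateway is assumed to be defined already, and the `#` lines are annotations rather than commands.

```screenos
# Constructed placeholders throughout: pool names, ranges, user, gateway.

# Two address pools: one for the global default, one for a restricted user.
set ippool "xa-default-pool" 10.10.10.1 10.10.10.50
set ippool "xa-admin-pool" 10.10.20.1 10.10.20.10

# Global XAuth settings. A gateway left on "Use Default" takes its
# auth server, IP pool and DNS from here.
set xauth default auth server "Local"
set xauth default ippool "xa-default-pool"
set xauth default dns1 10.10.0.53

# Local user defined for XAuth and associated with its own pool.
set user "xa-admin1" password "<placeholder-password>"
set user "xa-admin1" type xauth
set user "xa-admin1" remote-settings ippool "xa-admin-pool"

# Gateway set to "XAuth Server": only this user may authenticate on it,
# and the user's address comes from the pool assigned to the user above.
set ike gateway "gw-admin-dialup" xauth server "Local" user "xa-admin1"
```

Keeping the restricted user's pool separate from the default pool also lets firewall policies match on the pool range, so access can be scoped by source address as well as by who is allowed to authenticate on the gateway.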