SRX Services Gateway

Dynamic-VPN / LDAP auth with group mapping

07-23-2019 02:46 AM

Hi @All,

I'm currently trying to set up a dynamic VPN using an SRX345 with LDAP authentication. We would like to use the user's LDAP group and map it to a certain VPN policy configured on the SRX (JUNOS 15.1X49-D150.2). When searching through the forum I also find some posts saying that this is not supported. Furthermore, I'm not able to find any commands to map a user's LDAP group to a policy.

Can someone please let me know if this feature is supported?

Thanks, Martin

Re: Dynamic-VPN / LDAP auth with group mapping

07-23-2019 08:38 AM

Martin,

There is a VPN-to-LDAP user-group mapping that happens at a different hierarchy.

For example, here is where you define the profile for LDAP/the user-group:

set access profile profile1 authentication-order ldap
set access profile profile1 address-assignment pool POOL-DYNAMIC-VPN
set access profile profile1 ldap-options base-distinguished-name CN=VPN-Users,OU=O1,DC=O1,DC=org
set access profile profile1 ldap-options search search-filter sAMAccountName=
set access profile profile1 ldap-options search admin-search distinguished-name CN=admin,OU=O1,DC=O1,DC=org
set access profile profile1 ldap-options search admin-search password "$9$345$$mTQntuOdsfsfaadhcr5Q/t0ISydfdfwM8Xxwg"
set access profile profile1 ldap-server 1.1.1.1

And here is where you map the user-groups to the dynamic-vpn:

set security dynamic-vpn access-profile profile1
set security dynamic-vpn clients DYNAMIC-VPN remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients DYNAMIC-VPN remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients DYNAMIC-VPN ipsec-vpn IPSECVPN-DYNAMIC-VPN
set security dynamic-vpn clients DYNAMIC-VPN user-groups VPN-Users

Let me know if that helps.

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
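As an added example (not from this thread and not a Juniper tool), the following Python checker parses set-style commands like the ones in the reply above and verifies the cross-references a reviewer would look for before committing: that dynamic-vpn points at a defined access profile whose authentication-order includes ldap and which has an ldap-server and an address pool, that every clients entry is bound to an ipsec-vpn, protects some resources and names at least one user-group, and that the admin-search bind password pasted into the snippet is in Junos's $9$ obfuscated form rather than clear text. The sample input is the configuration from the reply, embedded as a constructed string; all function names are mine.

```python
"""Cross-check a Junos set-style dynamic-VPN / LDAP configuration snippet."""
import shlex

# Constructed sample input: the set commands from the reply above, pasted as-is.
SAMPLE_CONFIG = """
set access profile profile1 authentication-order ldap
set access profile profile1 address-assignment pool POOL-DYNAMIC-VPN
set access profile profile1 ldap-options base-distinguished-name CN=VPN-Users,OU=O1,DC=O1,DC=org
set access profile profile1 ldap-options search search-filter sAMAccountName=
set access profile profile1 ldap-options search admin-search distinguished-name CN=admin,OU=O1,DC=O1,DC=org
set access profile profile1 ldap-options search admin-search password "$9$345$$mTQntuOdsfsfaadhcr5Q/t0ISydfdfwM8Xxwg"
set access profile profile1 ldap-server 1.1.1.1
set security dynamic-vpn access-profile profile1
set security dynamic-vpn clients DYNAMIC-VPN remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients DYNAMIC-VPN remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients DYNAMIC-VPN ipsec-vpn IPSECVPN-DYNAMIC-VPN
set security dynamic-vpn clients DYNAMIC-VPN user-groups VPN-Users
"""


def parse_set_commands(text):
    """Return each 'set ...' line as a token list (quotes honoured, leading 'set' dropped)."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])
    return cmds


def build_model(cmds):
    """Collect the parts of the access-profile and dynamic-vpn stanzas that we cross-check."""
    profiles = {}
    dyn = {"access_profile": None, "clients": {}}
    for t in cmds:
        if t[:2] == ["access", "profile"] and len(t) > 3:
            p = profiles.setdefault(t[2], {"auth_order": [], "servers": [], "pool": None,
                                           "base_dn": None, "admin_dn": None, "admin_pw": None})
            rest = t[3:]
            if rest[0] == "authentication-order":
                p["auth_order"] += rest[1:]
            elif rest[0] == "ldap-server" and len(rest) > 1:
                p["servers"].append(rest[1])
            elif rest[:2] == ["address-assignment", "pool"] and len(rest) > 2:
                p["pool"] = rest[2]
            elif rest[:2] == ["ldap-options", "base-distinguished-name"] and len(rest) > 2:
                p["base_dn"] = rest[2]
            elif rest[:4] == ["ldap-options", "search", "admin-search", "distinguished-name"] and len(rest) > 4:
                p["admin_dn"] = rest[4]
            elif rest[:4] == ["ldap-options", "search", "admin-search", "password"] and len(rest) > 4:
                p["admin_pw"] = rest[4]
        elif t[:2] == ["security", "dynamic-vpn"] and len(t) > 3:
            if t[2] == "access-profile":
                dyn["access_profile"] = t[3]
            elif t[2] == "clients" and len(t) > 5:
                c = dyn["clients"].setdefault(t[3], {"user_groups": [], "ipsec_vpn": None, "resources": []})
                if t[4] == "user-groups":
                    c["user_groups"].append(t[5])
                elif t[4] == "ipsec-vpn":
                    c["ipsec_vpn"] = t[5]
                elif t[4] == "remote-protected-resources":
                    c["resources"].append(t[5])
    return profiles, dyn


def check_dynamic_vpn_ldap(text):
    """Return a list of findings; an empty list means the cross-references line up."""
    profiles, dyn = build_model(parse_set_commands(text))
    findings = []
    ap = dyn["access_profile"]
    if ap is None:
        findings.append("dynamic-vpn has no access-profile")
    elif ap not in profiles:
        findings.append(f"dynamic-vpn references undefined access profile {ap}")
    else:
        p = profiles[ap]
        if "ldap" not in p["auth_order"]:
            findings.append(f"profile {ap}: authentication-order does not include ldap")
        if not p["servers"]:
            findings.append(f"profile {ap}: no ldap-server configured")
        if p["pool"] is None:
            findings.append(f"profile {ap}: no address-assignment pool for VPN clients")
        if p["base_dn"] is None:
            findings.append(f"profile {ap}: no base-distinguished-name")
        if (p["admin_dn"] is None) != (p["admin_pw"] is None):
            findings.append(f"profile {ap}: admin-search needs both distinguished-name and password")
        # Junos stores secrets as $9$ obfuscated strings; anything else means the
        # pasted snippet carries the LDAP bind password in clear text.
        if p["admin_pw"] is not None and not p["admin_pw"].startswith("$9$"):
            findings.append(f"profile {ap}: admin-search password appears in clear text")
    if not dyn["clients"]:
        findings.append("dynamic-vpn defines no clients")
    for name, c in dyn["clients"].items():
        if not c["user_groups"]:
            findings.append(f"clients {name}: no user-groups, so no LDAP group is mapped to it")
        if c["ipsec_vpn"] is None:
            findings.append(f"clients {name}: no ipsec-vpn bound")
        if not c["resources"]:
            findings.append(f"clients {name}: no remote-protected-resources")
    return findings


if __name__ == "__main__":
    for finding in check_dynamic_vpn_ldap(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show configuration | display set` export before a change window; the clear-text check is the one most often missed when configs are shared for review, because Junos only converts a typed password to its $9$ form at commit.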

Re: Dynamic-VPN / LDAP auth with group mapping

07-26-2019 12:34 PM

Martin,

What you are looking for is explained in the following KB under the "Users on an external LDAP server" section:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30927&actp=METADATA

Let us know if you have any other questions.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: Dynamic-VPN / LDAP auth with group mapping

07-31-2019 12:38 PM

Hi Martin,

I can see that the post is not marked as Resolved and I was wondering if the information provided was useful or if there is anything else we could help you with.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!