SRX Services Gateway

SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 12:11 AM

Hi,

 

I am facing a challenge in configuring user-groups for dynamic VPN. In our case the user authentication for the dynamic VPN should be from Windows Active Directory. When I configure a specific username, the authentication works fine. For example: set security dynamic-vpn clients wizard-dyn-group user john. When I configure a user-group, it does not work: set security dynamic-vpn clients wizard-dyn-group user-groups CN=VPN,DC=domain,DC=com. In Active Directory all VPN users are members of the VPN group. Any thoughts?

Regards

Najeeb


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 01:09 AM

Hi

Are you sure your group is a CN? If you simply create a group, maybe this won't work.

When I used this feature on a Cisco ASA, I encountered this problem. Create an OU and use OU=VPN,dc=domain,dc=com, for example.

Regards

Alex Makhinov 

Sorry for my English

Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 04:05 AM

Hi Najeeb,

To follow up on the group authentication/access question, the closest feature available is to have the SRX defer the decision on who has access to the VPN solely to the LDAP server.

This is a feature available in 12.1X44-D10 and later Junos releases.

 

You can read up on this more here:

http://www.juniper.net/techpubs/en_US/junos12.1x45/topics/concept/dynamic-vpn-enhancement-understand....

 

In short,

 

1. If you want to only allow a specific group in the LDAP server to use VPN: This cannot be done easily and you'd need to manually define the user names as we have today.

 

2. If you want any user defined in the LDAP server to use VPN but don't want to manually add the user names in the SRX: You can upgrade to 12.1X44-D30 and follow the instructions in the link above.


Regards,
rparthi

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 04:35 AM

Hi rparthi,

Thanks for your suggestion.

I configured based on the same document and it is not authenticating. Our requirement is to authenticate any user in the AD and to avoid adding the usernames manually to the SRX. So as per the document I configured the user-group, but I am getting the error "No Configuration Available for the user".

 

Thanks

Najeeb

 


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 05:04 AM

Hi Najeeb,

 

Is it possible to share the VPN related configuration?

Kindly remove the actual IP addresses and add dummy IP details.

Also share the Junos code that you are running on the SRX.

 

Regards,
rparthi


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 02:01 PM

Hi ,

 

Please find the attached config for the VPN. Junos Ver: 12.1X44-D30.4

 

Thanks

Najeeb

 


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 10:46 PM

Hi Najeeb,

 

You need to specify the exact group name of the VPN users under set security dynamic-vpn clients wizard-dyn-group user-groups.

set security dynamic-vpn clients wizard-dyn-group user-groups DC=domain,DC=com

DC=domain,DC=com will not help. You need to configure the exact LDAP group name of the VPN user.

 

Regards,
rparthi



Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 10:55 PM

Hi,

 

Initially we configured with the exact groups and it was not working. For testing I removed the groups. We have already configured a group in AD called VPN.

Please find the initial config:

set security dynamic-vpn clients wizard-dyn-group user-groups CN=VPN,DC=domain,DC=com

Regards

Najeeb

 


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-17-2014 11:03 PM

Hi Najeeb,

 

Mention only the client group name and do not use the cn=,dc= format.

set security dynamic-vpn clients test user-groups VPN

 

Regards,

rparthi



Re: SRX - Dynamic VPN - Active Directory Integration

‎06-25-2014 04:35 AM

Hi najeeb,

 

Did the config suggestion I posted in my previous update help you?

Kindly update me so that this thread can be closed and it can help other users.

 

Regards,

rparthi

Re: SRX - Dynamic VPN - Active Directory Integration

‎06-25-2014 08:41 AM

Hi,

 

Sorry, it's not working.

 

Najeeb


Re: SRX - Dynamic VPN - Active Directory Integration

‎06-26-2014 11:07 PM

Hi Najeeb,

 

I verified, and only the group name needs to be mentioned in the dynamic VPN stanza.

Maybe the LDAP server is sending incorrect information due to the VPN users belonging to multiple groups.

Can you create a new user, add him to the VPN group and then verify it?

 


Thanks & Regards,

rparthi


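The two points rparthi makes above (the user-groups entry must be the bare group name, not the CN=...,DC=... DN, and a user in several groups may confuse matching) can be checked offline before touching the gateway. The Python below is an added illustration, not code from this thread or from Juniper, and it makes one assumption: that the group names to compare against are the CN values of the user's Active Directory memberOf attribute (the memberOf values here are constructed sample data). It parses RFC 4514 DNs with backslash escapes, pulls out each group's CN, and shows that a configured value of "VPN" matches while "CN=VPN,DC=domain,DC=com" never does.

```python
"""Added illustration (not from the thread or from Juniper): shows why a
user-groups entry of "CN=VPN,DC=domain,DC=com" never matches when the
comparison is against the bare group name, and how to check which group
names a user's AD memberOf values actually carry.
Assumption: group names are the CN of each memberOf DN. Sample data below
is constructed."""


def split_dn(dn):
    """Split an RFC 4514 DN into RDN strings, honouring backslash escapes
    so a comma inside a value (e.g. "CN=Smith\\, John") does not split."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def group_name(dn):
    """Return the value of the first CN= RDN, i.e. the bare group name."""
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return value.strip()
    return None


def matching_groups(member_of, allowed):
    """Return the allowed group names the user actually belongs to.
    Comparison is case-insensitive, as AD group names are."""
    names = {group_name(dn).lower() for dn in member_of if group_name(dn)}
    return sorted(g for g in allowed if g.lower() in names)


# Constructed sample: a user who is in several AD groups, including VPN,
# one of which has an escaped comma in its name.
SAMPLE_MEMBER_OF = [
    "CN=VPN,DC=domain,DC=com",
    "CN=Domain Users,CN=Users,DC=domain,DC=com",
    "CN=Ops\\, Night Shift,OU=Groups,DC=domain,DC=com",
]


def demo():
    # The form that worked in the thread: the bare group name.
    ok = matching_groups(SAMPLE_MEMBER_OF, ["VPN"])
    # The form that failed: the whole DN used in place of the name.
    bad = matching_groups(SAMPLE_MEMBER_OF, ["CN=VPN,DC=domain,DC=com"])
    return ok, bad


if __name__ == "__main__":
    print(demo())  # (['VPN'], [])
```

Feed the function the real memberOf values of a test account (for example from an LDAP search run from the gateway's LDAP bind account) to confirm the group name the directory returns is spelled exactly as configured; a mismatch there, rather than the SRX stanza, is the first thing to rule out when a multi-group user fails to authenticate.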