Juniper SRX

Juniper SRX : Configure Active Directory VPN Authentication

Windows Active Directory (LDAP)

NOTE: LDAP authentication requires Junos 10.4R3, or 11.1 or a later release. On earlier releases an LDAP authentication attempt makes the SRX core-dump and crash.

The following configuration was tested and works on these releases:

'''junos-srxsme-10.4-20110228.0-domestic.tgz'''
'''junos-srxsme-11.1-20110228.0-domestic.tgz'''

set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_ldap
set security dynamic-vpn access-profile remote_access_ldap
set access profile remote_access_ldap authentication-order ldap
set access profile remote_access_ldap address-assignment pool dyn-vpn-address-pool
set access profile remote_access_ldap ldap-options base-distinguished-name CN=Users,DC=srxlab,DC=domain,DC=com
set access profile remote_access_ldap ldap-options search search-filter sAMAccountName=
set access profile remote_access_ldap ldap-options search admin-search distinguished-name cn=administrator,cn=users,dc=srxlab,dc=domain,dc=com
set access profile remote_access_ldap ldap-options search admin-search password "<admin_password>"
set access profile remote_access_ldap ldap-server <ldap_server_ip>
set access firewall-authentication web-authentication default-profile remote_access_ldap

The search-filter sAMAccountName= makes the SRX look the VPN user up by Windows logon name under the base DN. Note that this profile talks plain LDAP (no TLS is configured), so the admin-search bind password and every VPN user's password cross the network in cleartext; use a dedicated read-only bind account for admin-search rather than the domain Administrator shown above, and only reach the LDAP server over a trusted network.

Setup NPS on Windows 2008 Server (Radius to Active Directory)

If you are running Windows Server 2008, you can use NPS (which replaces IAS).

First, add the required role on the server that will act as RADIUS server. This does not need to be a DC, but it must be a member of the domain so that it can be registered in Active Directory and evaluate AD group membership.

  • Open Server Manager and add a role
2008_add_role.png
  • Select Network Policy and Access Services and click '''NEXT'''
Network_policy_access_services.png
  • Click '''NEXT''' again
  • Select Network Policy Server (NPS) and click next
Network_policy_server.png
  • Click '''Install'''. Click '''Close''' when the installation has completed.
  • Open a MMC and add the NPS snap-in (Local Computer)
NPS_snap_in.png
  • Now the NPS service needs to be activated in Active Directory. Right click the NPS tree root on the left pane, and choose “Register server in Active Directory”.
Nps_active_directory.png
  • Click OK
Nps_active_directory_confirm.png
  • Click OK again
  • Next, change the Radius port to 1812 only. Right-click on NPS (Local) and choose properties
nps_edit_radius.png
  • Go to the Ports tab and set Authentication to port '''1812''' only, and Accounting to port '''1813''' only.
  • Click '''OK''' to save. Use the Action menu to stop and start the NPS service.
  • Open Radius Clients under NPS (Local) – RADIUS Clients and Servers, right-click and choose ‘New Radius Client’
Nps_new_radius_client.png
  • Fill out the name and the IP address of the Juniper firewall, and set the Shared Secret (a long random value: it is the only thing protecting the PAP passwords in transit). Leave the Vendor name as RADIUS Standard.
Nps_radius_settings.png
  • Open “Network Policies” under “Policies” and remove the 2 default policies called “Connections to Microsoft Routing and Remote Access server” and “Connections to other access servers” (or just make sure they are disabled)
  • Then, add a new policy
Nps_network_policies.png
  • Set a name and leave the type of network access server to Unspecified
Nps_policy_name.png
  • Click '''Next'''
  • Under “Specify Conditions”, click “Add” and select “Windows Groups”. Click “Add” again
Nps_policy_specify_conditions.png
  • Click “Add Groups” and add the AD Group that contains the VPN users (Juniper.VPN.Users in my case)
Nps_add_groups.png
  • Click OK
  • Click Next
  • Set Access Permission to “Access granted” and click Next
Nps_specifiy_access.png
  • Authentication methods: deselect everything except “Unencrypted authentication (PAP, SPAP)”. The SRX passes the XAuth password to RADIUS with PAP, so NPS must accept PAP; PAP hides the password only with the RADIUS shared secret, so keep that secret strong and the RADIUS client entry limited to the SRX address.
Nps_auth_methods.png
  • Click Next. Click “No” when asked to see the corresponding Help Topic
  • Constraints : do not set constraints (unless you know what you are doing). Just Click next
  • Configure Settings : Under “Standard”, remove the Framed-Protocol and Service-Type Attributes
Nps_std_radius_attributes.png
  • Go to Vendor Specific and click Add
Nps_vendor_radius_attributes.png
  • Set Vendor to All and select “Vendor-Specific” from the list. Click Add
Nps_vendor_specific.png
  • Click Add again
  • Set Vendor Code to 3224 and select “Yes. It conforms.”
Nps_vendor_code.png
  • Click “Configure Attribute”
  • Set attribute number to 3, set format to String, and set Value to Juniper.VPN.Users (or whatever you named the group in AD, spelled exactly as the SRX expects it)
Nps_vsa.png
  • Click OK
  • Click OK again
  • Verify that the new attribute is in the list and click OK again
Nps_vsa_verify.png
  • Click Close
Nps_vsa_close.png
  • Click Next. Review the configuration settings
Nps_vsa_review.png
  • Click Finish
  • In practice NPS does not apply the new policy until the service is restarted. On the NPS tree root, right-click and select “Stop NPS Service”; it takes a few moments to actually stop, so wait 10-15 seconds, then right-click NPS again and choose “Start NPS Service”.
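Before pointing the SRX at NPS it is worth proving the policy end to end from a test host. The script below is an added example, not part of the original page and not Juniper or Microsoft code: a minimal RADIUS client written against RFC 2865 with only the Python standard library. It sends a PAP Access-Request of the kind the SRX sends for XAuth (User-Name, User-Password hidden per RFC 2865 section 5.2, NAS-IP-Address), verifies the Response Authenticator on the reply with the shared secret so a forged or tampered Access-Accept is rejected, and extracts the group string carried as vendor 3224 / attribute 3, the VSA configured above. Server address, secret, user, password and NAS IP are command-line arguments; the vendor code and attribute number are the ones from this page, everything else is the example's own naming. NPS silently drops requests from addresses that are not registered RADIUS clients, so run it from the SRX's address or add the test host as a temporary RADIUS client first.

```python
#!/usr/bin/env python3
"""Minimal RADIUS/PAP check for an NPS policy (added example, stdlib only).

Builds an Access-Request the way a NAS such as the SRX does for XAuth, verifies
the Response Authenticator on the reply, and extracts the vendor 3224/attr 3 group.
"""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
NETSCREEN_VENDOR_ID = 3224   # vendor code set in the NPS policy on this page
NS_USER_GROUP = 3            # vendor attribute number set in the NPS policy


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(typ: int, value: bytes) -> bytes:
    return struct.pack("!BB", typ, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: vendor id, then vendor type, vendor length, data."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)


def build_access_request(username, password, secret, nas_ip, ident, authenticator):
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def response_authenticator(packet, request_authenticator, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def verify_response(packet, request_authenticator, secret):
    """Parse a reply; fail unless its authenticator proves a holder of the secret built it."""
    code, ident, auth, attrs = parse_packet(packet)
    if auth != response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged/tampered reply")
    return code, ident, attrs


def user_groups(attrs):
    """Group names carried as vendor 3224 / type 3 VSAs (the attribute configured in NPS)."""
    groups = []
    for typ, value in attrs:
        if typ != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor_id == NETSCREEN_VENDOR_ID and vtype == NS_USER_GROUP:
            groups.append(value[6:4 + vlen].decode("utf-8", "replace"))
    return groups


def build_access_accept(request, secret, attrs=b""):
    """Forge the reply NPS would send (offline testing only; not part of the client)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(header + bytes(16) + attrs, req_auth, secret) + attrs


def radius_pap_check(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request to NPS; return (accepted, group names)."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(username, password, secret, nas_ip, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)  # a timeout here usually means NPS dropped an unknown client
    code, reply_id, attrs = verify_response(reply, authenticator, secret)
    if reply_id != ident:
        raise ValueError("reply identifier does not match request")
    return code == ACCESS_ACCEPT, user_groups(attrs)


if __name__ == "__main__":
    nps, secret, user, pw, nas = sys.argv[1:6]
    ok, groups = radius_pap_check(nps, secret.encode(), user, pw, nas)
    print("Access-Accept" if ok else "Access-Reject", groups)
```

Run it as `python3 radius_pap_check.py <nps_ip> <shared_secret> <ad_user> <password> <srx_untrust_ip>`; an accept that lists Juniper.VPN.Users means the group condition, the PAP setting and the VSA are all in place. The reveal_password function exists to make the earlier caveat concrete: the PAP hiding is an MD5 keystream derived from the shared secret, so anyone who holds the secret and can capture the UDP exchange recovers the user's password, which is why the secret must be strong and the RADIUS client list restricted to the SRX.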

Configure SRX to allow Radius Authentication for VPN Users

  • Setup Remote Access Profile for Radius
set access profile remote_access_radius authentication-order radius
set access profile remote_access_radius address-assignment pool dyn-vpn-address-pool
set access profile remote_access_radius radius-server '''<radius_server_ip>''' port 1812
set access profile remote_access_radius radius-server '''<radius_server_ip>''' secret "<radius_secret>"
set access profile remote_access_radius radius-server '''<radius_server_ip>''' retry 3
set access profile remote_access_radius radius-server '''<radius_server_ip>''' source-address '''<untrust_ip_srx>'''

set access address-assignment pool dyn-vpn-address-pool family inet network 10.100.200.0/28
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
  • Configure Phase 1 authentication for Radius
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_radius
  • Configure Dynamic VPN for Radius profile
set security dynamic-vpn access-profile remote_access_radius
  • Configure Firewall Authentication for Radius profile
set access firewall-authentication web-authentication default-profile remote_access_radius

NOTE: You must also add the AD users to the dynamic-vpn clients list on the SRX; without this the user passes RADIUS or LDAP authentication but cannot complete the dynamic VPN login.

set security dynamic-vpn clients wizard-dyn-group user <AD user name>