New to Juniper - How do I configure remote vpn authenticating off an IAS Server?



  • Hello.

    I am migrating from Cisco PIX Firewalls to SSG-140’s and my show-stopper right now is the client VPN connection. The PIX was pretty easy to set up. All I had to set up was a shared vpngroup and a RADIUS server and I was set. Since I’m new to Juniper, there has been a bit of a learning curve.

    I was wondering if someone could point me in the right direction. I did some searches here and I got a few hits but nothing like a how-to.

    I’m running version 6.1.0r6.0 (Firewall+VPN) and I have followed the following document (with success):

    http://kb.juniper.net/KB4772

    The only problem with the following document is that it authenticates users locally on the box. I wanted them to be authenticated off the Active Directory using Microsoft IAS like I do with the PIX. I am having a hard time finding documentation that can walk me through that sort of setup.

    Any help would be appreciated.

    Thanks,

    Joey


  • Engineer

    For the SRX products you might find this useful:

    https://www.juniper.net/customers/support/configtools/vpnconfig.html

    a login is required, but you can get one through the official Juniper forums - http://forums.juniper.net



  • Similar intro… new to Juniper, coming from SonicWall (which had a very easy VPN setup with minimal effort to get going). I’m in the same boat now with 3 new SRX210’s. Thanks for the link. Hopefully I can get it working also. I’ll update my own post afterwards.

    AC



  • I just figured it out last night. Just so that other people know:

    If you have a managed IP address, use that address (the managed IP address and not the interface address) when configuring the RADIUS client on the IAS server.

    By chance, I changed the address used in the IAS config from the interface address to the management address and it started working. Then I noticed that a 3rd party doc (the one I posted earlier) had a mention of it. I might have overlooked it when I read it through the first time.

    So basically, if you follow the docs and make sure that you use the managed IP address when configuring IAS then everything should be good to go. Now, I have to play with the remote access policies to see how that all works. I didn’t have to fiddle with that with my Cisco configuration.

    If anyone needs it, I would be glad to put up some screenshots of how I configured it all, otherwise that link I posted is probably perfect. I hate coming across posts with people saying “I did it!” yet not informing the next guy how exactly he got it done. Like I said, I got it working last night and I was pretty excited. LOL

    Another thing I would like to see is the difference between policy based vpn and route based vpn. I have read the differences in the manual, but I’m not getting it. I usually don’t until I see how it behaves. From what I read, route based seems better.

    Joey
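    The point in the post above, written out as an added ScreenOS configuration example (not from the thread, the KB article or Juniper): the firewall sources its RADIUS requests from the manage-ip, so the RADIUS client entry on the IAS side must carry that address, otherwise IAS silently discards the request as coming from an unknown client. All addresses, the server name "IAS", the interface and the secret placeholder are assumptions.

    ```screenos
    # Assumed addressing: trust interface 10.0.0.1, manage-ip 10.0.0.2, IAS server 10.0.0.10
    set interface ethernet0/0 ip 10.0.0.1/24
    set interface ethernet0/0 manage-ip 10.0.0.2

    # External RADIUS auth server pointing at IAS, used for XAuth
    set auth-server "IAS" id 1
    set auth-server "IAS" server-name "10.0.0.10"
    set auth-server "IAS" account-type xauth
    set auth-server "IAS" type radius
    set auth-server "IAS" radius secret "REPLACE_WITH_SHARED_SECRET"
    # Requests leave via this interface, and therefore from its manage-ip (10.0.0.2),
    # so 10.0.0.2 is the address to register as the RADIUS client in IAS
    set auth-server "IAS" src-interface "ethernet0/0"

    # Make remote (RADIUS) XAuth the default instead of local XAuth
    set xauth default auth server "IAS"
    ```

    On the IAS side, a RADIUS client entry whose address is the interface IP (10.0.0.1 here) will never match, which shows up as requests being dropped rather than rejected.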



  • Works for me, post your config so we can have a look…



  • Posting to my thread again. Okay, that above article just didn’t work for me. I’m not sure what I’m doing wrong. It’s been a frustrating experience so far. Maybe this is why it seems most people just do local Xauth instead of remote Xauth?

    Joey



  • Hate to reply to my own post, but I just found something of interest. I haven’t read it fully yet, but so far it looks interesting.

    Here’s the link:

    http://www.corelan.be:8800/index.php/2009/01/22/juniper-netscreen-remote-dial-up-vpn-with-ad-radius-authentication-and-route-based-vpn-tunnel-interface/

    Hopefully it’s of use to someone.

    Joey

