
Example: Configuring LDAP Authentication for Juniper Secure Connect (CLI Procedure)

Overview

LDAP is one of the authentication options for Juniper Secure Connect users. When you use it, you can define one or more LDAP groups and assign each group its own local IP pool, so that the address a user receives depends on group membership. If you don't specify a local IP pool for a group, Junos OS assigns an IP address from the local IP pool configured in the access profile.

To configure user groups, include the allowed-groups statement at the [edit access ldap-options] hierarchy level. The group names you configure must match the group names in your LDAP directory; a user is accepted only if a group returned by the LDAP server matches one of the configured groups.

Consider three LDAP groups, group1, group2, and group3, assigned to address pools as follows: group1 to Juniper_Secure_Connect_Addr-Pool, group2 to poolB, and group3 to poolC.

  1. User1 belongs to group1. Because group1 is one of the configured groups, User1 is authenticated and receives an IP address from the pool assigned to group1, Juniper_Secure_Connect_Addr-Pool.

  2. User2 belongs to group2. Because group2 is one of the configured groups, User2 is authenticated and receives an IP address from the pool assigned to group2, poolB.

  3. User3 belongs to group3. Because group3 is one of the configured groups, User3 is authenticated and receives an IP address from the pool assigned to group3, poolC.

  4. User4 does not belong to any of the configured groups, so User4 is rejected.

Table 1 describes the outcome for each user, based on the groups the LDAP server returns, when ldap-options is configured both at the global access level and within the access profile. The profile configuration takes priority over the global configuration.

Table 1: LDAP access groups at global level and within access profile

Username | Configured matched group | LDAP server returned groups | Address pool                     | Action
User1    | group1                   | group1, group2, group3      | Juniper_Secure_Connect_Addr-Pool | Accept (matches a configured group)
User2    | group2                   | group1, group2, group3      | poolB                            | Accept (matches a configured group)
User3    | group3                   | group1, group2, group3      | poolC                            | Accept (matches a configured group)
User4    | group4                   | groupX, groupY, groupZ      | poolD                            | Reject (no match with the configured groups)
Note:

This example uses LDAP as the authentication option where the user belongs to a single group.

Requirements

This example uses the following hardware and software components:

  • Any SRX Series Firewall

  • Junos OS Release 23.1R1

Before you begin:

For information about prerequisites, see System Requirements for Juniper Secure Connect.

You must ensure that the SRX Series Firewall uses either a CA-signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, bind the certificate to the SRX Series Firewall by executing the following command:

For example:

Where SRX_Certificate is the certificate obtained from the CA, or the self-signed certificate.

Topology

Figure 1 shows the topology used in this example.

Figure 1: Configuring LDAP authentication for Juniper Secure Connect

Configuration

In this example, we use LDAP as the authentication option where the user belongs to a single group.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

  1. Configure one or more Internet Key Exchange (IKE) proposals, then associate these proposals with an IKE policy. Configure the IKE gateway options.
  2. Configure one or more IPsec proposals, then associate these proposals with an IPsec policy. Configure the IPsec VPN parameters and traffic selectors.
  3. Configure a remote access profile and client configuration.
  4. Specify the LDAP server and place ldap in the external authentication order.
  5. Create an SSL termination profile. SSL termination is the process in which the SRX Series Firewall acts as an SSL proxy server and terminates the SSL session from the client. Enter a name for the SSL termination profile and select the server certificate to use for SSL termination on the SRX Series Firewall. The server certificate is a local certificate identifier; server certificates authenticate the identity of the server to the client.

    Create SSL VPN profile. See tcp-encap.

  6. Create firewall policies.

    Create the security policy to permit traffic from the trust zone to the VPN zone.

    Create the security policy to permit traffic from the VPN zone to the trust zone.

  7. Configure Ethernet interface information.

    Configure the st0 interface with family inet.

  8. Configure security zones.
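
The following set-format configuration is an added example that walks the eight steps above end to end and realizes the group-to-pool mapping described in the Overview (group1, group2 and group3 to their three pools). It is not the page's own configuration. Interface names, addresses, hostnames, the LDAP DNs, the pool ranges and the object names other than JUNIPER_SECURE_CONNECT, Juniper_Secure_Connect_Addr-Pool, poolB, poolC and SRX_Certificate are placeholders; the allowed-groups ... address-pool form used to map a group to a pool is an assumption and should be confirmed against the ldap-options reference for your release. The lines starting with # are explanatory and must be removed before pasting at the [edit] hierarchy level.

```junos
# Added example configuration (not from the page). Values are placeholders.

# 1. IKE: proposal -> policy -> gateway. IKEv2 only; clients are identified by
#    the shared IKE ID and authenticated through the access profile (LDAP).
set security ike proposal JSC_IKE_PROP authentication-method pre-shared-keys
set security ike proposal JSC_IKE_PROP dh-group group19
set security ike proposal JSC_IKE_PROP authentication-algorithm sha-256
set security ike proposal JSC_IKE_PROP encryption-algorithm aes-256-cbc
set security ike policy JSC_IKE_POL proposals JSC_IKE_PROP
set security ike policy JSC_IKE_POL pre-shared-key ascii-text "REPLACE_WITH_STRONG_PSK"
set security ike gateway JSC_GW ike-policy JSC_IKE_POL
set security ike gateway JSC_GW dynamic hostname jsc.example.com
set security ike gateway JSC_GW dynamic ike-user-type shared-ike-id
set security ike gateway JSC_GW external-interface ge-0/0/0.0
set security ike gateway JSC_GW local-address 192.0.2.1
set security ike gateway JSC_GW aaa access-profile JUNIPER_SECURE_CONNECT
set security ike gateway JSC_GW version v2-only
set security ike gateway JSC_GW tcp-encap-profile SSL_VPN

# 2. IPsec: proposal -> policy -> VPN bound to st0.0, catch-all traffic selector.
set security ipsec proposal JSC_IPSEC_PROP protocol esp
set security ipsec proposal JSC_IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec policy JSC_IPSEC_POL perfect-forward-secrecy keys group19
set security ipsec policy JSC_IPSEC_POL proposals JSC_IPSEC_PROP
set security ipsec vpn JSC_VPN bind-interface st0.0
set security ipsec vpn JSC_VPN ike gateway JSC_GW
set security ipsec vpn JSC_VPN ike ipsec-policy JSC_IPSEC_POL
set security ipsec vpn JSC_VPN traffic-selector ts1 local-ip 0.0.0.0/0
set security ipsec vpn JSC_VPN traffic-selector ts1 remote-ip 0.0.0.0/0

# 3. Remote-access profile (fqdn/realm) and client configuration.
set security remote-access profile jsc.example.com/jsc ipsec-vpn JSC_VPN
set security remote-access profile jsc.example.com/jsc access-profile JUNIPER_SECURE_CONNECT
set security remote-access profile jsc.example.com/jsc client-config JSC_CLIENT
set security remote-access client-config JSC_CLIENT connection-mode manual
set security remote-access client-config JSC_CLIENT dead-peer-detection interval 60
set security remote-access client-config JSC_CLIENT dead-peer-detection threshold 5
set security remote-access default-profile jsc.example.com/jsc

# 4. Access profile: LDAP in the authentication order, a profile-level default
#    pool, and the LDAP server and search options.
set access profile JUNIPER_SECURE_CONNECT authentication-order ldap
set access profile JUNIPER_SECURE_CONNECT address-assignment pool Juniper_Secure_Connect_Addr-Pool
set access profile JUNIPER_SECURE_CONNECT ldap-server 192.0.2.100
set access profile JUNIPER_SECURE_CONNECT ldap-options base-distinguished-name "dc=example,dc=com"
set access profile JUNIPER_SECURE_CONNECT ldap-options search search-filter sAMAccountName=
set access profile JUNIPER_SECURE_CONNECT ldap-options search admin-search distinguished-name "cn=ldap-bind,ou=service,dc=example,dc=com"
set access profile JUNIPER_SECURE_CONNECT ldap-options search admin-search password "REPLACE_WITH_BIND_PASSWORD"
#    Group-to-pool mapping from Table 1 (allowed-groups ... address-pool is an
#    assumed statement form; verify it for your release).
set access profile JUNIPER_SECURE_CONNECT ldap-options allowed-groups group1 address-pool Juniper_Secure_Connect_Addr-Pool
set access profile JUNIPER_SECURE_CONNECT ldap-options allowed-groups group2 address-pool poolB
set access profile JUNIPER_SECURE_CONNECT ldap-options allowed-groups group3 address-pool poolC
set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet network 10.10.1.0/24
set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet range r1 low 10.10.1.10
set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet range r1 high 10.10.1.250
set access address-assignment pool poolB family inet network 10.10.2.0/24
set access address-assignment pool poolB family inet range r1 low 10.10.2.10
set access address-assignment pool poolB family inet range r1 high 10.10.2.250
set access address-assignment pool poolC family inet network 10.10.3.0/24
set access address-assignment pool poolC family inet range r1 low 10.10.3.10
set access address-assignment pool poolC family inet range r1 high 10.10.3.250

# 5. SSL termination profile bound to SRX_Certificate, referenced by the
#    tcp-encap (SSL VPN) profile that the IKE gateway uses.
set services ssl termination profile SSL_TERM server-certificate SRX_Certificate
set system services tcp-encap profile SSL_VPN ssl-profile SSL_TERM

# 6. Security policies between the trust and VPN zones.
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone VPN to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone VPN to-zone trust policy vpn-to-trust match application any
set security policies from-zone VPN to-zone trust policy vpn-to-trust then permit

# 7. Interfaces, including the st0 tunnel interface with family inet.
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/24
set interfaces st0 unit 0 family inet

# 8. Zones. IKE and HTTPS must be allowed inbound on the external interface,
#    and st0.0 is placed in its own VPN zone so the policies above apply.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.0
```

With this configuration a user whose LDAP groups include group2 receives an address from poolB, while a user in none of group1, group2 or group3 is rejected, matching Table 1. Because ldap-options is configured inside the JUNIPER_SECURE_CONNECT profile, it overrides any allowed-groups configured at the global [edit access ldap-options] level. Use a strong, unique pre-shared key and bind password; Junos OS stores them encrypted after commit, but they are typed in clear here. After a client connects, show security ike security-associations and show security ipsec security-associations confirm that the tunnel is up.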

Results

Check the results of the configuration:

Make sure that you already have a server certificate to attach with the SSL termination profile.

Verification

To confirm that the configuration is working properly, enter the following show commands.

Verify IPsec, IKE, and Group Information

Purpose

Show the outcome for each user, based on the LDAP server response, when the JUNIPER_SECURE_CONNECT access profile is used and ldap-options is configured within that profile.

Action

From operational mode, enter these commands:

Meaning

The command output shows which configured group matched for the user.