Authentication in Juniper Secure Connect
Read this topic to understand the different user authentication methods in Juniper Secure Connect.
Users establishing secure connectivity with Juniper Secure Connect can authenticate in two ways: local or external authentication. Both methods come with certain restrictions, as described below.
Local Authentication—In local authentication, the SRX Series Firewall validates the user credentials by checking them against its local database. In this method, the administrator handles password changes and the resetting of forgotten passwords, and the user must then remember the new password. From a security standpoint, this option is the least preferred.
External Authentication—In external authentication, you can allow users to use the same credentials that they use when accessing other resources on the network. In many cases, these are the domain logon credentials used for Active Directory or another Lightweight Directory Access Protocol (LDAP) authentication system. This method simplifies the user experience and improves the organization’s security posture, because the authorization system is maintained under the regular security policy your organization already uses.
Multi Factor Authentication—To add an extra layer of protection, you can also enable Multi Factor Authentication (MFA). In this method, a RADIUS proxy sends a notification message to a device such as the user’s smartphone. The user must accept the notification message to complete the connection. See KB Article 73468.
LDAP Authentication using Juniper Secure Connect—Starting with Junos OS Release 23.1R1, we’ve introduced group-based controlled LDAP authorization. You can use the Lightweight Directory Access Protocol (LDAP) to define one or more LDAP groups. Use the `allowed-groups` statement at the `[edit access ldap-options]` hierarchy level to specify the list of groups that LDAP authenticates. A user can belong to multiple LDAP groups. You can map each group to an address pool; based on the LDAP group membership, the system assigns an IP address to the user.
SAML-based Authentication—SAML is an XML-based framework in which two parties, the identity provider (IdP) and the service provider, exchange identity information about the remote user. SAML enables Single Sign-On (SSO), allowing users to log in once and then seamlessly access multiple applications without having to reenter their credentials each time.
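The following is an added example, not Juniper code and not Junos configuration syntax: it models the group-based LDAP authorization decision described above (an ordered allowed-groups list, a user who belongs to several groups, a group-to-pool mapping, and address assignment from the matched pool) using constructed directory data and constructed pool names. One rule is an assumption of this example rather than something the text states: when a user is in more than one allowed group, the first allowed group in configured order wins. The example also handles the failure case the text does not mention, an exhausted address pool.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class AddressPool:
    """Address pool with a trivial first-free allocator (constructed for the example)."""
    name: str
    network: IPv4Network
    leased: set = field(default_factory=set)

    def allocate(self) -> Optional[IPv4Address]:
        for host in self.network.hosts():
            if host not in self.leased:
                self.leased.add(host)
                return host
        return None  # pool exhausted


@dataclass
class GroupAuthzConfig:
    """Allowed groups in configured order, each mapped to a pool name.

    ASSUMPTION of this example: the first allowed group in configured
    order wins when a user belongs to several of them.
    """
    allowed_groups: list  # list of (group DN, pool name)
    pools: dict           # pool name -> AddressPool


@dataclass
class AuthzResult:
    allowed: bool
    reason: str
    group: Optional[str] = None
    pool: Optional[str] = None
    address: Optional[IPv4Address] = None


def normalize_dn(dn: str) -> str:
    """LDAP DNs match case-insensitively; also strip spaces around RDN separators.

    Without this, a group configured as 'cn=...' would silently fail to match
    a directory that returns 'CN=...', locking out every member of that group.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def authorize(memberships: list, config: GroupAuthzConfig) -> AuthzResult:
    """Decide access for an already-authenticated user and assign an address.

    `memberships` is the list of group DNs the LDAP server returned for the
    user (for example, the values of a memberOf attribute).
    """
    member_of = {normalize_dn(g) for g in memberships}
    for group_dn, pool_name in config.allowed_groups:
        if normalize_dn(group_dn) in member_of:
            address = config.pools[pool_name].allocate()
            if address is None:
                # Group matched but no address is free: the session cannot be built.
                return AuthzResult(False, f"pool {pool_name} exhausted", group_dn, pool_name)
            return AuthzResult(True, "group match", group_dn, pool_name, address)
    return AuthzResult(False, "user is in no allowed group")


# Constructed directory data: what the LDAP server returns as group membership.
DIRECTORY = {
    "alice": ["CN=vpn-engineering,OU=groups,DC=example,DC=com",
              "CN=vpn-finance,OU=groups,DC=example,DC=com"],
    "bob":   ["cn=vpn-finance,ou=groups,dc=example,dc=com"],
    "carol": ["cn=staff,ou=groups,dc=example,dc=com"],
}


def build_config() -> GroupAuthzConfig:
    """Constructed configuration: two allowed groups, each with its own pool."""
    return GroupAuthzConfig(
        allowed_groups=[
            ("cn=vpn-engineering,ou=groups,dc=example,dc=com", "eng-pool"),
            ("cn=vpn-finance,ou=groups,dc=example,dc=com", "fin-pool"),
        ],
        pools={
            "eng-pool": AddressPool("eng-pool", IPv4Network("10.10.1.0/24")),
            "fin-pool": AddressPool("fin-pool", IPv4Network("10.10.2.0/30")),  # only two hosts
        },
    )


def authorize_user(username: str, config: GroupAuthzConfig) -> AuthzResult:
    memberships = DIRECTORY.get(username)
    if memberships is None:
        return AuthzResult(False, "unknown user")
    return authorize(memberships, config)


if __name__ == "__main__":
    cfg = build_config()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, authorize_user(user, cfg))
```

Running the block shows alice (a member of both groups) landing in the engineering pool because that group is listed first, bob in the finance pool, and carol refused because none of her groups is allowed. Whatever precedence rule the real gateway applies, the point to verify in your own deployment is that the order of configured groups produces the pool you expect for multi-group users.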
Table 1 compares different authentication methods in Juniper Secure Connect.
Authentication Methods | Credentials (Username and Password) | End-User Certificate | Local Authentication | External Authentication RADIUS | External Authentication LDAP | External Authentication IdP |
---|---|---|---|---|---|---|
IKEv1 - pre-shared-key | Yes | No | Yes | Yes | Yes | No |
IKEv2-EAP-MSCHAPv2 | Yes | No | No | Yes | No | No |
IKEv2-EAP-TLS | No | Yes | No | Yes | No | No |
SAML-based Authentication (Proprietary IKEv2-EAP implementation) | Username only | No | No | No | No | Yes |
Regardless of the authentication method employed, the username and password are still used for external user authentication against the RADIUS server to download the initial configuration, even when EAP-TLS authentication is implemented.
See the following topics to configure user authentication for Juniper Secure Connect.
- CLI Procedures
- J-Web Procedures