Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Certificate-Based Validation Using EAP-TLS Authentication (CLI Procedure)

Overview

In this configuration, you use the EAP-TLS authentication method to validate the user certificates. You continue to use the username and password for external user authentication using the RADIUS server to download the initial configuration from the SRX Series Firewall.

We assume that you have completed the basic setup of your SRX Series Firewalls, including interfaces, zones, and security policies as illustrated in the Figure 1.

Figure 1: Topology Topology

For information about prerequisites, see System Requirements for Juniper Secure Connect.

Ensure that you have a Public Key Infrastructure (PKI) configured as the backend authentication. In this case, you need to install the root certificate of the CA on each client as well as a user specific certificate on each client device. Note that local authentication is not supported in this scenario.

You must ensure that the SRX Series Firewall uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, you must bind the certificate to the SRX Series Firewall by executing the following command:

For example:

Where SRX_Certificate is the self-signed certificate.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewalls, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step-Procedure

To configure VPN settings using the command line interface:

  1. Log in to your SRX Series Firewall using the command line interface (CLI).
  2. Enter the configuration mode.
  3. Configure remote access VPN.

    For deploying Juniper Secure Connect, you must create a self-signed certificate and bind the certificate to the SRX Series Firewall. For more information, see Get Started with Juniper Secure Connect.

    IKE Configuration:

    1. Configure IKE proposal.

      Configure rsa-signatures as authentication method to configure certificate-based authentication.

      Enable this option for the authentication process. IKEv2 requires EAP for user authentication. SRX Series Firewall cannot act as an EAP server. An external RADIUS server must be used for IKEv2 EAP to do the EAP authentication. SRX will act as a pass-through authenticator relaying EAP messages between the Juniper Secure Connect client and the RADIUS server.

      EAP-TLS is enabled by default when you select the certificate-based authentication method.

      Define IKE proposal authentication method, Diffie-Hellman group, and authentication algorithm.
    2. Configure IKE policy.

      Set the IKE Phase 1 policy mode, reference to the IKE proposal, and IKE Phase 1 policy authentication method.

      To load a local certificate, specify a particular local certificate using the set security ike policy policy-name certificate local-certificate certificate-id command when the local device has multiple loaded certificates. You can select one of the already externally signed local certificates. In this example, SRX_Certificate is the existing local certificate that is loaded for JUNIPER_SECURE_CONNECT policy.
      If you don't have an existing local certificate, you can create one by following these steps:
      After creating a local certificate, you can attach the certificate to an IKE policy using the set security ike policy policy-name certificate local-certificate certificate-id command.
    3. Configure IKE gateway options. See dynamic.

      If you do not configure the DPD values and the version information, the Junos OS assigns the default value for these options. See dead-peer-detection.

      Configure external interface IP address for the clients to connect. You must enter this same IP address (in this example: https://192.0.2.0) for the Gateway Address field in the Juniper Secure Connect application. See gateway.

    IPsec Configuration:

    1. Configure IPsec proposal.
      Specify the IPsec phase 2 proposal protocol, encryption algorithm, and other phase 2 options.
    2. Configure IPsec policy.
      • Specify IPsec phase 2 PFS to use Diffie-Hellman group 19.
      • Specify IPsec Phase 2 proposal reference.

    IPsec VPN Configuration:

    1. Configure IPsec VPN parameters. See vpn (Security).
    2. Configure VPN traffic selectors. See traffic-selector.
  4. Configure the remote user client options.
    1. Configure remote access profile. See remote-access.
    2. Configure remote access client configuration. See client-config.

    Table 1 summarizes the remote user settings options.

    Table 1: Remote User Settings Options

    Remote User Settings

    Description

    connection-mode

    To establish the client connection manually or automatically, configure the appropriate option.

    • If you configure manual option, then in the Juniper Secure Connect application, to establish a connection, you must either click the toggle button or select Connection > Connect from the menu.

    • If you configure Always option, then Juniper Secure Connect automatically establishes the connection.

    Known Limitation:

    Android device: If you use or select Always, then the configuration is downloaded from the first used SRX device. If the first SRX Series Firewall configuration changes or if you connect to a new SRX device, the configuration does not get downloaded to the Juniper Secure Connect application.

    This means that once you connect in the Always mode using the Android device, any configuration changes in the SRX Series Firewall do not take effect on Juniper Secure Connect.

    dead-peer-detection

    Dead Peer Detection (DPD) is enabled by default to allow the client to detect if the SRX Series Firewall is reachable and if the device is not reachable, disable the connection till reachability is restored.

    default -profile

    If you configure a VPN connection profile as a default-profile, then you must enter only the gateway address in the Juniper Secure Connect application. It is optional to enter the realm name in Juniper Secure Connect application, as the application automatically selects default profile as realm name. In this example, enter ra.example.com in the Gateway Address field of the Juniper Secure Connect application.

    Note:

    Starting in Junos OS Release 23.1R1, we’ve hidden the default-profile option at the [edit security remote-access] hierarchy level. In releases before Junos OS Release 23.1R1, you use this option to specify one of the remote-access profiles as the default profile in Juniper Secure Connect. But with changes to the format of remote-access profile names, we no longer require the default-profile option.

    We’ve deprecated default-profile option—rather than immediately removing it—to provide backward compatibility and a chance to make your existing configuration conform to the changed configuration. You’ll receive a warning message if you continue to use the default-profile option in your configuration. However existing deployments are not affected if you modify the current configuration. See default-profile (Juniper Secure Connect).

  5. Configure the local gateway.
    1. Create address pool for client dynamic-IP assignment. See address-assignment (Access).
      • Enter the network address that you use for the address assignment.

      • Enter your DNS server address. Enter WINS server details, if required. Create the address range to assign IP addresses to the clients.

      • Enter the name, and the lower and higher limits.

    2. Create access profile.

      For external user authentication, provide Radius Server IP Address, the Radius Secret, and Source Address for the radius communications to be sourced from. Configure radius for the authentication order.

    3. Configure public key infrastructure (PKI) attributes. See pki.
    4. Create SSL termination profile. SSL termination is a process where the SRX Series Firewalls acts as an SSL proxy server, and terminates the SSL session from the client. Enter the name for the SSL termination profile and select the server certificate that you use for the SSL termination on the SRX Series Firewalls. The server certificate is a local certificate identifier. Server certificates are used to authenticate the identity of a server.
    5. Create SSL VPN profile. See tcp-encap
    6. Create firewall policies.
      Create the security policy to permit traffic from the trust zone to the VPN zone.
      Create the security policy to permit traffic from the VPN zone to the trust zone.
  6. Configure Ethernet interface information.

    Configure st0 interface with the family set as inet.

  7. Configure security zones.
  8. Remote access configuration with remote user and local gateway is configured successfully.
  9. Launch the Juniper Secure Connect application and provide the same IP address that you configured for external IP address in the Gateway Address field in the Juniper Secure Connect application.

    In this example, you’ve configured https://192.0.2.0/ as the external interface IP address for the clients to connect. You must enter this same IP address (https://192.0.2.0/) for the Gateway Address field in the Juniper Secure Connect application.

Result

From operational mode, confirm your configuration by entering the show security, show access, and show security pki commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

When you are done configuring the feature on your device, enter commit from configuration mode.