External User Authentication (CLI Procedure)

Overview

This configuration is more secure because remote users authenticate with the same username and password as their domain login, and can change or recover their credentials without involving the firewall administrator. It also reduces the administrator's workload: passwords must be changed frequently, and with external authentication those changes happen on the authentication server rather than on the firewall. We recommend this configuration for authenticating users.

We assume that you have completed the basic setup of your SRX Series Firewall, including interfaces, zones, and security policies, as illustrated in Figure 1.

Figure 1: Topology

For information about prerequisites, see System Requirements for Juniper Secure Connect.

You must ensure that the SRX Series Firewall uses either a CA-signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, bind the certificate to the SRX Series Firewall by executing the following command:

For example:

Here SRX_Certificate is the local certificate identifier of the certificate obtained from a CA or generated as a self-signed certificate.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewalls, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step-Procedure

To configure VPN settings using the command line interface:

  1. Log in to your SRX Series Firewall using the command line interface (CLI).
  2. Enter the configuration mode.
  3. Configure remote access VPN.

    For deploying Juniper Secure Connect, you must create a self-signed certificate and bind the certificate to the SRX Series Firewall. For more information, see Get Started with Juniper Secure Connect.

    IKE Configuration:

    1. Configure IKE proposal.
      • Define IKE proposal authentication method, Diffie-Hellman group, and authentication algorithm.
      • Configure pre-shared-keys as the authentication method. Enter the pre-shared key in ASCII format; hexadecimal format is not supported for remote access VPN.
    2. Configure IKE policy.

      Set the IKE Phase 1 policy mode, reference to the IKE proposal, and IKE Phase 1 policy authentication method.

    3. Configure IKE gateway options. See dynamic.

      If you do not configure the DPD values and the IKE version, Junos OS assigns the default values for these options. See dead-peer-detection.

      Configure the external interface IP address that the clients connect to. You must enter this same IP address (in this example, 192.0.2.0) in the Gateway Address field of the Juniper Secure Connect application. See gateway.

    IPsec Configuration:

    1. Configure IPsec proposal.
    2. Configure IPsec policy.
      • Specify Diffie-Hellman group 19 for IPsec Phase 2 perfect forward secrecy (PFS).
      • Specify IPsec Phase 2 proposal reference.

    IPsec VPN Configuration:

    1. Configure IPsec VPN parameters. See vpn (Security).
    2. Configure VPN traffic selectors. See traffic-selector.
  4. Configure the remote user client options.
    1. Configure remote access profile. See remote-access.
    2. Configure multi device user access for remote access.

      To configure multi device user access, ensure that the following prerequisites are met:

      • The Juniper Secure Connect client version in use supports the feature.

      • Each remote device (computer or smart device) has a unique hostname.

      • To reduce license consumption, configure an idle timeout with the set security ipsec vpn vpn-name ike idle-time command so that inactive connections are disconnected.

      • The IKE gateway uses group-ike-id; this feature supports only group-ike-id.

      You can clear all the IKE associations of a user using the command clear security ike active-peer aaa-username user-name.

      The multi device user access feature does not work with static IP address assignment through the RADIUS attribute Framed-IP-Address: the user's first connection succeeds, but subsequent connections may fail.

      The same limitation applies to a static address bound to the user in the local pool with the set access address-assignment pool family [inet|inet6] host ip-address user-name statement. The authd process assigns the configured static address on the user's first connection; for subsequent connections, the authd process selects a free IP address from the pool instead.

    3. Configure remote access client configuration. See client-config.

    Table 1 summarizes the remote user settings options.

    Table 1: Remote User Settings Options

    Remote User Settings

    Description

    connection-mode

    Sets whether the client establishes the connection manually or automatically.

    • If you configure the manual option, then to establish a connection in the Juniper Secure Connect application you must either click the toggle button or select Connection > Connect from the menu.

    • If you configure the always option, Juniper Secure Connect establishes the connection automatically.

    Known Limitation:

    Android devices: If you select always, the configuration is downloaded from the first SRX Series Firewall you connect to. If that firewall's configuration changes later, or if you connect to a different SRX Series Firewall, the new configuration is not downloaded to the Juniper Secure Connect application.

    This means that once you connect in always mode from an Android device, later configuration changes on the SRX Series Firewall do not take effect in Juniper Secure Connect.

    dead-peer-detection

    Dead Peer Detection (DPD) is enabled by default so that the client can detect whether the SRX Series Firewall is reachable; if it is not, the client disables the connection until reachability is restored.

    default-profile

    If you configure a VPN connection profile as the default-profile, you need to enter only the gateway address in the Juniper Secure Connect application. Entering the realm name is optional, because the application automatically uses the default profile as the realm name. In this example, enter ra.example.com in the Gateway Address field of the Juniper Secure Connect application.

    Note:

    Starting in Junos OS Release 23.1R1, we’ve hidden the default-profile option at the [edit security remote-access] hierarchy level. In releases before Junos OS Release 23.1R1, you use this option to specify one of the remote-access profiles as the default profile in Juniper Secure Connect. But with changes to the format of remote-access profile names, we no longer require the default-profile option.

    We’ve deprecated the default-profile option, rather than removing it immediately, to provide backward compatibility and a chance to bring your existing configuration into line with the changed configuration format. You’ll receive a warning message if you continue to use the default-profile option in your configuration. However, existing deployments are not affected if you modify the current configuration. See default-profile (Juniper Secure Connect).

  5. Configure the local gateway.
    1. Create address pool for client dynamic-IP assignment. See address-assignment (Access).
      • Enter the network address that you use for the address assignment.

      • Enter your DNS server address. Enter WINS server details, if required. Create the address range to assign IP addresses to the clients.

      • Enter the name, and the lower and higher limits.

    2. Create access profile.

      For external user authentication, provide the RADIUS server IP address, the RADIUS shared secret, and the source address from which the SRX Series Firewall sends RADIUS traffic. Configure radius as the authentication order.

    3. Create the SSL termination profile. SSL termination is the process in which the SRX Series Firewall acts as an SSL proxy server and terminates the SSL session from the client. Enter a name for the SSL termination profile and select the server certificate to use for SSL termination on the SRX Series Firewall. The server certificate is referenced by its local certificate identifier; server certificates authenticate the identity of the server to the client.
    4. Create SSL VPN profile. See tcp-encap.
    5. Create firewall policies.
      Create the security policy to permit traffic from the trust zone to the VPN zone.
      Create the security policy to permit traffic from the VPN zone to the trust zone.
  6. Configure interface information.

    Configure the st0 (secure tunnel) interface with family inet; the IPsec VPN is bound to this interface.

  7. Configure security zones.
  8. The remote access configuration, with the remote user settings and the local gateway, is now complete.
  9. Launch the Juniper Secure Connect application and, in the Gateway Address field, enter the same IP address that you configured as the external interface IP address.

    In this example, you’ve configured 192.0.2.0 as the external interface IP address that the clients connect to. You must enter this same IP address (192.0.2.0) in the Gateway Address field of the Juniper Secure Connect application.

Result

From operational mode, confirm your configuration by entering the show security, show access, and show services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Make sure that you already have a server certificate to attach with the SSL termination profile.

When you are done configuring the feature on your device, enter commit from configuration mode.
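Operational checks to run after the commit, as an added example that is not part of the page; the object names radius-profile and SRX_Certificate, and the username alice, are illustrative.

```junos
# Added example: verify the deployment from operational mode.

# The certificate bound to HTTPS and referenced by the SSL termination profile
# exists and is within its validity period
show security pki local-certificate certificate-id SRX_Certificate detail

# The committed configuration for the hierarchies the Result section names
show configuration security remote-access
show configuration access profile radius-profile
show configuration services ssl termination

# After a client has connected: the Phase 1 SA should show state UP and the
# Phase 2 SA should be listed for the tunnel bound to st0.0
show security ike security-associations
show security ipsec security-associations

# Which RADIUS-authenticated users are connected, from which peer address,
# and which pool address each device was assigned (one row per device when
# multi device user access is in use)
show security ike active-peer

# Tear down every session belonging to one user, for example after the
# account has been disabled on the RADIUS server
clear security ike active-peer aaa-username alice
```

If a client cannot connect, check the active-peer and security-association output first: no Phase 1 SA at all points at the gateway address, host-inbound-traffic or pre-shared key, while a Phase 1 SA without an authenticated peer points at the RADIUS exchange (server address, shared secret or source address in the access profile).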