Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Juniper Secure Connect User Guide Authentication in Juniper Secure Connect

Juniper Secure Connect User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Juniper Secure Connect User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

External User Authentication Using RADIUS

date_range 19-Dec-24
arrow_backward
arrow_forward

This configuration is more secure as it allows you to use the same username and password as your domain login as well as change or recover your credentials without interacting with the firewall administrator. It also adds less workload on the administrator as the password must be changed frequently. We recommend you to use this configuration for authenticating the user.

We assume that you have completed the basic setup of your SRX Series Firewalls, including interfaces, zones, and security policies as illustrated in the Juniper Secure Connect Deployment Setup.

For information about prerequisites, see System Requirements for Juniper Secure Connect.

Note:

You must ensure that the SRX Series Firewall uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, it is important that you read the instructions in Get Started with Juniper Secure Connect.

Configure Juniper Secure Connect VPN Settings

To configure VPN settings using the J-Web interface:

  1. Log in to your SRX Series Firewall using J-Web interface. Figure 1 shows J-Web login page.
    Figure 1: J-Web Access and Login J-Web Access and Login

    After logging in successfully, you land on the Basic Settings page. Figure 2 shows an example of the landing page.

    Figure 2: J-Web Landing Page J-Web Landing Page
  2. In the J-Web side pane, navigate to Network > VPN > IPsec VPN.

    1. After you click IPsec VPN, the IPsec VPN page appears. Figure 3 shows an example of the IPsec VPN page.

      Figure 3: IPsec VPN Page IPsec VPN Page

    2. At the right corner of the page, select Create VPN > Remote Access > Juniper Secure Connect to create the IPsec VPN setting for Juniper Secure Connect.

      The following warning message appears:

      Figure 4: Warning Message To Generate And Bind Self-signed Certificate Warning Message To Generate And Bind Self-signed Certificate

      As mentioned in the warning message, create a self-signed certificate and bind the certificate to the SRX Series Firewall. For more information, see Deploy Certificates for Juniper Secure Connect.

      For detailed information about creating a remote access VPN, see Create a Remote Access VPN—Juniper Secure Connect.

    3. Again navigate to Network > VPN > IPsec VPN and at the right corner of the page, select Create VPN > Remote Access > Juniper Secure Connect to create the IPsec VPN setting for Juniper Secure Connect. The Create Remote Access (Juniper Secure Connect) page appears. Figure 5 shows an example to create remote access VPN.

      Figure 5: Create VPN - Remote Access Create VPN - Remote Access

      Figure 6 shows an example of the create remote access page with pre-shared key authentication method.

      Figure 6: Create Remote Access Page For Pre-shared Key Authentication Method Create Remote Access Page For Pre-shared Key Authentication Method
  3. On the Create Remote Access (Juniper Secure Connect) page (see Figure 7):

    1. Enter the name for the Remote Access Connection (this is, the name that will be displayed on the End Users Realm Name in Juniper Secure Connect application) and a description.

    2. The routing mode is set to Traffic Selector (Auto Route Insertion) by default.

    3. Select the authentication method. For this example, let’s select Pre-shared Key from the drop-down menu.

    4. Select Yes to create the firewall policy automatically using the Auto-create Firewall Policy option.

    Figure 7: Create Remote Access PageCreate Remote Access Page
  4. Click Remote User icon to configure the Juniper Secure Connect application settings.
    Figure 8: Remote User PageRemote User Page

    Figure 8 shows an example of the Remote User page.

    Configure the remote user client by selecting the options on the Remote User page and then clicking OK :

    Table 1 summarizes the remote user settings options.

    Table 1: Remote User Client Settings Options

    Remote User Client Settings

    Description

    Default Profile

    The Default Profile is enabled by default. If you do not want this profile to be the default profile, click the toggle button.

    If you enable Default Profile for the VPN connection profile, Juniper Secure Connect automatically selects default profile as realm name (in this example: https://12.12.12.12/). In this case, it is optional to enter the realm name in Juniper Secure Connect.

    If you disable Default Profile for the VPN connection profile, you must enter the realm name along with the gateway address (in this example: https://12.12.12.12/JUNIPER_SECURE_CONNECT) in Juniper Secure Connect.

    Note:

    Starting in Junos OS 23.1R1 Release, default profile is deprecated in J-Web. However, in CLI—rather than immediately removing it—we provide backward compatibility and a chance to make your existing configuration conform to the changed configuration. You’ll receive a warning message if you continue to use the default-profile option in your configuration. However existing deployments are not affected if you modify the current configuration using CLI. See default-profile (Juniper Secure

    Connection Mode

    To establish the client connection manually or automatically, select the appropriate option.

    • If you select Manual, then in the Juniper Secure Connect application, to establish a connection, you must either click the toggle button or select Connection > Connect from the menu.

    • If you select Always, then Juniper Secure Connect automatically establishes the connection.

    Known Limitation:

    Android device: If you use or select Always, then the configuration is downloaded from the first used SRX device. If the first SRX Series Firewall configuration changes or if you connect to a new SRX device, the configuration does not get downloaded to the Juniper Secure Connect application.

    This means that once you connect in the Always mode using the Android device, any configuration changes in the SRX Series Firewall do not take effect on Juniper Secure Connect.

    SSL VPN

    To enable support for SSL VPN connection from the Juniper Secure Connect application to the SRX Series Firewalls, click the toggle button. Use this option when IPsec ports are not allowed. By enabling SSL VPN, the client has the flexibility in connecting the SRX Series Firewalls. By default, SSL VPN is enabled.

    Biometric authentication

    This option is disabled by default. If you enable this option, when you click connect in Juniper Secure Connect, Juniper Secure Connect displays an authentication prompt.

    This option allows the user to protect their credentials using the operating system’s built-in biometric authentication support.

    Dead Peer Detection

    Dead Peer Detection (DPD) is enabled by default to allow the client to detect if the SRX Series Firewall is not reachable, disable the connection till reachability is restored.

    Windows Logon

    This option allows users to logon to the local Windows system through an already established VPN tunnel (using Windows Pre-Logon), so that it is authenticated to the central Windows domain or Active Directory.

  5. Click Local Gateway to configure the Local Gateway settings.

    Figure 9 shows an example of the local gateway configuration settings.

    Figure 9: Local Gateway ConfigurationLocal Gateway Configuration

    1. If you enable Gateway is behind NAT, a text box appears. In the text box, enter the NAT IP address. We support only IPv4 addresses. NAT address is the external address.

    2. Enter a IKE ID in user@hostname.com format. For example, abc@xyz.com.

    3. In the External Interface field, select the IP address for the clients to connect. You must enter this same IP address (in this example: https://12.12.12.12/) for the Gateway Address field in the Juniper Secure Connect application.

      If you enable Gateway is behind NAT, then the NAT IP address becomes the gateway address.

    4. From the Tunnel Interface drop-down list, select an interface to bind it to the route-based VPN. Alternatively click Add. If you click Add, the Create Tunnel Interface page appears.

      Figure 10 shows an example of the Create Tunnel Interface page.

      Figure 10: Create Tunnel Interface PageCreate Tunnel Interface Page

      The next available ST0 logical interface number is displayed in the Interface Unit field and you can enter a description for this interface. Select the zone to add this tunnel interface to. If Auto-create Firewall Policy (in Create Remote Access page) is set to Yes, the firewall policy uses this zone. Click OK.

    5. Enter the preshared key in ASCII format. We do not support hexadecimal format for remote-access VPN.

    6. From the User Authentication drop-down list, select an existing access profile or click Add to create a new access profile. If you click Add, the Create Access Profile page appears.

      Figure 11 shows an example of the Create Access Profile page.

      Figure 11: Create Access Profile PageCreate Access Profile Page

      Enter the access profile name. From the Address Assignment drop-down list, select an address pool or click Create Address Pool. If you click Create Address Pool, the Create Address Pool page appears.

      The Create Address Pool window appears.

      Figure 12 shows an example of the Create Address Pool page.

      Figure 12: Create Address Pool PageCreate Address Pool Page

      • Enter the details for the local IP pool that is in the VPN policy for the clients. Enter a name for the IP address pool.

      • Enter the network address that you use for the address assignment.

      • Enter your DNS server address. Enter WINS server details, if required. Now click the add icon (+) to create the address range to assign IP addresses to the clients.

      • Enter the name, and the lower and higher limits. After entering the details, click OK.

      Select the RADIUS check box, where all the authentication details are stored on an external radius server.

      • Click the add icon (+) to configure the radius server details. See Figure 13.

        Figure 13: Create RADIUS Server PageCreate RADIUS Server Page

      • Enter the Radius Server IP Address, the Radius Secret, and Source Address for the radius communications to be sourced from. Click OK.

        In the Authentication Order, from Order 1 drop-down list select RADIUS. Click OK to complete the access profile configuration.

        Figure 14 shows an example of Create Access Profile page.

        Figure 14: Create Access Profile PageCreate Access Profile Page

    7. From the SSL VPN Profile drop-down list, select an existing profile or click Add to create a new SSL VPN profile. If you click Add, the Add SSL VPN Profile page appears.

      Figure 15 shows an example of the Add SSL VPN Profile page.

      Figure 15: Add SSL VPN Profile Page Add SSL VPN Profile Page

      On the Add SSL VPN Profile page, you can configure the SSL VPN profile. Enter the SSL VPN profile name in the Name field, and enable logging using the toggle, if required. In the SSL Termination Profile field, select the SSL termination profile from the dropdown list. SSL termination is a process where the SRX Series Firewalls acts as an SSL proxy server, and terminates the SSL session from the client. If you want to create a new SSL termination profile, click Add. The Create SSL Termination Profile page appears.

      Figure 16 shows an example of the Create SSL Termination Profile page.

      Figure 16: Create SSL Termination Profile Page Create SSL Termination Profile Page

      • Enter the name for the SSL termination profile and select the server certificate that you use for the SSL termination on the SRX Series Firewalls. Click Add to add a new server certificate or click Import to import the server certificate. The server certificate is a local certificate identifier. Server certificates are used to authenticate the identity of a server.

      • Click OK.

    8. The Source NAT Traffic option is enabled by default. When Source NAT Traffic is enabled, all traffic from the Juniper Secure Connect application is NATed to the selected interface by default. Click the toggle button to disable the Source NAT Traffic option. If the option is disabled, you must ensure that you have a route from your network pointing to the SRX Series Firewalls for handling the return traffic correctly.

    9. Under Protected Networks, click the add icon (+) to select the networks that the Juniper Secure Connect application can connect to.

      Figure 17 shows an example of the Create Protected Networks page.

      Figure 17: Create Protected Networks PageCreate Protected Networks Page

      By default, any network 0.0.0.0/0 is allowed. If you configure a specific network, split tunneling for Juniper Secure Connect application is enabled. If you retain the default value, you can restrict access to your defined networks by adjusting the firewall policy from the client network. Click OK, and the selected networks are now in the list of protected networks. Click OK to complete the local gateway configuration.

      Figure 18 shows an example of successful completion of remote access configuration with remote user and local gateway.

      Figure 18: Complete Remote Access ConfigurationComplete Remote Access Configuration

      IKE Settings and IPsec Settings are advanced options. J-Web is already configured with default values for the IKE and IPsec parameters. It is not mandatory to configure these settings.

  6. You can now find the URL for the remote users to connect to. Copy and store this URL for sharing with your remote users. You need only the /xxxx information if this configuration is not your default profile.

    Figure 19 highlights the URL that remote user must enter in the Gateway address field in Juniper Secure Connect application to establish remote access connection.

    Figure 19: Commit Remote Access ConfigurationCommit Remote Access Configuration

    1. Click Save to complete the Juniper Secure Connect VPN configuration and associated policy if you have selected the auto policy creation option.

    2. Click the highlighted Commit button (at the top right of the page next to Feedback Button) to commit the configuration.

Download and install Juniper Secure Connect application on the client machine. Launch Juniper Secure Connect and connect to the gateway address of the SRX Series Firewall.

Related Documentation

arrow_backward PREVIOUS Local User Authentication Using Pre-shared Key
NEXT arrow_forward Certificate-Based Validation Using EAP-MSCHAPv2 Authentication
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top