Stefan,
You may want to contact the ATS Network Security group for this. They got this working for us in exactly the mode you are looking for. Nicholas Oas is our contact and is pretty familiar with our setup.
What it boils down to is you have to setup a static user-id that allows authentication for phase-1 authentication with a PSK. You would then need to setup Extended Authentication that you can tie to the Active-Directory authentication. Without turning on that Extended Authentication mode, you can only have one person connected at a time per account configuration.
We currently have about 150+ users configured in this mode, some of them use it 8 hours a day. It works really well.
If you continue to use the NetScreen Remote software, you can actually bake all the settings into a configuration file, so all the user would have to do is double click the configuration file and everything is setup. For Mac OSX, we've deployed VPN Tracker from Equinux which is a pretty nice program as well (but does cost money).
-Nick Kwiatkowski
MSU Telecom Systems
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Stefan Ozminski
Sent: Wednesday, October 14, 2009 7:58 PM
To: [log in to unmask]
Subject: [MSUNAG] Juniper SSG 140 configuration with LDAP authentication (Active Directory)
We have a Juniper Secure Services Gateway 140 (a firewall), which is a
model that does not support the web based authentication and vpn
connection used at vpn.msu.edu. The software that Juniper offers is
Netscreen-Remote for the client (supported on Windows, and not the Mac).
Admittedly, the Juniper SSG 140 has good security protocols for the vpn,
and there are some nice pictures in the documentation. But the
documentation is voluminous and the numerous restrictions for what
options can be combined are not documented well. But the client
software is not well integrated with the secure gateway server. The
options for the different phases of negotiating the encryption for the
vpn tunnel are in very different places, and the names are not the same
between the server interface and the client configuration interface.
I can create a single user vpn that supports L2TP with IPsec and a
dynamic address (i.e. DHCP) on the client.
I can create a multiple user vpn that only works with a fixed address on
the client.
If I try to mix the two, the SSG 140 won't let me get past the Phase 1
negotiations. I looked through the documentation several times, and
searched the Juniper website, and the multiple user vpn with dynamic
address combination is not offered as an option.
Has anyone found a configuration that supports a dynamic address on the
client, a preshared key, a single IKE user account that permits multiple
logins, and extended authentication through LDAP to a Windows Active
Directory domain?
If you have done it with certificates, I would like to hear about that too.
If I get any responses, I can summarize to the list.
-Stefan
KBS Computer Services Helpdesk:
[log in to unmask]
269-671-2100 (from campus 199-2100)
Stefan Ozminski
Computer Services
W.K. Kellogg Biological Station
Michigan State University
3700 E. Gull Lake Dr.
Hickory Corners, MI 49060
Phone: 269-671-4427 (from campus 199-4427)
[log in to unmask]
|