Re: [MSUNAG] Juniper SSG 140 configuration with LDAP authentication (Active Directory)

I love the capabilities of Juniper devices, but configuration on them is second only to Cisco equipment as far as difficulty goes. I had a lot of luck working with their support team – the agent I talked to was more than happy to not only walk me through the configuration of the SSG to support Netscreen, but also to give me a hand with testing it and making sure everything functioned the way I needed it to.
----
Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955



> From: Stefan Ozminski <[log in to unmask]>
> Reply-To: Stefan Ozminski <[log in to unmask]>
> Date: Wed, 14 Oct 2009 19:57:48 -0400
> To: "[log in to unmask]" <[log in to unmask]>
> Subject: [MSUNAG] Juniper SSG 140 configuration with LDAP authentication
> (Active Directory)
>
> We have a Juniper Secure Services Gateway 140 (a firewall), which is a
> model that does not support the web based authentication and vpn
> connection used at vpn.msu.edu.  The software that Juniper offers is
> Netscreen-Remote for the client (supported on Windows, and not the Mac).
>
> Admittedly, the Juniper SSG 140 has good security protocols for the vpn,
> and there are some nice pictures in the documentation.  But the
> documentation is voluminous and the numerous restrictions for what
> options can be combined are not documented well.  But the client
> software is not well integrated with the secure gateway server.  The
> options for the different phases of negotiating the encryption for the
> vpn tunnel are in very different places, and the names are not the same
> between the server interface and the client configuration interface.
>
> I can create a single user vpn that supports L2TP with IPsec and a
> dynamic address (i.e. DHCP) on the client.
>
> I can create a multiple user vpn that only works with a fixed address on
> the client.
>
> If I try to mix the two, the SSG 140 won't let me get past the Phase 1
> negotiations.  I looked through the documentation several times, and
> searched the Juniper website, and the multiple user vpn with dynamic
> address combination is not offered as an option.
>
> Has anyone found a configuration that supports a dynamic address on the
> client, a preshared key, a single IKE user account that permits multiple
> logins, and extended authentication through LDAP to a Windows Active
> Directory domain?
>
> If you have done it with certificates, I would like to hear about that too.
>
> If I get any responses, I can summarize to the list.
>
> -Stefan
>
> KBS Computer Services Helpdesk:
> [log in to unmask]
> 269-671-2100 (from campus 199-2100)
>
> Stefan Ozminski
> Computer Services
> W.K. Kellogg Biological Station
> Michigan State University
> 3700 E. Gull Lake Dr.
> Hickory Corners, MI  49060
> Phone: 269-671-4427 (from campus 199-4427)
> [log in to unmask]