 |
 |
Stefan, You may want to contact the ATS Network Security group for this. They got this working for us in exactly the mode you are looking for. Nicholas Oas is our contact and is pretty familiar with our setup. What it boils down to is you have to setup a static user-id that allows authentication for phase-1 authentication with a PSK. You would then need to setup Extended Authentication that you can tie to the Active-Directory authentication. Without turning on that Extended Authentication mode, you can only have one person connected at a time per account configuration. We currently have about 150+ users configured in this mode, some of them use it 8 hours a day. It works really well. If you continue to use the NetScreen Remote software, you can actually bake all the settings into a configuration file, so all the user would have to do is double click the configuration file and everything is setup. For Mac OSX, we've deployed VPN Tracker from Equinux which is a pretty nice program as well (but does cost money). -Nick Kwiatkowski MSU Telecom Systems -----Original Message----- From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Stefan Ozminski Sent: Wednesday, October 14, 2009 7:58 PM To: [log in to unmask] Subject: [MSUNAG] Juniper SSG 140 configuration with LDAP authentication (Active Directory) We have a Juniper Secure Services Gateway 140 (a firewall), which is a model that does not support the web based authentication and vpn connection used at vpn.msu.edu. The software that Juniper offers is Netscreen-Remote for the client (supported on Windows, and not the Mac). Admittedly, the Juniper SSG 140 has good security protocols for the vpn, and there are some nice pictures in the documentation. But the documentation is voluminous and the numerous restrictions for what options can be combined are not documented well. But the client software is not well integrated with the secure gateway server. The options for the different phases of negotiating the encryption for the vpn tunnel are in very different places, and the names are not the same between the server interface and the client configuration interface. I can create a single user vpn that supports L2TP with IPsec and a dynamic address (i.e. DHCP) on the client. I can create a multiple user vpn that only works with a fixed address on the client. If I try to mix the two, the SSG 140 won't let me get past the Phase 1 negotiations. I looked through the documentation several times, and searched the Juniper website, and the multiple user vpn with dynamic address combination is not offered as an option. Has anyone found a configuration that supports a dynamic address on the client, a preshared key, a single IKE user account that permits multiple logins, and extended authentication through LDAP to a Windows Active Directory domain? If you have done it with certificates, I would like to hear about that too. If I get any responses, I can summarize to the list. -Stefan KBS Computer Services Helpdesk: [log in to unmask] 269-671-2100 (from campus 199-2100) Stefan Ozminski Computer Services W.K. Kellogg Biological Station Michigan State University 3700 E. Gull Lake Dr. Hickory Corners, MI 49060 Phone: 269-671-4427 (from campus 199-4427) [log in to unmask]