[j-nsp] SRX100 LDAP
Per Westerlund
p1 at westerlund.se
Wed Mar 19 08:42:34 EDT 2014
I was a bit quick, the configuration under [edit access] is not the same on EX and SRX (of the versions I have).
Here is a working setup, although I am using RADIUS instead of LDAP. As long as you get the server details correct, that should not matter; they are both external authentication servers.
I have tried this both with FTP (text-based pass-through) as well as with HTTP (pass-through with web redirect). The crucial thing for me was the interface setting (fe-0/0/1); I had to set up a different address for the web authentication. Without that, I would only get the J-web login page instead.
/Per
(Not the complete config, just the relevant parts)
system {
    services {
        web-management {
            http;
        }
    }
}
interfaces {
    fe-0/0/0 {
        description "ex1, ge-0/0/4, server network (untrust)";
        unit 0 {
            family inet {
                address 172.16.10.1/24;
            }
        }
    }
    fe-0/0/1 {
        description "ex1, ge-0/0/5, client network (trust)";
        unit 0 {
            family inet {
                address 172.16.1.1/24 {
                    preferred;
                }
                address 172.16.1.2/24 {
                    web-authentication http;
                }
            }
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        firewall-authentication {
                            pass-through {
                                access-profile TPAD;
                                web-redirect;
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    http;
                }
            }
            interfaces {
                fe-0/0/1.0;
            }
        }
        security-zone untrust {
            interfaces {
                fe-0/0/0.0;
            }
        }
    }
}
access {
    profile TPAD {
        authentication-order radius;
        radius-server {
            192.168.0.149 secret "$9$eqBML7wYojHm-VHmfT/9evW"; ## SECRET-DATA
        }
    }
    firewall-authentication {
        pass-through {
            default-profile TPAD;
        }
        web-authentication {
            default-profile TPAD;
        }
    }
}
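The script below is an added illustration, not part of Per's post and not a Juniper tool. It parses the brace format that `show configuration` prints and checks the three things the setup above depends on: the web-authentication address must be a separate address from the preferred one (otherwise, as the post reports, J-Web answers instead of the firewall-authentication page), the zone holding that interface must allow http or https as a host-inbound system service so the redirect can be served, and every access-profile a policy names must exist under [edit access]. The sample configuration is constructed from the relevant parts of the post with the RADIUS secret replaced by a placeholder; the negative case, including the policy name p1 and the profile name LDAP1, is made up to show the checks firing.

```python
import re

# Added illustration (not Juniper code): audit the parts of a brace-format SRX
# configuration that a firewall-authentication pass-through/web-redirect setup relies on.

def parse_junos(text):
    """Parse 'show configuration' brace output into nested dicts; leaf statements map to None."""
    text = re.sub(r"##[^\n]*", "", text)                 # drop '## SECRET-DATA' style annotations
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    root = {}
    node, stack, words = root, [], []
    for tok in tokens:
        if tok == "{":                                   # 'key words {' opens a nested block
            if not words:
                raise ValueError("block without a name")
            block = {}
            node[" ".join(words)] = block
            stack.append(node)
            node, words = block, []
        elif tok == "}":
            if words or not stack:
                raise ValueError("malformed configuration")
            node = stack.pop()
        elif tok == ";":                                 # 'key words;' is a leaf statement
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    if stack or words:
        raise ValueError("unbalanced braces")
    return root

def sub(node, *keys):
    """Walk nested dicts safely; return {} where a key is missing or is a leaf."""
    for key in keys:
        if not isinstance(node, dict):
            return {}
        node = node.get(key)
    return node if isinstance(node, dict) else {}

def web_auth_interfaces(cfg):
    """Map 'fe-0/0/1.0' -> (preferred address, web-authentication address, address count)."""
    found = {}
    for ifname in sub(cfg, "interfaces"):
        for unit in sub(cfg, "interfaces", ifname):
            if not unit.startswith("unit "):
                continue
            preferred = webauth = None
            n_addrs = 0
            for stmt, body in sub(cfg, "interfaces", ifname, unit, "family inet").items():
                if not stmt.startswith("address "):
                    continue
                n_addrs += 1
                addr = stmt.split()[1]
                if isinstance(body, dict) and "preferred" in body:
                    preferred = addr
                if isinstance(body, dict) and any(s.startswith("web-authentication") for s in body):
                    webauth = addr
            if webauth:
                found[f"{ifname}.{unit.split()[1]}"] = (preferred, webauth, n_addrs)
    return found

def zone_of(cfg, ifunit):
    """Name of the security zone whose interfaces list contains ifunit, or None."""
    for zone, zcfg in sub(cfg, "security", "zones").items():
        if zone.startswith("security-zone ") and ifunit in sub(zcfg, "interfaces"):
            return zone.split(None, 1)[1]
    return None

def referenced_profiles(cfg):
    """Access-profile names used by firewall-authentication actions in security policies."""
    names = set()
    for pair in sub(cfg, "security", "policies"):
        for pname in sub(cfg, "security", "policies", pair):
            fa = sub(cfg, "security", "policies", pair, pname, "then", "permit", "firewall-authentication")
            for mode in fa:                              # pass-through / web-authentication
                for stmt in sub(fa, mode):
                    if stmt.startswith("access-profile "):
                        names.add(stmt.split()[1])
    return names

def audit(text):
    """Return a list of findings; an empty list means all checks pass."""
    cfg = parse_junos(text)
    findings = []
    ifaces = web_auth_interfaces(cfg)
    if not ifaces:
        findings.append("no interface address carries 'web-authentication http'")
    for ifunit, (preferred, webauth, n_addrs) in ifaces.items():
        # The post's key observation: web-authentication needs an address of its own.
        if n_addrs < 2 or preferred == webauth:
            findings.append(f"{ifunit}: web-authentication address {webauth} is not separate from the preferred address")
        zone = zone_of(cfg, ifunit)
        if zone is None:
            findings.append(f"{ifunit}: not a member of any security zone")
        elif not {"http", "https"} & set(sub(cfg, "security", "zones", f"security-zone {zone}",
                                             "host-inbound-traffic", "system-services")):
            findings.append(f"zone {zone}: host-inbound-traffic allows neither http nor https")
    defined = {k.split()[1] for k in sub(cfg, "access") if k.startswith("profile ")}
    for name in referenced_profiles(cfg) - defined:
        findings.append(f"policy references access-profile {name} that is not defined under [edit access]")
    return findings

# Constructed from the relevant parts of the post; the secret is a placeholder.
SAMPLE_CONFIG = """
interfaces { fe-0/0/1 { unit 0 { family inet {
    address 172.16.1.1/24 { preferred; }
    address 172.16.1.2/24 { web-authentication http; } } } } }
security {
  policies { from-zone trust to-zone untrust { policy trust-to-untrust {
    match { source-address any; destination-address any; application any; }
    then { permit { firewall-authentication { pass-through { access-profile TPAD; web-redirect; } } } } } } }
  zones { security-zone trust { host-inbound-traffic { system-services { http; } }
                                interfaces { fe-0/0/1.0; } } } }
access { profile TPAD { authentication-order radius;
  radius-server { 192.168.0.149 secret "$9$PLACEHOLDER"; ## SECRET-DATA
  } } }
"""

# Constructed negative case: one shared address, no http host-inbound, undefined profile.
BROKEN_CONFIG = """
interfaces { fe-0/0/1 { unit 0 { family inet {
    address 172.16.1.1/24 { preferred; web-authentication http; } } } } }
security {
  policies { from-zone trust to-zone untrust { policy p1 {
    match { source-address any; destination-address any; application any; }
    then { permit { firewall-authentication { pass-through { access-profile LDAP1; web-redirect; } } } } } } }
  zones { security-zone trust { interfaces { fe-0/0/1.0; } } } }
access { profile TPAD { authentication-order radius; } }
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit(text) or "OK")
```

The parser deliberately understands only the curly-brace form; for `| display set` output you would need a different front end. The address check mirrors the post's symptom rather than any documented rule, so treat it as a sanity check on the pattern that worked for the author.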