SRX

Hi All,

Can multiple dynamic vpn access profiles be configured on the SRX 240 firewall ?  There is already an in production remote access dynamic vpn setup that uses LDAP authentication for users. We would like to create another vpn profile and have a radius server as the authenticator for one single user (as this just a test env). Is this possible on the SRX 240 firewall ? If not, then within the existing VPN config can a single user name be added in such a way that this user be authenticated by radius server and not ldap ? 

Hi Techvin

For DynVPN you could only configure one access-profile because only one can be configured under [edit security dynamic-vpn]. If you try configuring an extra profile, the first one will be overwritten. However, within a single access-profile you can specify more than one authentication method:

"Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the different authentication methods when verifying user access to a router or switch."

Ref: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html

You could configure LDAP and Radius under the same access-profile:

set access profile PROFILE_NAME authentication-order [ ldap radius ]

Ref: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/access-edit-authentication-order.html

It is important to understand that all users will be checked against the different servers, upon a rejection:

"If an authentication server included in the [authentication-order] statement is not available, or if the authentication is available but returns a reject response, the Junos OS tries the next authentication method included in the authentication-order statement."

Ref: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html

In your case, I am assuming that the Radius user is not configured on the LDAP server hence it will be rejected by the LDAP server and then it will be checked on the Radius and will be accepted.

Hope this helps you; please mark my comment as "Solution" if it applies.

Hi, Thanks for replying. The radius user is registered in the ldap server as well and cannot be decoupled that way due to further dependencies on SSO etc. Als this VPN is for end users to access internal resources and not access the switch or network infrastructure. I agree that there is a method to define two or more authentication methods but the requirement is to perform the authentication process as below:

1> Check vpn user credentials with the ldap and then upon successful authentication trigger the second method i.e radius server which in turn would send a MFA to vpn user thus establishing 2 factor authentication ? 

As mentioned and verified such kind of intercoupled authentication is not possible on the SRX rather it is check first method if failed go to next method.

Techvin,

As you mentioned, the SRX will evaluate the user against the LDAP server but if the autentication is succesful it wont check the Radius for the same user. This is as per design.

You might want to check if there are any options for MFA with the LDAP server.