
  • 1.  Juniper Secure Connect - Users with Different Levels of Access?

    This message was posted by a user wishing to remain anonymous
    Posted 02-02-2022 19:53

    Hey folks.

    We're in the process of trying to migrate a number of our Cisco ISRs over to Juniper SRXes.  One of the features that we use with our dynamic VPN setups on Cisco is the ability to have multiple VPN groups, each with a different level of access to the local resources.  So VPN user A might be able to access 10.0.0.0/24, while VPN user B might be locked down to just 10.0.0.10/32.

    I've been doing my darndest to try and mimic this setup on an SRX 300 in our lab, to no avail.  I can get basic VPN connectivity working, but every user seems to need to have the same access to local resources.

    I've opened a ticket with our vendor who is working with JTAC to determine:

    a) Is this setup possible?
    b) If so, how does one configure it?

    But so far, it has been more than a couple of weeks and I still have not even been able to get a straight answer on (a).   I've been given non-working config examples, which suggests that they believe it should be supported, but it's possible they're doing what I do when tackling lab-work, and simply throwing stuff at the wall to see what might stick.

    Has anybody tried to implement this, and if so, were they successful?

    I've tried configuring separate IKE gateways, IPSec VPN instances, remote access profiles, and access profiles for my two users that I'm trying to set up with different levels of access.  However, when attempting to connect using the Juniper Secure Connect app, it associates with the default access profiles and I don't appear to have any way to change/specify that in the app itself.

    I can change the default remote-access and access profiles via the SRX CLI, and that then forces all inbound VPN connection attempts to my alternate profiles, but it seems to be an all or nothing scenario.  (i.e. all users are forced to the same profiles, specified by what's configured as the 'default' on the SRX)



  • 2.  RE: Juniper Secure Connect - Users with Different Levels of Access?

    Posted 02-07-2022 19:13
    For the record, we have been told by JTAC (via our Juniper partner) that this feature isn't supported with Juniper Secure Connect.

    ------------------------------
    Tier 3 Technical Support
    ------------------------------



  • 3.  RE: Juniper Secure Connect - Users with Different Levels of Access?

    Posted 02-14-2022 09:46
    It turns out, this setup is supported (multiple Juniper Secure Connect users with different levels of access to local resources).  Or, perhaps if not supported, it does appear to work.  Here's how I got it going, if anybody is interested:

    • Separate access profiles for each 'group' sharing the same access levels.
    • Separate remote access profiles for each of those 'groups'.
    • Separate IPSec VPN configs for each.
    • Separate IKE Gateway configs for each.
      • I also gave them different user-at-hostname values, though I don't know if this was necessary or not.
    • Separate st0 interfaces for each.
      • I'm also not 100% sure if this is required, but this is how it's working right now.
    • The knowledge that to connect to a non-default remote access profile via Juniper Secure Connect, you have to try to connect to:



    ------------------------------
    Tier 3 Technical Support
    ------------------------------
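As an added example that is not from the thread or from Juniper's documentation: the set-format configuration below puts the pieces the post above lists together for two groups, one (group A) allowed to reach 10.0.0.0/24 and one (group B) restricted to 10.0.0.10/32, matching the original question. Every name (ap-group-a, gw-group-a, vpn-group-a, the zone names), the pool and LAN addresses, the external interface ge-0/0/0.0 and the placeholder secrets are assumptions; check the syntax against the Junos release on your SRX before committing it. How the client reaches the non-default profile is as the post describes. Lines starting with # are reader comments.

```junos
# --- Per-group authentication and address pools (assumed addresses) ---
set access address-assignment pool pool-group-a family inet network 172.16.10.0/24
set access address-assignment pool pool-group-a family inet xauth-attributes primary-dns 10.0.0.53/32
set access profile ap-group-a client alice firewall-user password "<alice-password>"
set access profile ap-group-a address-assignment pool pool-group-a
set access address-assignment pool pool-group-b family inet network 172.16.20.0/24
set access address-assignment pool pool-group-b family inet xauth-attributes primary-dns 10.0.0.53/32
set access profile ap-group-b client bob firewall-user password "<bob-password>"
set access profile ap-group-b address-assignment pool pool-group-b

# --- One IKE policy per group, so each group has its own pre-shared key ---
set security ike policy ike-pol-a mode aggressive
set security ike policy ike-pol-a proposal-set standard
set security ike policy ike-pol-a pre-shared-key ascii-text "<psk-group-a>"
set security ike policy ike-pol-b mode aggressive
set security ike policy ike-pol-b proposal-set standard
set security ike policy ike-pol-b pre-shared-key ascii-text "<psk-group-b>"

# --- One IKE gateway per group; the user-at-hostname is the IKE ID that selects the gateway ---
set security ike gateway gw-group-a ike-policy ike-pol-a
set security ike gateway gw-group-a dynamic user-at-hostname "group-a@vpn.example.com"
set security ike gateway gw-group-a dynamic ike-user-type group-ike-id
set security ike gateway gw-group-a external-interface ge-0/0/0.0
set security ike gateway gw-group-a aaa access-profile ap-group-a
set security ike gateway gw-group-a version v1-only
set security ike gateway gw-group-b ike-policy ike-pol-b
set security ike gateway gw-group-b dynamic user-at-hostname "group-b@vpn.example.com"
set security ike gateway gw-group-b dynamic ike-user-type group-ike-id
set security ike gateway gw-group-b external-interface ge-0/0/0.0
set security ike gateway gw-group-b aaa access-profile ap-group-b
set security ike gateway gw-group-b version v1-only

# --- One IPsec VPN per group, each bound to its own st0 unit ---
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-group-a bind-interface st0.0
set security ipsec vpn vpn-group-a ike gateway gw-group-a
set security ipsec vpn vpn-group-a ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-group-a traffic-selector ts-a local-ip 10.0.0.0/24 remote-ip 0.0.0.0/0
set security ipsec vpn vpn-group-b bind-interface st0.1
set security ipsec vpn vpn-group-b ike gateway gw-group-b
set security ipsec vpn vpn-group-b ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-group-b traffic-selector ts-b local-ip 10.0.0.10/32 remote-ip 0.0.0.0/0

# --- One remote-access profile per group; the default is what a client gets when it names none ---
set security remote-access client-config sc-client connection-mode manual
set security remote-access client-config sc-client dead-peer-detection interval 60 threshold 5
set security remote-access profile group-a ipsec-vpn vpn-group-a
set security remote-access profile group-a access-profile ap-group-a
set security remote-access profile group-a client-config sc-client
set security remote-access profile group-b ipsec-vpn vpn-group-b
set security remote-access profile group-b access-profile ap-group-b
set security remote-access profile group-b client-config sc-client
set security remote-access default-profile group-a

# --- Secure Connect fetches its settings over HTTPS, and IKE must be allowed in on the outside ---
set system services web-management https system-generated-certificate
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services https

# --- Zones and policies: this is where the different access levels are actually enforced ---
set security zones security-zone vpn-a interfaces st0.0
set security zones security-zone vpn-b interfaces st0.1
set security address-book global address lan-a 10.0.0.0/24
set security address-book global address host-b 10.0.0.10/32
set security policies from-zone vpn-a to-zone trust policy group-a-in match source-address any
set security policies from-zone vpn-a to-zone trust policy group-a-in match destination-address lan-a
set security policies from-zone vpn-a to-zone trust policy group-a-in match application any
set security policies from-zone vpn-a to-zone trust policy group-a-in then permit
set security policies from-zone vpn-b to-zone trust policy group-b-in match source-address any
set security policies from-zone vpn-b to-zone trust policy group-b-in match destination-address host-b
set security policies from-zone vpn-b to-zone trust policy group-b-in match application any
set security policies from-zone vpn-b to-zone trust policy group-b-in then permit
```

Two points worth keeping in mind with this layout. First, the traffic selector only tells the client what to route into the tunnel; a client can be made to send more than that, so the restriction to 10.0.0.10/32 is only real because the vpn-b to trust policy permits nothing else (and there is no policy from vpn-b to anywhere else). Second, with group-ike-id all members of a group present the same IKE ID and pre-shared key, and it is the XAuth credential checked against that gateway's access profile that identifies the user; give each group its own pre-shared key and do not define the same username in both access profiles, otherwise the IKE ID is the only thing separating the groups.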