This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

Setting up LDAPS on the SRX345

  • 1.  Setting up LDAPS on the SRX345

    Posted 17 days ago

    Hi all

    What i would like to get out of this, Is to have our staff members authenticate on the Secure Connect VPN with their AD accounts.

    I was hoping someone could give me some pointers as the correct way to set this up I have setup one of my AD servers to be the LDAP server (that's all fine)

    I am asking for some guidance on getting the LDAPS client setup correctly on my SRX345 running junos-srxsme-21.2R1.10

    I have scoured looking for guides to do this and the one i found wasn't the clearest,

    Any help would be greatly appreciated

    Also, I have had very conflicted responses as to if this would work for the Juniper Secure Connect VPN or is this only for logging onto the SRX itself?

    This is my current CLI config steps


    root@WEB-FW# set system ldap-server address (server IP)
    {primary:node0}[edit system ldap-server]root@WEB-FW# set base DC=ad,DC=xyz,DC=com
    {primary:node0}[edit system ldap-server]root@WEB-FW# set binddn CN=administrator,DC=ad,DC=xyz,DC=com
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# set bindpw *******(administrator password used here)
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# set ldaps-cert (Name of server certificate)
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# set port 50001
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# show

    address (Server IP)

    port 50001;

    base DC=ad,DC=xyz,DC=com;

    binddn CN=administrator,DC=ad,DC=xyz,DC=com;

    bindpw "*********";

    ldaps-cert (Name of server certificate)

    Do i have to import the Certificate that was created on my Server? (name of server)

    If someone could be so kind as to supply me with all the commands i need to run,

    I would be immensely grateful

    For ref i followed this guide.

    I have also found this simple guide

    * create an access profile
    edit access profile JSC-RA-PROFILE
    set authentication-order ldap

    * use an existing address pool
    set address-assignment RAS-POOL1

    * reset the values for windowsdomain companyname and local approriately for your windows domain
    set ldap-options base-distinguished-name DC=windowsdomain,DC=companyname,DC=local

    * gotta have this line as is
    set ldap-options search search-filter sAMAccountNAme=

    * create a non-admin account to authenticate users. make sure you have CN correct for this user
    * if you think there may be (or may not be) a space in the CN - use ADSI (inside the windows administrative tools)
    * to make sure you have it correct
    set ldap-options search admin-search distinguished-name CN=VPNAuth,CN=Users,DC=windowsdomain,DC=companyname,DC=local

    * password for VPNAuth
    set ldap-options search admin-search password "MyPasswordInWindowsForVPNAuth"

    * server(s) ip address(es)
    set ldap-server port 389

    with a completely different setup method to the juniper one