View Only
last person joined: 17 days ago 

Ask questions and share experiences about the SRX Series.

Setting up LDAPS on the SRX345

  • 1.  Setting up LDAPS on the SRX345

    Posted 11-19-2021 05:44
    Edited by emacdermid 11-19-2021 12:01

    Hi all

    What i would like to get out of this, Is to have our staff members authenticate on the Secure Connect VPN with their AD accounts.

    I was hoping someone could give me some pointers as the correct way to set this up I have setup one of my AD servers to be the LDAP server (that's all fine)

    I am asking for some guidance on getting the LDAPS client setup correctly on my SRX345 running junos-srxsme-21.2R1.10

    I have scoured looking for guides to do this and the one i found wasn't the clearest,

    Any help would be greatly appreciated

    Also, I have had very conflicted responses as to if this would work for the Juniper Secure Connect VPN or is this only for logging onto the SRX itself?

    This is my current CLI config steps


    root@WEB-FW# set system ldap-server address (server IP)
    {primary:node0}[edit system ldap-server]root@WEB-FW# set base DC=ad,DC=xyz,DC=com
    {primary:node0}[edit system ldap-server]root@WEB-FW# set binddn CN=administrator,DC=ad,DC=xyz,DC=com
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# set bindpw *******(administrator password used here)
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# set ldaps-cert (Name of server certificate)
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# set port 50001
    {primary:node0}[edit system ldap-server]

    root@WEB-FW# show

    address (Server IP)

    port 50001;

    base DC=ad,DC=xyz,DC=com;

    binddn CN=administrator,DC=ad,DC=xyz,DC=com;

    bindpw "*********";

    ldaps-cert (Name of server certificate)

    Do i have to import the Certificate that was created on my Server? (name of server)

    If someone could be so kind as to supply me with all the commands i need to run,

    I would be immensely grateful

    For ref i followed this guide.

    I have also found this simple guide

    * create an access profile
    edit access profile JSC-RA-PROFILE
    set authentication-order ldap

    * use an existing address pool
    set address-assignment RAS-POOL1

    * reset the values for windowsdomain companyname and local approriately for your windows domain
    set ldap-options base-distinguished-name DC=windowsdomain,DC=companyname,DC=local

    * gotta have this line as is
    set ldap-options search search-filter sAMAccountNAme=

    * create a non-admin account to authenticate users. make sure you have CN correct for this user
    * if you think there may be (or may not be) a space in the CN - use ADSI (inside the windows administrative tools)
    * to make sure you have it correct
    set ldap-options search admin-search distinguished-name CN=VPNAuth,CN=Users,DC=windowsdomain,DC=companyname,DC=local

    * password for VPNAuth
    set ldap-options search admin-search password "MyPasswordInWindowsForVPNAuth"

    * server(s) ip address(es)
    set ldap-server port 389

    with a completely different setup method to the juniper one