Screen OS

 View Only
last person joined: one year ago 

This is a legacy community with limited Juniper monitoring.
Expand all | Collapse all

LDAP Authentication Problems

  • 1.  LDAP Authentication Problems

    Posted 09-21-2009 10:32

    I've got a Netscreen 50 running firmware version: Version: 5.3.0r3.0 (Firewall+VPN) 

     

    I've been trying to get all of my systems sync'ing with my Active Directory (Windows Server 2008) for all users/passwords.  I've done this with other applications using the LDAP of the active directory.  I can succesfully connect to my LDAP with an LDAP browser and my other applications.  These successful applications require that I put the Domain name in front of the username.  My example is Domain "SAF", and user tjohnston, so these settings connect successfully with "SAF\tjohnston" and the password.

     

    When I try the same settings in the Netscreen I get log entry:

     

    User SAF johnston at 10.100.1.223 has been rejected via the LDAP server at 10.6.31.164 (which is the IP of my client, and LDAP server)

     

    In this example it's interpriting the '\t' in my username as a tab.  I've tried putting 2 slashes ("SAF\\tjohnston"), but even though the Netscreen reports the correct username (SAF\tjohnston) it still says it's denied by the LDAP, despite the fact that I can copy and paste the DN from the firewall into my LDAP browser and can connect. 

     

    Is there some way to get the Netscreen to put the domain in front of all of my Users' names?  Is there something I'm missing?  Why would the settings that work with my LDAP browser not work with the Netscreen?

     

    Thanks,

     

    Tommy 

    Message Edited by Tjohnston on 09-21-2009 10:44 AM

    #ldap
    #authentication


  • 2.  RE: LDAP Authentication Problems

    Posted 09-22-2009 14:34

    Hi,

     

    As far i as know, there is no support for windows authentication method on ScreenOS ( LanManager, NTLMv1 or NTLMv2) and it is just what you are trying to use when you are using " Domainname\Username".

    Active Directory is supported using LDAP v2 ( no V3) and maybe you could also Radius with NPS Windows 2008 role ( it is a Radius server ).

     

    Just try to login using only "Username" after setting the Screenos to search for the SamAccountName attribute.

    It is what i usually do and it works. 

     

    Another point : the only way to secure ldap traffic from the screenos to AD is to encapsulate it in an ipsec vpn.there is no support for LDAPS or LDAP/TLS.

     

     



  • 3.  RE: LDAP Authentication Problems

    Posted 09-22-2009 15:24

    Hey Tommy - the first reply to this post was great in terms of how ScreenOS works (or doesn't) with AD boxes. I personally would recommend that you look to enabling the radius I/F on W2K8 box (through IAS) as if you decide you want to do more than simply use it for passwords you can get into role assignments, etc. with radius.

     

    LDAP on ScreenOS is very, very limited - all you can do is authenticate, not poll for Groups......



  • 4.  RE: LDAP Authentication Problems

    Posted 09-24-2009 07:13

    I guess I'll just have to use something else since I can't use the LDAP.  I've played with Radius in the past without any luck.

     

    Does anybody have any recommended Walk throughs for Authentication between Windows Active Directory and Netscreen?  I'm a bit of a newbie in the Admin role and need a little bit more guidance.

    Update:
    I found this article:
    It has step by step instructions to set up a Netscreen for Radius Auth for VPN access with Windows 2003 or 2008.  I think I could follow most of these steps, but I'm wondering if I would need to do anything different since I'm not needing the VPN access.  I would prefer not to open any exteral access that isn't necessary.  Can somebody advise me what I might need to do differently for just Authentication instead of VPN?
     Thanks,
    Tommy
    Message Edited by Tjohnston on 09-24-2009 08:29 AM


  • 5.  RE: LDAP Authentication Problems

    Posted 09-24-2009 12:09

    Active Directory and Netscreen do not work together. You can get the LDAP to work, it is just not as good as radius it you want to get detailed in terms of various permissions and stuff like that. I do have radius working against ScreenOS firewalls. I use W2K3 and W2K8 IAS(3) and NPS(8) and would be glad to give you the details if you would like to go the radius route.

     

    I have gotten LDAP to work in the past and could probably find some notes on it also if you want to stick with that solution. Just let me know!

    Message Edited by muttbarker on 09-24-2009 12:16 PM


  • 6.  RE: LDAP Authentication Problems

    Posted 09-24-2009 13:19

    I just did some testing for fun (bored while eating lunch 🙂

     

    I was able to get LDAP to work sucessfully for authentication of the Netscreen box. The only issue I found is that it is using the Distiguished Name (DN) for the login - not samaccountname (which maps to login name). I messed with it a bit and was not able to create some attributes that would allow me to use the samaccountname value instead of DN. As DN is usually pulled from the display name plus the rest of the LDAP string (ie- cn=users,dc=xxx,dc=com) I don't think that this is what you want.

     

    However, it does work and was pretty simple to get up. Let me know if you want any more details.



  • 7.  RE: LDAP Authentication Problems

    Posted 09-25-2009 06:05

    Hey Kevin,

     

    Thanks for the help.  I would like to keep trying the LDAP because that would use exisiting software components.  I'm not really using any of the group information at the moment.  Our Local DB on the Netscreen just holds Usernames/PWs.  Everybody has the same permissions at the moment.

     

    Here are the settings from my Netscreen:  My DC IP address is 10.6.31.164, and my domain is saf.sc.gov.  My current DN is: OU=SAF_USERS,DC=saf,DC=sc,DC=gov.  The CN I'm using is just CN.  (I'm not sure if I should be putting anything else there...)

     

    I'm using JXplorer as an independent test to browse the LDAP.  With these settings it works only with the samaccountname (i.e. SAF\<username>).  JXplorer doesn't give me the option of a CN, so I'm not sure how to test for that setting.

     

    Any ideas on what I should try to get it to work?  Ideally I'd like to use only the username instead of the full samaccountname.

     

    Thanks!

     

    Tommy



  • 8.  RE: LDAP Authentication Problems
    Best Answer

    Posted 09-25-2009 13:35
      |   view attached

    Hey Tommy - did not have any real chance to see how fancy I could get with it. I did determine the following. You can very easily login use the full distinguished name. To do so you would setup the Auth Server for LDAP using the auth type of admin. The common name identfier is usually going to be "cn" then you would place the remainder of the DN string (less your name) in the Distringuished Name (DN) field.

     

    IE - my full DN for me cn=Kevin Barker, cn=Users, DC=itg, DC=com

     

    so the string in Distinguished Name field is: cn=Users, DC=itg, DC=com

     

    The value common name identifier is "cn" and the when I login with "Kevin Barker" it builds the string out to map to my fully qualfied DN.

     

    I wanted to find some way to use another value like samaccountname or userprincipalname (login name) but did not have time to test. Hope this helps a little. Also found a nice tool that gives you fully qualfied DN values. It is in the zip file. Just unzip it - then from a logged in session run it and it returns your full DN value.

     

    Message Edited by muttbarker on 09-25-2009 01:35 PM

    Attachment(s)

    zip
    GetMyDN.zip   19 KB 1 version


  • 9.  RE: LDAP Authentication Problems

    Posted 10-13-2009 10:44

    Thanks Kevin.  I was able to get the LDAP working when I tried the "Full Name" value.  I had my user set up with the default full name: Test User.  The userid was tuser.  I found out the Display name in the Active directory was what showed in the Address book and with Outlook.  I'm sure it's not the best soultion, but I set the "Full Name" to the user id for all my users, and it looks like the LDAP is working properly.

     

    The only question I've got is related to the length of the authentication.  With my local authentication the users had to authenticate once per day.  It seems the LDAP is forcing a login once, but it doesn't seem to expire after days.  I had one example with the machine shut down for 5 days or so.  When it was powered up and tried to access the web, there was no prompt for user/pw.

     

    I don't want my users to authenticate once with the Active Directory.  It is preferable to have a once a day requirement.  I didn't see any settings about the length of the authentication.  Does anybody know if there's a way to set the time that it takes for a user's authentication to expire?

     

    Thanks,

     

    Tommy



  • 10.  RE: LDAP Authentication Problems

    Posted 10-16-2009 14:42
    You can use the "forced timeout" option on the entry for the LDAP auth server itself. It is set in minutes and will kill the auth and the sessions. That is the only option that I know of.


  • 11.  RE: LDAP Authentication Problems

    Posted 10-20-2009 03:54

     

    Hi muttbarker

     

    Many thanks for yuor tool 

     

    thnaks



  • 12.  RE: LDAP Authentication Problems

    Posted 10-20-2009 03:56

    Hi Kevin 

    Many thanks for yuor tool 

     

    thnaks



  • 13.  RE: LDAP Authentication Problems

    Posted 02-08-2011 14:56

    Kevin

    I found this old post relevent to an issue I am currently having with my SSG-20 I setup today to authenticate VPN clients to LDAP. The JTAC tech and I could only get a successful login if we used the display name and password vice username and password. How do I get that username to work so I don't have to tell the remote users to use their display name vice their username?

    Thanks!

    Matt Lenco

    mlenco@sms-fed.com



  • 14.  RE: LDAP Authentication Problems

    Posted 02-08-2011 16:40

    Hey Mateo - traveling so I don't have direct access to my boxes as an admin - but if memory serves me you CAN'T use username (samaccountname in LDAP terms) - ScreenOS does not let you define it.

     

    My recommendation would be to use Radius against your AD server, not LDAP.