Juniper SRX cannot use RADIUS authentication for client VPN?

We’ve been trying now literally for weeks to configure our Juniper SRX VPN using RADIUS authentication. We previously had a Cisco ASA 5510 and it worked fine but we moved to an SRX because it was much easier to administer and was about 1/3 the cost. For the most part we’ve been pretty happy with the SRX vs the ASA – common-sense features like saving previous configs for trivial rollback, a web gui that’s way easier to use than ASDM, etc. But this VPN thing is a real fiasco. Basically what we want to do is use the SRX to authenticate against our Active Directory using IAS.

The closest we’ve gotten so far is having the SRX authenticate via RADIUS but apparently we still need to maintain a local user list on the SRX itself, defeating the purpose of central authentication. We were sold 10 VPN licenses with the understanding that this meant we could have up to 10 simultaneous VPN connections open. Apparently that’s true, but we’d have to specify which 10 users can access the VPN, which won’t work for us.

This doesn’t seem like we’re trying to do anything exotic here but according to the vendor and JTAC support, they’re not aware of anyone doing this, and have no idea how to do it. The ticket’s been open with Juniper for over 1 month now. We’re at the point where we just want a refund for the VPN licenses rather than continuing to bang our heads against the wall with this. The vendor originally wanted us to buy an SA VPN appliance in addition to the SRX, but assured us the SRX would do what we needed with the caveat that the JunOS Pulse client for the SRX VPN was kind of crappy.

So after opening tickets in JTAC and the vendor’s support system, the net result apparently is that this is actually not possible. Not only is it not possible but everybody acts like we’re trying to do some strange voodoo. I mean, we have other stuff hooked into AD IAS already – wifi access points for one, and the old ASA AnyConnect VPN for another. We even went so far as to create a FreeRadius server to serve as an intermediary between the SRX and AD so we could get better log messages, and that didn’t work either.

So hopefully we can get a refund on the 10 useless VPN licenses and use our old ASA for AnyConnect VPN. I’m not holding my breath though. Fortunately we’ve eliminated the need for VPN for almost everything, the local fileserver is really the only thing left that requires VPN access.

9 Replies to “Juniper SRX cannot use RADIUS authentication for client VPN?”

  1. Just to follow up, we used our old Cisco ASA5510 with AnyConnect and problems have been resolved. Plus 250 AnyConnect licenses cost under $200. I’m very surprised the Juniper SRX won’t do something as simple as (proper) LDAP authentication for VPN.

    1. I agree, but we had a ticket open with JTAC for over 4 weeks and spent several hours on the phone with them. If it’s possible I would hope they’d know about it. To be clear, apparently you can use it for authentication, but you need to maintain a list within the SRX in addition to AD/RADIUS, which defeats the purpose of centralized auth. They said it saved having to maintain the passwords in two places.

  2. I too have that problem. Infancy the srx I
    find is useless for VPN.

    Even the link above as a last point then needs you to add each user manually to the SRX. This means you need to reprogram your firewall each time a new staff member starts. Add to this that the juniper pulse client for the iPhone and iPad will not work with the SRX and you have a very disappointing VPN experience.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: