We’ve been trying now literally for weeks to configure our Juniper SRX VPN using RADIUS authentication. We previously had a Cisco ASA 5510 and it worked fine but we moved to an SRX because it was much easier to administer and was about 1/3 the cost. For the most part we’ve been pretty happy with the SRX vs the ASA – common-sense features like saving previous configs for trivial rollback, a web gui that’s way easier to use than ASDM, etc. But this VPN thing is a real fiasco. Basically what we want to do is use the SRX to authenticate against our Active Directory using IAS.
The closest we’ve gotten so far is having the SRX authenticate via RADIUS but apparently we still need to maintain a local user list on the SRX itself, defeating the purpose of central authentication. We were sold 10 VPN licenses with the understanding that this meant we could have up to 10 simultaneous VPN connections open. Apparently that’s true, but we’d have to specify which 10 users can access the VPN, which won’t work for us.
It doesn’t seem like we’re trying to do anything exotic here, but according to the vendor and JTAC support, they’re not aware of anyone doing this and have no idea how to do it. The ticket’s been open with Juniper for over 1 month now. We’re at the point where we just want a refund for the VPN licenses rather than continuing to bang our heads against the wall with this. The vendor originally wanted us to buy an SA VPN appliance in addition to the SRX, but assured us the SRX would do what we needed, with the caveat that the JunOS Pulse client for the SRX VPN was kind of crappy.
So after opening tickets in JTAC and the vendor’s support system, the net result apparently is that this is actually not possible. Not only is it not possible but everybody acts like we’re trying to do some strange voodoo. I mean, we have other stuff hooked into AD IAS already – wifi access points for one, and the old ASA AnyConnect VPN for another. We even went so far as to create a FreeRadius server to serve as an intermediary between the SRX and AD so we could get better log messages, and that didn’t work either.
So hopefully we can get a refund on the 10 useless VPN licenses and use our old ASA for AnyConnect VPN. I’m not holding my breath though. Fortunately we’ve eliminated the need for VPN for almost everything; the local fileserver is really the only thing left that requires VPN access.
Just to follow up, we used our old Cisco ASA5510 with AnyConnect and problems have been resolved. Plus 250 AnyConnect licenses cost under $200. I’m very surprised the Juniper SRX won’t do something as simple as (proper) LDAP authentication for VPN.
Find that hard to believe, they document the use of Radius with remote access VPNs here: dynamic-vpn-appnote-junos10.4-v21.pdf
I agree, but we had a ticket open with JTAC for over 4 weeks and spent several hours on the phone with them. If it’s possible I would hope they’d know about it. To be clear, apparently you can use it for authentication, but you need to maintain a list within the SRX in addition to AD/RADIUS, which defeats the purpose of centralized auth. They said it saved having to maintain the passwords in two places.
Gosh Evan. I hope they have fixed this by now. Hunting around myself for information about this I found an interesting writeup about this on http://newnetwork.wikidot.com/ (Juniper SRX), and I really hope this will do the trick. I will surely be giving it a go soon(ish).
I too have that problem. In fact the SRX I find is useless for VPN.
Even the link above, http://newnetwork.wikidot.com/, as a last point then needs you to add each user manually to the SRX. This means you need to reprogram your firewall each time a new staff member starts. Add to this that the Juniper Pulse client for the iPhone and iPad will not work with the SRX and you have a very disappointing VPN experience.
Agreed. Fortunately we had our old Cisco ASA to fall back on and it worked without problems, exactly as expected.
This exactly describes my problem with the SRX220. Have you guys heard if there is any solution to this yet?
I left that company a while ago unfortunately and no longer use Juniper equipment.
Same problem