It's been a long time since I've played with this, but it's not something simple like:

set access-profile TPAD

is it? The Junos doco doesn't mention it, but for some applications you need to specifically activate the access-profile.

On 18 Mar 2014, at 8:54 pm, Шепелев Андрей <[email protected]> wrote:

> Hi All !
>
> I'm trying to make a web portal auth with LDAP integration on SRX 100.
>
> Here is the config:
>
> ## Last changed: 2014-03-11 05:44:05 UTC
> version 11.2R4.3;
> system {
>     host-name test-srx100.adm.n.tp.ru;
>     root-authentication {
>         encrypted-password "$1$yo2A3wox$K/.Epl658XW1r4Z9BgDWm0"; ## SECRET-DATA
>     }
>     name-server {
>         10.60.0.5;
>         8.8.8.8;
>     }
>     services {
>         ssh;
>         telnet;
>         xnm-clear-text;
>         web-management {
>             http;
>         }
>     }
>     syslog {
>         archive size 100k files 3;
>         user * {
>             any emergency;
>         }
>         file messages {
>             any critical;
>             authorization info;
>         }
>         file interactive-commands {
>             interactive-commands error;
>         }
>     }
>     max-configurations-on-flash 5;
>     max-configuration-rollbacks 5;
>     license {
>         autoupdate {
>             url https://ae1.juniper.net/junos/key_retrieval;
>         }
>     }
>     processes {
>         general-authentication-service {
>             traceoptions {
>                 file auth-debug;
>                 flag all;
>             }
>         }
>     }
> }
> interfaces {
>     fe-0/0/0 {
>         unit 0;
>     }
>     fe-0/0/1 {
>         vlan-tagging;
>         unit 101 {
>             description Users;
>             vlan-id 101;
>             family inet {
>                 address 10.60.0.200/24;
>             }
>         }
>         unit 105 {
>             description Management;
>             vlan-id 105;
>             family inet {
>                 address 172.20.0.200/24;
>             }
>         }
>     }
>     fe-0/0/2 {
>         unit 0;
>     }
>     fe-0/0/3 {
>         unit 0;
>     }
>     fe-0/0/4 {
>         unit 0;
>     }
>     fe-0/0/5 {
>         unit 0;
>     }
>     fe-0/0/6 {
>         unit 0;
>     }
>     fe-0/0/7 {
>         unit 0 {
>             description ISP1;
>             family inet {
>                 address 46.250.34.22/24;
>             }
>         }
>     }
>     vlan {
>         unit 0;
>     }
> }
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop 46.250.34.1;
>         route 10.60.0.0/21 next-hop 10.60.0.1;
>         route 172.20.0.0/24 next-hop 172.20.0.1;
>     }
> }
> protocols {
>     stp;
> }
> security {
>     screen {
>         ids-option untrust-screen {
>             icmp {
>                 ping-death;
>             }
>             ip {
>                 source-route-option;
>                 tear-drop;
>             }
>             tcp {
>                 syn-flood {
>                     alarm-threshold 1024;
>                     attack-threshold 200;
>                     source-threshold 1024;
>                     destination-threshold 2048;
>                     timeout 20;
>                 }
>                 land;
>             }
>         }
>     }
>     nat {
>         source {
>             rule-set trust-to-untrust {
>                 from zone trust;
>                 to zone untrust;
>                 rule source-nat-rule {
>                     match {
>                         source-address 0.0.0.0/0;
>                     }
>                     then {
>                         source-nat {
>                             interface;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     policies {
>         from-zone trust to-zone untrust {
>             policy trust-to-untrust {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit {
>                         firewall-authentication {
>                             pass-through {
>                                 access-profile TPAD;
>                                 web-redirect;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     zones {
>         security-zone trust {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 fe-0/0/1.101;
>                 fe-0/0/1.105;
>             }
>         }
>         security-zone untrust {
>             screen untrust-screen;
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 fe-0/0/0.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             dhcp;
>                             tftp;
>                         }
>                     }
>                 }
>                 fe-0/0/7.0;
>             }
>         }
>     }
> }
> access {
>     profile TPAD {
>         authentication-order ldap;
>         ldap-options {
>             base-distinguished-name dc=tp,dc=ru;
>             search {
>                 search-filter sAMAccountName=;
>                 admin-search {
>                     distinguished-name cn=junos,ou=users,dc=tp,dc=ru;
>                     password "$9$NOdY4jHmfQFDjApuOREwY2oDi"; ## SECRET-DATA
>                 }
>             }
>         }
>         ldap-server {
>             10.60.0.5;
>         }
>     }
>     firewall-authentication {
>         pass-through {
>             default-profile TPAD;
>         }
>         web-authentication {
>             default-profile TPAD;
>         }
>     }
> }
> vlans {
>     vlan-trust {
>         vlan-id 3;
>     }
> }
>
>
> and thus far I only managed to make the web portal show me the web page. But
> all my tries to make LDAP work failed. It always said: incorrect password.
> Also, if I use the monitor traffic command, I saw only useless packets and no
> packets addressed to the LDAP server.
> Any traceoptions find no clue; it looks like the SRX doesn't want to try to send
> requests to LDAP.
>
> Any clues?
>
> thx
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
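The reply's suggestion boils down to a wiring question: does the `access-profile` the policy names actually resolve to a defined profile that has an `ldap-server`, and is the box otherwise sane before the portal goes live? The following is an added example, not code from the thread or from Juniper: a small hand-rolled parser for the curly-brace Junos hierarchy plus an audit that checks the policy-to-profile reference and flags the clear-text management services the posted config enables (telnet, xnm-clear-text, HTTP web-management) and zones that accept all host-inbound system services. The embedded config is a constructed, abbreviated excerpt in the same shape as the one on the list; the function names and the check list are this example's own.

```python
"""Audit a Junos-style config (curly-brace hierarchy) for firewall-auth wiring
and clear-text management services.  Added example; the parser is a minimal
hand-rolled one, not Junos's own, and SAMPLE_CONFIG is a constructed,
abbreviated excerpt modelled on the config posted to juniper-nsp."""
import re
from typing import Any, Dict, List

Tree = Dict[str, Any]  # statement text -> nested Tree, or None for a leaf


def parse_junos(text: str) -> Tree:
    """Turn 'key { ... }' and 'statement;' lines into nested dicts.
    Leaf statements map to None; '## ...' trailing comments are stripped."""
    root: Tree = {}
    stack: List[Tree] = [root]
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child: Tree = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def referenced_profiles(cfg: Tree) -> List[str]:
    """Every 'access-profile NAME' statement anywhere under security policies."""
    found: List[str] = []

    def walk(node: Tree) -> None:
        for key, val in node.items():
            m = re.fullmatch(r"access-profile (\S+)", key)
            if m:
                found.append(m.group(1))
            if isinstance(val, dict):
                walk(val)

    walk(cfg.get("security", {}).get("policies", {}))
    return found


def defined_profiles(cfg: Tree) -> Dict[str, Tree]:
    """Map profile name -> its subtree from the 'access' hierarchy."""
    out: Dict[str, Tree] = {}
    for key, val in cfg.get("access", {}).items():
        m = re.fullmatch(r"profile (\S+)", key)
        if m and isinstance(val, dict):
            out[m.group(1)] = val
    return out


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings for the given config text."""
    cfg = parse_junos(text)
    findings: List[str] = []
    profiles = defined_profiles(cfg)
    # 1. Does each policy's access-profile reference resolve, and is LDAP wired?
    for name in referenced_profiles(cfg):
        prof = profiles.get(name)
        if prof is None:
            findings.append(f"policy references undefined access profile {name}")
            continue
        if "authentication-order ldap" in prof and "ldap-server" not in prof:
            findings.append(f"profile {name} orders ldap but has no ldap-server")
    # 2. Clear-text management services expose the very credentials the portal collects.
    services = cfg.get("system", {}).get("services", {})
    for svc in ("telnet", "xnm-clear-text"):
        if svc in services:
            findings.append(f"clear-text management service enabled: {svc}")
    if "http" in (services.get("web-management") or {}):
        findings.append("web-management over plain http enabled")
    # 3. Zones that accept every host-inbound system service.
    zones = cfg.get("security", {}).get("zones", {})
    for zkey, zone in zones.items():
        hit = (zone or {}).get("host-inbound-traffic") or {}
        if "all" in (hit.get("system-services") or {}):
            findings.append(f"{zkey} allows all host-inbound system-services")
    return findings


# Constructed, abbreviated excerpt in the shape of the posted config.
SAMPLE_CONFIG = """\
system {
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http;
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                then {
                    permit {
                        firewall-authentication {
                            pass-through {
                                access-profile TPAD;
                                web-redirect;
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
access {
    profile TPAD {
        authentication-order ldap;
        ldap-server {
            10.60.0.5;  ## address taken from the posted config
        }
    }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample the profile reference resolves and LDAP has a server, so the only findings are the three clear-text services and the trust zone's `all`; feed it a config where `access profile TPAD` is missing or lacks `ldap-server` and the first check fires instead, which is the case the reply is probing for.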

