NSD1178 How to set Juniper SSL / VPN remote access... membership from ldap user database

NSD1178 How to set Juniper SSL / VPN remote access policies based on the group
membership from ldap user database
Fact
One Time Password Server
Juniper SA SSL/VPN
Situation
Setting Juniper SSL/VPN remote access policies based on the group membership from LDAP User
database with Nordic Edge One Time Password Server
Solution
Step 1. - Installing Nordic Edge plugin RADIUSAttributeGroupMembership
Copy the attached file RADIUSAttributeGroupMembership.class into the directory <OTPServer>/ext
Copy the attached file groupmembership.cfg into the directory <OTPServer>
Step 2. - Configuring OTPServer RADIUS Client
Select Radius & Client tab
Highlight Radius Client
Select “Edit Client”
Highlight User Database
Select Options
Select Add Option
Configure Radius Attribute as follows:
Select OK to save attribute value configuration.
Select OK to save Radius attribute configuration.
Step 3. - Configuring group membership filter
Choose user groups from LDAP user database.
As an example, the groups VPN-user, VPN-helpdesk, VPN-support and VPN-admins will be used.
Step 3.1 Modify groupmembership.cfg
For Microsoft Active Directory
Modify groupmembership.cfg:
GroupNameTag=Groupname:
Separator=,
GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
UserIDAttribute=samaccountname
GroupMemberAttribute=memberOf
For Novell eDirectory
Modify groupmembership.cfg:
GroupNameTag=Groupname:
Separator=,
GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
UserIDAttribute=CN
GroupMemberAttribute=groupmembership
Step 4. - Configuring Juniper SSL/VPN
Start Juniper Central Manager, select Users / User Roles and create roles matching the GroupsToCheck
list from groupmembership.cfg.
In this example four roles are created:
VPN-User, VPN-Helpdesk, VPN-Support and VPN-Admins
Select Users / Users Realms and open your Realm. In this example the Realm is called “User”.
On the General Page make sure the Directory / Attribute is set to “Same as above”.
Select the page “Role Mapping” and configure the Rule based on “User attribute”.
Select “Update”
In this example Role Mapping Rule for Role VPN-User is created as shown below:
Select the attribute “Class (25)”.
Choose “Is” and write the group name including the GroupNameTag from groupmembership.cfg,
i.e. “Groupname:VPN-user”
Assign rule to Role “VPN-User”
Save changes and repeat for all user groups in the GroupsToCheck list from groupmembership.cfg.
When completed, this example's configuration looks like the following:
The Juniper policies now match the user's group membership as set in the LDAP user database and
filtered by groupmembership.cfg.
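The following is an added example, not part of NSD1178 and not the Nordic Edge plugin's code. It models in Python what Steps 3 and 4 configure: the groupmembership.cfg keys from the article are parsed, the user's group-membership attribute (memberOf for Active Directory, groupmembership for eDirectory) is compared against GroupsToCheck, the matching groups are emitted as RADIUS Class (25) values prefixed with GroupNameTag, and the Juniper “Class Is Groupname:<group>” role-mapping rules from Step 4 are applied to those values. The sample LDAP entries, the directory lookup by UserIDAttribute, and the assumption that the membership attribute holds group DNs whose leading RDN is the group name are constructed for this example; the real plugin's matching behaviour is not described on the page.

```python
"""Model of the groupmembership.cfg -> RADIUS Class -> Juniper role flow (added example)."""
import re

# groupmembership.cfg for Active Directory, exactly as given in Step 3.1.
AD_CFG = """\
GroupNameTag=Groupname:
Separator=,
GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
UserIDAttribute=samaccountname
GroupMemberAttribute=memberOf
"""

# groupmembership.cfg for Novell eDirectory, exactly as given in Step 3.1.
EDIR_CFG = """\
GroupNameTag=Groupname:
Separator=,
GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
UserIDAttribute=CN
GroupMemberAttribute=groupmembership
"""

# Constructed sample LDAP entries (not from the article). Attribute names are
# stored lower-cased because LDAP attribute names are case-insensitive.
AD_DIRECTORY = [
    {"samaccountname": ["jdoe"],
     "memberof": ["CN=VPN-user,OU=Groups,DC=example,DC=com",
                  "CN=VPN-helpdesk,OU=Groups,DC=example,DC=com",
                  "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    {"samaccountname": ["nobody"], "memberof": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
]
EDIR_DIRECTORY = [
    {"cn": ["jdoe"], "groupmembership": ["cn=VPN-admins,ou=groups,o=example"]},
]

# Role-mapping rules built in Step 4: User attribute "Class" Is <value> -> Role.
ROLE_RULES = {
    "Groupname:VPN-user": "VPN-User",
    "Groupname:VPN-helpdesk": "VPN-Helpdesk",
    "Groupname:VPN-support": "VPN-Support",
    "Groupname:VPN-admins": "VPN-Admins",
}


def parse_cfg(text):
    """Parse key=value lines of groupmembership.cfg; blank and '#' lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def first_rdn_value(dn):
    """Leading RDN value of a DN: 'CN=VPN-user,OU=Groups,...' -> 'VPN-user' (escaped commas kept)."""
    m = re.match(r"\s*[^=]+=((?:\\.|[^,])*)", dn)
    return m.group(1).strip() if m else dn.strip()


def find_user(cfg, directory, userid):
    """Look the user up by the attribute named in UserIDAttribute (constructed directory)."""
    attr = cfg["UserIDAttribute"].lower()
    for entry in directory:
        if userid.lower() in (v.lower() for v in entry.get(attr, [])):
            return entry
    return None


def class_attributes(cfg, user):
    """RADIUS Class (25) values for a user, in GroupsToCheck order.
    Group names are compared case-insensitively (LDAP CN matching), but the emitted
    value keeps the GroupsToCheck spelling, since the Juniper 'Is' rule compares the
    whole string against 'Groupname:VPN-user' as written in Step 4."""
    tag, sep = cfg["GroupNameTag"], cfg["Separator"]
    wanted = [g.strip() for g in cfg["GroupsToCheck"].split(sep) if g.strip()]
    attr = cfg["GroupMemberAttribute"].lower()
    member_of = {first_rdn_value(dn).lower() for dn in (user or {}).get(attr, [])}
    return [tag + g for g in wanted if g.lower() in member_of]


def map_roles(class_values, rules=ROLE_RULES):
    """Apply the Step 4 rules: every Class value that 'Is' a rule value assigns its role."""
    return [rules[v] for v in class_values if v in rules]


if __name__ == "__main__":
    for label, cfg_text, directory in (("AD", AD_CFG, AD_DIRECTORY), ("eDir", EDIR_CFG, EDIR_DIRECTORY)):
        cfg = parse_cfg(cfg_text)
        user = find_user(cfg, directory, "jdoe")
        classes = class_attributes(cfg, user)
        print(label, "Class(25) =", classes, "-> roles", map_roles(classes))
```

A user who is in none of the GroupsToCheck groups (the constructed "nobody" entry) yields an empty Class list and therefore no role, which is the intended outcome of the Step 4 rules: only membership in one of the listed LDAP groups grants a VPN role.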