Juniper SRX VPN Profile

I am unable to fully establish a VPN connection between my Blackberry Passport (SQW100-1) using OS 10.3.2.2239 and my Juniper SRX210H using JUNOS Software Release 12.1X44-D45.2. Both Phase 1 and Phase 2 seem to complete and the Blackberry displays the green connected icon in the VPN Settings screen; however, I cannot pass traffic, and after the DPD timeout the gateway disconnects. Further investigation revealed that I am not getting a proper IP or subnet and also not getting the DNS information from the gateway. Also, on the SRX side, immediately after successfully completing the IPsec negotiation the SRX sends an ike_send_notify packet to the Blackberry which never seems to be received. It retransmits several times, but eventually times out. On the Blackberry I'm using the Juniper IPSec VPN (SRX Series) profile with XAUTH-PSK as the authentication type, and all of the settings match on both sides. I believe the issue is in the XAUTH communication, since that is the part that doesn't seem to be completing (no DNS or IP address). I was able to find a discussion regarding a change in JUNOS handling of XAUTH on another IPsec client mailing list. I'm wondering if Blackberry updated their VPN profile to conform to this change. Can anyone confirm that BB10 can establish a VPN to a Juniper SRX using a modern version of JUNOS?

Something interesting. I confirmed my tcp-mss setting on my Juniper SRX (software version 12.1x44D35.5) is at 1350 per recommendation.
I decided to test packet size: a ping from on-premises to an Azure VM with a packet size of 1400 succeeds. A ping of 1400 from Azure to on-premises fails. A packet size of 1399 succeeds from Azure to on-premises. Why would this be?
And is it the problem that is causing my intermittent connection issues?
Fred Zilz

Similar Messages

  • Cisco ACS 5.1 Tacacs with Juniper Srx 210

    Hi all,
    I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.
    Can anyone help me with how to add a Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 in Cisco ACS 5.1?

    Hello Pranav
    As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
    You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS what the TACACS (or RADIUS) attributes needed for that device are.
    This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which a JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
    If you don't know the attributes you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.
    Please rate if it helps. Kind regards

  • ASA and ACS 5 multiple VPN profiles for one user

    Hi there
    I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on the ASA; let me give an example:
    ACS 5.3 group hierarchy:
    - VPN users global
    -- VPN users A
    -- VPN users B
    ASA VPN profiles:
    - VPN profile A
    - VPN profile B
    - VPN profile Z
    VPN authorizations:
    1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no Class and no lock attributes, so the group is allowed for all VPN profiles)
    2. VPN users A should have access to VPN profile A (here we create an authorization profile with Class and lock attributes for profile A)
    3. VPN users B should have access to VPN profiles B and Z (is this possible, and how does the authorization profile have to look?)
    Thanks a lot in advance and best regards
    Dominic

    Hi Dominic,
    First of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
    The Tunnel-Group (TG) is either selected by the user (either from a drop-down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
    The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. RADIUS.
    So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from RADIUS (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
    In other words you cannot achieve your goal if the RADIUS server has a "static" set of attributes per user.
    However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
    vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
    vendor ID = 3076, attribute 150 is "Client Type" (integer)
    0 = No Client specified, 1 = Cisco VPN Client (IKEv1), 2 = AnyConnect Client SSL VPN, 3 = Clientless SSL VPN, 4 = Cut-Through-Proxy, 5 = L2TP/IPsec SSL VPN, 6 = AnyConnect Client IPsec VPN (IKEv2)
    So if you can configure the RADIUS server to "dynamically" permit/deny access based on the TG attribute, I suppose you could achieve what you want.
    If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
    hth
    Herbert
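    The following is an added example, not code from the thread or from Cisco, showing what the "dynamic" RADIUS decision Herbert describes looks like on the wire: it encodes and parses the two ASA vendor-specific attributes (vendor ID 3076, sub-attribute 146 "Tunnel Group Name", 150 "Client Type") inside an RFC 2865 Vendor-Specific (type 26) attribute, checks the reported tunnel-group against a per-group allow set, and answers with a Class (IETF attribute 25) and a group-lock that is set per request to the one TG the user picked, which is how "B and Z" becomes possible despite group-lock holding a single name. The user names, ACS group names, tunnel-group names, the "OU=<group-policy>;" Class format and the vendor sub-attribute number used for the group-lock (85) are assumptions for illustration and are not taken from the thread.

```python
# Added example (not from the thread): build and parse the ASA RADIUS vendor-specific
# attributes Herbert describes (vendor ID 3076, sub-attribute 146 Tunnel Group Name,
# 150 Client Type) and make a per-request permit/deny decision from them.
# User names, group names, the Class format and the group-lock VSA number are assumptions.
import struct

VSA = 26                     # RFC 2865 Vendor-Specific attribute type
IETF_CLASS = 25              # IETF Class attribute (the post: carries the group-policy)
CISCO_VENDOR_ID = 3076       # vendor ID the ASA uses (from the post)
ASA_TUNNEL_GROUP_NAME = 146  # string (from the post)
ASA_CLIENT_TYPE = 150        # integer (from the post)
ASA_TUNNEL_GROUP_LOCK = 85   # assumption: Cisco VSA number for the group-lock; not on the page
CLIENT_TYPES = {0: "No Client", 1: "Cisco VPN Client (IKEv1)", 2: "AnyConnect SSL VPN",
                3: "Clientless SSL VPN", 4: "Cut-Through-Proxy", 5: "L2TP/IPsec",
                6: "AnyConnect IPsec (IKEv2)"}

# Constructed policy mirroring Dominic's hierarchy: which tunnel-groups each ACS group may use.
GROUP_ALLOWED_TG = {"VPN users global": {"A", "B", "Z"},
                    "VPN users A": {"A"},
                    "VPN users B": {"B", "Z"}}
USER_GROUP = {"alice": "VPN users A", "bob": "VPN users B", "carol": "VPN users global"}


def encode_attr(atype, value):
    """Plain RFC 2865 TLV: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific TLV: Type 26, Length, Vendor-Id, Vendor-Type, Vendor-Length, Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VSA, struct.pack("!I", vendor_id) + sub)


def parse_attrs(data):
    """Walk a RADIUS attribute list; VSAs are expanded to (26, vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == VSA:
            if len(value) < 6:
                raise ValueError("short VSA")
            vendor_id, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((VSA, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((atype, value))
        i += alen
    return out


def access_request_attrs(username, tunnel_group, client_type):
    """Attributes an ASA 8.4.3+ sends (User-Name plus the two VSAs; password etc. omitted)."""
    return (encode_attr(1, username.encode()) +
            encode_vsa(CISCO_VENDOR_ID, ASA_TUNNEL_GROUP_NAME, tunnel_group.encode()) +
            encode_vsa(CISCO_VENDOR_ID, ASA_CLIENT_TYPE, struct.pack("!I", client_type)))


def authorize(attrs):
    """Per-request decision: accept only if the TG the ASA reports is in the user's allowed set.
    Returns ("Access-Accept", reply_attr_bytes, info) or ("Access-Reject", reason)."""
    user = tg = ctype = None
    for a in parse_attrs(attrs):
        if a[0] == 1:
            user = a[1].decode()
        elif a[0] == VSA and a[1] == CISCO_VENDOR_ID:
            if a[2] == ASA_TUNNEL_GROUP_NAME:
                tg = a[3].decode()
            elif a[2] == ASA_CLIENT_TYPE and len(a[3]) == 4:
                ctype = struct.unpack("!I", a[3])[0]
    group = USER_GROUP.get(user)
    if group is None:
        return ("Access-Reject", "unknown user")
    if tg is None:
        return ("Access-Reject", "no Tunnel Group Name VSA (ASA older than 8.4.3?)")
    if tg not in GROUP_ALLOWED_TG[group]:
        return ("Access-Reject", "tunnel-group %s not permitted for %s" % (tg, group))
    # Push the group-policy via Class and lock the session to the TG the user actually chose.
    # group-lock holds one name only, so "B or Z" works only because it is set per request.
    reply = (encode_attr(IETF_CLASS, ("OU=%s;" % tg).encode()) +
             encode_vsa(CISCO_VENDOR_ID, ASA_TUNNEL_GROUP_LOCK, tg.encode()))
    return ("Access-Accept", reply, {"tg": tg, "client": CLIENT_TYPES.get(ctype, "unknown")})


if __name__ == "__main__":
    for u, t in (("bob", "Z"), ("bob", "A"), ("alice", "A"), ("carol", "B")):
        print(u, t, authorize(access_request_attrs(u, t, 2))[0])
```

    Note that the decision is keyed on the tunnel-group name the ASA reports, so the parser rejects requests where that VSA is missing rather than falling back to a permissive default; an ASA older than 8.4.3 would simply never get an Accept from this policy.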

  • ASA 5510 VPN profiles question

    Hi!
    I wonder if it is possible to let users connect to our firewall with AnyConnect (vpn.customer.se) and get three profiles in the drop-down list to choose from: one each for economy, development and public. The three departments are located on different interfaces of the ASA. If they choose economy, they log in and get routed to the correct interface and network.
    Cheers

    Hi,
    This should be possible.
    For example, I have 2 VPN Profiles/Groups on my home ASA.
    Regarding getting the different groups to show in the drop-down menu of both the AnyConnect Client and the web login, I have enabled the following settings:
    webvpn
    tunnel-group-list enable
    tunnel-group VPN1 webvpn-attributes
    group-alias VPN1 enable
    tunnel-group VPN2 webvpn-attributes
    group-alias VPN2 enable
    Where
    VPN1 and VPN2 are examples of 2 different VPN Client profiles / Tunnel Groups.
    VPN1 and VPN2 under the "webvpn-attributes" could be something totally different.
    The name configured here will show up in the drop-down menu and can be different from the one configured as the name of the "tunnel-group".
    Examples screenshots of my browser and client login windows
    Web
    Client
    - Jouni

  • AnyConnect 3.1.01065 error - Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.

    I've got a user running:
    AnyConnect 3.1.01065
    on
    Windows 7 64bit.
    Several weeks ago she started encountering the following error:
    -after logging into Windows and launching the AnyConnect client, she enters her username and password and successfully authenticates.
    -the connection is not established and she's presented with the following message: "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
    After doing some troubleshooting, including uninstalling/reinstalling the AnyConnect client, it seems the culprit is the following file:
    C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<filename>.xml. When the problem occurs (which is not regularly, sometimes it occurs daily, sometimes just once a week) examining that file indicates it has no security or permissions set. Quitting the AnyConnect software, modifying the file so that the user has full control of it, then relaunching AnyConnect fixes the problem (until it happens again). Uninstalling, and making sure to move C:\ProgramData\Cisco to the trash, then reinstalling did not seem to help.
    The closest match in these forums is the following thread, https://supportforums.cisco.com/message/3760446 - though no clear resolution was given.
    Has anyone else encountered this, and been able to fix it?
    Thanks much.

    Just FYI, it seems at least in this case, purging all the previous system restore points seems to have resolved this issue...

  • Remove old VPN profiles installed via Config Utility?

    I've got an iPhone 4S running iOS 6. It has two VPN profiles that were created via Configuration Utility profiles. These two VPN profiles are no longer used, but I can't seem to find a way to remove them.
    In Settings -> VPN, if you tap the blue arrow next to the profiles themselves, the only option available is the "Connect On Demand" On/Off switch. There is no "Delete VPN" button.
    In Settings -> General -> Profiles, nothing is listed for me to remove.
    How can I delete these two unused profiles?

    Having same problems.
    There is no such setting as "Profile" in General, but the old profile is invisible. The Cisco AnyConnect app says there is no profile either.
    This "invisible" profile was installed on my old 3GS in order to block data transfer using 3G etc. Since the new iOS updates and then the iPhone 5 update, the "Profile" option in Settings has disappeared.
    But it's still somewhere and it's still blocking my data connection. It's weird. I don't know how to get rid of it.

  • Cisco APs get disconnected from cisco WLC after 30 min when connected on Juniper SRX

    Hi,
    I am connecting all my Cisco 1131AG APs via a Juniper SRX 240 box and the Cisco WLC is placed in the LAN.
    We are running LWAPP in layer 3 mode. The APs get disassociated from the WLC after 30 min.
    The setup is like:
    AP->AccessSwitch-->JuniperSRX(reth2.0)-->JuniperSRX(reth1.0)-->CoreSwitch-->CiscoWLC
    could anyone please help me to resolve this issue.

    Firmware for WLC is AIR-WLC4400-K9-4-2-99-0
    Firmware for AP is 12.4(10b)JA1
    The logs from the WLC during disconnection:
    Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
    1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
    2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
    3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout

  • Default VPN profile (multiple profiles)

    Hi,
    We have 2 VPN profiles on AnyConnect 3.1
    It seems that AnyConnect keep last used profile as default profile (after reboot for example)
    Is it possible to set a default VPN profile and keep it even if user connects to the other? 
    (because the default VPN profile is transparent connection for user)
    Thanks for your help,
    Patrick

    I've done a similar deployment where all authentication/authorization and accounting was pointed from ASA to ACS.
    There are multiple layers to your question. 
    First of all, you have ACS, hopefully 5.x which gives you a nice policy driven authentication and authorization schema. 
    1st layer - setup group-alias and group-urls for specific users on ASA. 
    2nd layer - on ACS, decide where those connections should be authenticated/authorized against (go to AD, RSA, local DB). The ASA passes the tunnel group name in authentication calls to ACS.
    3rd layer - group-lock feature ensures that user can only have access to resources if they are in a specific group. 

  • Can't delete VPN profiles

    I can't delete any VPN profile from my original ipad. I go to Settings> General>Networks>VPN, but there is no red Delete button at the bottom of the configuration window. A hard restart makes no difference. I'm running a fully updated original iPad. TIA for suggestions.

    I had the same problem with a VPN app that installed 50+ VPN configs. It seemed that the configs were registered but not the VPN profile such that the removal of the configs is virtually impossible.
    I tried the following with no success:
    - overwrite the VPN configs
    - reset Network Settings
    - reset All Settings
    - factory reset with backup restore (a factory reset without restoring the backup does work, but it was not a solution for me)
    Finally, I found a simple (not elegant) solution to get rid of the VPN configs:
    http://www.ibvpn.com/billing/knowledgebase/113/iOS-bug-fix.html
    Enjoy!

  • Cannot download BT VPN profile for IOS

    Hi there,
    I'm just posting to ask whether anybody else is experiencing the same problem as me and whether anybody has found any alternatives for getting around this problem. Basically, when I click on the link https://my.btopenzone.com/vpn/apple/iOS/BT_Wi-Fi_VPN_Profile.mobileconfig for the iOS BT VPN profile using Safari on my iPhone, it doesn't download and times out saying "Safari cannot open the page because it could not connect to the server." when connected to our internal network, and keeps on looping back to the session page when connected to a BT WiFi public network, with and without FON, i.e. after you have entered your login details into the BT Openzone login page. Can the VPN profile settings be entered manually? If so, please could you send them to me? I've got an iPhone 4 with iOS 6.1.3.
    Thanks,
    Paul 

    Hi rajinderpauluck,
    I think you need to connect to a BTWifi or BTWifi with Fon hotspot with the device you want to install the VPN profile onto.
    However, you don't log in; go straight to https://my.btopenzone.com/vpn/apple/iOS/BT_Wi-Fi_VPN_Profile.mobileconfig
    If you log in, I think it will keep directing you to the "You're now connected" page.
    Hope that helps,
    Cheers
    jac_95 | BT.com Help Site | BT Service Status

  • 2 interfaces 1 vpn profile

    Here is the problem:
    Users have 1 VPN profile, but need to be able to establish VPN connections on two different interfaces of an ASA (depending on whether they are internal or external at the time).
    The profile points to vpn.corp.com.
    Does anyone have a good solution to this problem?
    The obvious one is to have a DNS server return two different IP's for vpn.corp.com depending on which interface the user is on.
    Thanks in advance for replies.

    Here is the solution to the problem.
    So if you want to be able to use 1 profile in the Cisco IPsec client, or to use one standard URL to establish SSL VPN connections, REGARDLESS of the ASA interface involved, here is what you do:
    A service policy can be set up to rewrite DNS replies. So depending on what interface the client is using, the ASA will rewrite a DNS reply to point to the corresponding interface on the firewall.
    I used the alias command to do it.

  • Vpn profile connection

    I have some VPN profiles, of which one profile was updated and changed to a different address. Now there are some users who have not updated their VPN profile utility. Because of this, some users have a good connection using the old profile but some users face difficulty in connecting, so I want to know what could be the reason that some users are fine but some users are facing this problem. One more thing: the users who have updated do not have any issues.
    Please explain what the possible reason for this could be.

    Hi,
    Even if I try that, it does not work. I will explain a little bit more. I connect to my company with one of the profiles (x.x.com) and access some resources. The profile through which I connect was changed to a different address (from x.x.com to y.y.com), or DNS name you could say. So now if I connect through the old profile (x.x.com) I cannot access the resources, but my colleagues are able to access the resources when they connect through x.x.com, whereas I have to connect through y.y.com and only then can I access the resources. Can you explain why this is happening?

  • E71 - VPN - Cisco VPN Profile

    I got a Nokia E71 recently, I was able to successfully setup mail and the device is good.
    Now, I am trying to set up the VPN on the device to connect to my organization's network. I need help setting up the VPN.
    My organization uses Cisco VPN; I have installed the Cisco VPN client on my laptop and I can locate the VPN profile files [.pcf]. The pcf file is of the format given in the link: https://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/linux_solaris/use...
    I have installed  the Nokia Configuration Tool and the "Nokia Mobile VPN Client Policy Tool".
    I have read a bunch of PDF files about how to set it up, but I could not get the exact steps regarding this.
    Can someone please give me the exact steps I should follow to set up the VPN on the E71 using the VPN profile file?
    Appreciate your time and help.
    Thanks & Regards, Raja

    Hi,
    Apologies, I don't have an answer, but I am trying to achieve something similar and thought, as the topics were so close... I was looking at leveraging the Nokia VPN IPsec, but it appears to me that going down an SSL-VPN route would be easier for my company.
    Does anyone know if the E71 can support an SSL-VPN, or will I have to do IPsec?
    Thanks

  • Vpn profile missing

    We have some VPN profiles. Sometimes it happens that host name entries go missing. If possible, can you explain why this happens?

    We are running a mix of v4.8 and v5 and getting this exact issue. The host info is lost, the connection remains, and it is completely random. Replacing the pcf works. We have 3 connections that we use. The only consistent thing is that this is happening to one connection only.
    Also, this is happening all over; it's just so weird that hardly anyone reports it. See here:
    http://www.tek-tips.com/viewthread.cfm?qid=1450535&page=1

  • VPN Profile - specify port?

    Does anyone know of a way to add a port number to the Server Address when setting up a VPN Profile on BB10? Or suggest a workaround?
    example: 100.100.100.100:5000 or gw1.mycompany.com:5000
    I am using a VPN connection to a Generic IKEv2 Server which works without problem at present. If I add a port number as in the examples above to the server address in the VPN Profile, I get a Connection error / DNS failure on trying to connect.

    Just to clarify, the need to change the VPN port will be due to restrictions in a firewall.
