Juniper 5GT firewall: VPN dialup with LDAP authentication

Hi,

Currently, our VPN users have to authenticate first with the Juniper using a VPN user created on the Juniper. After that, they need to authenticate with their Win2k3 domain login to open Outlook (Exchange), shares, ...
The client software is NetScreen.

Is it possible, and safe, to configure the Juniper 5GT with LDAP authentication so that our VPN users can immediately log in to the domain with their domain credentials and access Exchange, shares, ... without further logins?

thx

Kozzn asked:

John, Business Consultant (Owner), commented:
I would say no. Why? Any access point is a possible point of entry (VPN notwithstanding). If that happens, the person with access now has to get to the servers and shares. I do not recommend combining the logins.

What I do for my clients is automate the login to VPN on client-owned machines. So the user connects to VPN automatically, and then has to authenticate to the server/shares.

If the laptop is lost (rare), I just disable the VPN. So far my clients have not been compromised, although I readily admit your VPN authentication approach is even more secure.  ... Thinkpads_User

Kozzn (author) commented:
Thx for info,

But if I use LDAP or RADIUS authentication on the firewall, are these authentication protocols just a way to authenticate the users and that's it? Or is there a possibility that with these protocols they effectively authenticate themselves on the domain and get the domain rights configured on their AD Users and Computers member account?

thx
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
LDAP auth is just used to get into the VPN. There is no automatic authentication of all actions against the AD; that always happens with the Windows user, which is not changed by logging in via VPN.
Kozzn (author) commented:
So, the only way for automatic authentication of all actions against the AD is to make a VPN PPTP connection to a Routing and Remote Access VPN server on the domain, over port 1723 of the firewall?

Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
No. That is just the same as with IPSec and LDAP authentication. The Windows user still is the local one, it's not the PPTP user.
Kozzn (author) commented:
Ok,
I thought there was no difference in the rights you get when you make a remote VPN PPTP connection with your domain credentials to an RRAS server, and when you log in with your domain user on a domain PC with your domain credentials?
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Those are completely different. With RRAS (and LDAP auth) you need Dial-in privs. For using the domain, you need domain privs. Both privs can be defined on the same object (user), but one is not depending on the other.
Kozzn (author) commented:
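To make the separation described in the answer above concrete, here is an added PowerShell example (not from the original thread, and not Juniper or Microsoft code) that reads both settings off a single AD user object: the Dial-in permission that RRAS evaluates (stored in the msNPAllowDialin attribute behind the "Allow access" / "Deny access" radio buttons) and the group memberships that file-server and Exchange ACLs evaluate once the user's Windows session has authenticated. It assumes the ActiveDirectory RSAT module is installed; the user `jdoe` and the group `Share-Finance` are hypothetical names.

```powershell
# Added example: show that RRAS dial-in permission and domain resource rights
# are independent settings on the same AD user object.
# Assumes the ActiveDirectory module (RSAT) is installed.
# User and group names used below are hypothetical.
Import-Module ActiveDirectory

function Get-RemoteAccessSplit {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ShareGroup   # group that grants access to the share in question
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, MemberOf

    # msNPAllowDialin: $true = "Allow access", $false = "Deny access",
    # unset ($null) = "Control access through NPS Network Policy".
    # This is the only thing RRAS/NPS consults for the dial-in decision.
    if ($user.msNPAllowDialin -eq $true) {
        $dialIn = 'Allow'
    } elseif ($user.msNPAllowDialin -eq $false) {
        $dialIn = 'Deny'
    } else {
        $dialIn = 'Policy-controlled'
    }

    # Group membership is what the share or mailbox ACL evaluates after the
    # Windows logon; the VPN gateway never looks at it.
    $groupDN = (Get-ADGroup -Identity $ShareGroup).DistinguishedName
    $inShareGroup = [bool]($user.MemberOf -contains $groupDN)

    [pscustomobject]@{
        User          = $user.SamAccountName
        DialInSetting = $dialIn          # gates the VPN / RRAS connection only
        InShareGroup  = $inShareGroup    # gates the share, independently of the above
    }
}

# Usage with hypothetical names: a user can be "Allow" for dial-in yet not be
# in the share group, or in the group yet "Deny" for dial-in.
Get-RemoteAccessSplit -SamAccountName 'jdoe' -ShareGroup 'Share-Finance' | Format-List
```

Flipping either value (`Set-ADUser jdoe -Replace @{msNPAllowDialin=$true}` versus `Add-ADGroupMember Share-Finance jdoe`) changes only its own column in the output, which is the point of the answer: the VPN admission check and the domain rights are two separate privileges that happen to live on the same object.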
Thx for info
John, Business Consultant (Owner), commented:
Thank you. I was pleased to assist. ... Thinkpads_User