Juniper 5GT firewall: VPN dialup with LDAP authentication

Hi,

Currently, our VPN users have to authenticate first with the Juniper, using a VPN user created on the Juniper. After that, they need to authenticate with their Win2k3 domain login to open Outlook (Exchange), shares, ...
The client software is NetScreen.

Is it possible, and safe, to configure the Juniper 5GT with LDAP authentication so that our VPN users can immediately log in to the domain with their domain credentials and access Exchange, shares, ... without further logins?

thx

Kozzn Asked:

John, Business Consultant (Owner), Commented:
I would say no. Why? Any access point is a possible point of entry (VPN notwithstanding). If that happens, the person with access now has to get to the servers and shares. I do not recommend combining the logins.

What I do for my clients is automate the login to VPN on client-owned machines. So the user connects to VPN automatically, and then has to authenticate to the server/shares.

If the laptop is lost (rare), I just disable the VPN. So far my clients have not been compromised, although I readily admit your VPN authentication approach is even more secure.  ... Thinkpads_User
0
 
Kozzn (Author) Commented:
Thx for info,

But if I use LDAP or RADIUS authentication on the firewall, are these authentication protocols just a way to authenticate the users and that's it? Or is there a possibility that with these protocols they effectively authenticate themselves on the domain and get the domain rights configured in their AD Users and Computers account?

thx
0
 
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
LDAP auth is just used to get into the VPN. There is no automatic authentication of all actions against the AD; that always happens with the Windows user, which is not changed by logging in via VPN.
0
 
Kozzn (Author) Commented:
So, the only way for automatic authentication of all actions against the AD is to make a VPN PPTP connection to a Routing and Remote Access VPN server on the domain, over port 1723 of the firewall?

0
 
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
No. That is just the same as with IPSec and LDAP authentication. The Windows user is still the local one; it's not the PPTP user.
0
 
Kozzn (Author) Commented:
Ok,
I thought there was no difference in the rights you get when you make a remote VPN PPTP connection with your domain credentials to an RRAS server, compared to when you log in with your domain user on a domain PC with your domain credentials?
0
 
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
Those are completely different. With RRAS (and LDAP auth) you need dial-in privs. For using the domain, you need domain privs. Both privs can be defined on the same object (user), but one does not depend on the other.
0
 
Kozzn (Author) Commented:
Thx for info
0
 
John, Business Consultant (Owner), Commented:
Thank you. I was pleased to assist. ... Thinkpads_User
0
Question has a verified solution.