Hi All ! I`m trying to made a web portal auth with LDAP integration on SRX 100.
Here is the config: ## Last changed: 2014-03-11 05:44:05 UTC version 11.2R4.3; system { host-name test-srx100.adm.n.tp.ru; root-authentication { encrypted-password "$1$yo2A3wox$K/.Epl658XW1r4Z9BgDWm0"; ## SECRET-DATA } name-server { 10.60.0.5; 8.8.8.8; } services { ssh; telnet; xnm-clear-text; web-management { http; } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } processes { general-authentication-service { traceoptions { file auth-debug; flag all; } } } } interfaces { fe-0/0/0 { unit 0; } fe-0/0/1 { vlan-tagging; unit 101 { description Users; vlan-id 101; family inet { address 10.60.0.200/24; } } unit 105 { description Management; vlan-id 105; family inet { address 172.20.0.200/24; } } } fe-0/0/2 { unit 0; } fe-0/0/3 { unit 0; } fe-0/0/4 { unit 0; } fe-0/0/5 { unit 0; } fe-0/0/6 { unit 0; } fe-0/0/7 { unit 0 { description ISP1; family inet { address 46.250.34.22/24; } } } vlan { unit 0; } } routing-options { static { route 0.0.0.0/0 next-hop 46.250.34.1; route 10.60.0.0/21 next-hop 10.60.0.1; route 172.20.0.0/24 next-hop 172.20.0.1; } } protocols { stp; } security { screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit { firewall-authentication { pass-through { access-profile TPAD; web-redirect; } } } } } } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { fe-0/0/1.101; fe-0/0/1.105; } } security-zone untrust { screen untrust-screen; host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { dhcp; tftp; } } } fe-0/0/7.0; } } } } access { profile TPAD { authentication-order ldap; ldap-options { base-distinguished-name dc=tp,dc=ru; search { search-filter sAMAccountName=; admin-search { distinguished-name cn=junos,ou=users,dc=tp,dc=ru; password "$9$NOdY4jHmfQFDjApuOREwY2oDi"; ## SECRET-DATA } } } ldap-server { 10.60.0.5; } } firewall-authentication { pass-through { default-profile TPAD; } web-authentication { default-profile TPAD; } } } vlans { vlan-trust { vlan-id 3; } } and thus far i only managed to made web portal show me the web page. But all my tries to made LDAP work failed. It always said: incorrect password, also if i use monitor trafic command, i saw only uskess packets and no packets addressed to the LDAP server. Any traceoptions find no clue, it looks like srx don`t want to try to send requests to LDAP. Any clues? thx _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp