Re: [j-nsp] SRX Dynamic VPN and LDAP (AD).
We have it working, but we still have to add the local user, and it must match, case-sensitively, the name in AD. We tried everything to get it working without this, then just gave in, as there are not that many new users at the company we did it for.

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Yuriy B. Borysov
Sent: 25 August 2015 09:54
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] SRX Dynamic VPN and LDAP (AD).

Hello!

I want to set up Dynamic VPN to work with Active Directory on my SRX. But all the manuals specify adding the password locally via

    set access profile Prof_Name client Cust_Name firewall-user password

Is it possible to get all the information from AD and not create a local user?

Thanks!

--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
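For readers who want to see what the thread is talking about, below is a configuration sketch of an SRX Dynamic VPN access profile that authenticates against AD over LDAP. It is an added example, not something posted in the thread or taken from the Juniper KB, and every name in it is assumed: the profile `dyn-vpn-ldap`, the domain controller 192.0.2.10, the domain example.com, the bind account `svc-srx-ldap`, the address pool, the IPsec VPN `dyn-vpn` (whose IKE/IPsec definitions are omitted), and the user `jdoe`. The `clients all user` line is the per-user local entry the reply above says is still required; as I read the thread, that is the line that has to match the AD account name exactly.

```junos
## Added example (not from the thread or the Juniper KB). Assumed names:
## profile dyn-vpn-ldap, DC 192.0.2.10, domain example.com, bind account
## svc-srx-ldap, VPN user jdoe, protected range 10.0.0.0/8, IPsec VPN dyn-vpn
## (its IKE/IPsec gateway and policy configuration is not shown here).

## Access profile: authenticate against AD over LDAP instead of a local
## "firewall-user password". The SRX binds with a dedicated account, looks the
## user up by sAMAccountName under the base DN, then binds as that user.
set access profile dyn-vpn-ldap authentication-order ldap
set access profile dyn-vpn-ldap ldap-options base-distinguished-name "CN=Users,DC=example,DC=com"
set access profile dyn-vpn-ldap ldap-options search search-filter sAMAccountName=
set access profile dyn-vpn-ldap ldap-options search admin-search distinguished-name "CN=svc-srx-ldap,CN=Users,DC=example,DC=com"
set access profile dyn-vpn-ldap ldap-options search admin-search password "<bind-password>"
set access profile dyn-vpn-ldap ldap-server 192.0.2.10

## Client address pool handed out to connected VPN users (assumed range).
set access address-assignment pool dyn-vpn-pool family inet network 10.10.10.0/24
set access profile dyn-vpn-ldap address-assignment pool dyn-vpn-pool

## Dynamic VPN logins go through web-authentication; point its default profile
## at the LDAP-backed profile.
set access firewall-authentication web-authentication default-profile dyn-vpn-ldap

## Dynamic VPN client group. The "user" entry is the local per-user line the
## thread says is still needed; spell it exactly as the sAMAccountName in AD.
set security dynamic-vpn access-profile dyn-vpn-ldap
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user jdoe
```

Two practitioner caveats. First, the `admin-search` bind account needs only read access to the user container; do not reuse an administrative account, because its password ends up in the SRX configuration, and the `$9$` form Junos stores it in is obfuscation rather than encryption, so configuration backups must be handled as secrets. Second, because the `user` list is what the thread's first reply found it could not eliminate, keep that list in whatever process deprovisions AD accounts: an account disabled in AD will fail the LDAP bind, but a stale entry here is still a standing mapping worth cleaning up.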
Re: [j-nsp] Radius Accounting in Juniper Steel Belted Radius with Cisco IOS devices
Hi Arun,

It's been a while since I last touched SBR, but you can certainly configure SBR to store accounting records in an external database such as SQL. After that, making a nice GUI that lets you filter or aggregate the data shouldn't be a problem.

Regards,
Wojciech

2015-08-25 11:51 GMT+02:00 Arun Kumar:
> Hi All,
>
> I am evaluating Juniper SBR as an AAA server. Most of the devices in our
> network are Cisco. I have completed the Authentication and Authorization parts of SBR
> but am stuck on the Accounting part.
>
> The requirement is to have a GUI in SBR to view 'accounting' logs per device,
> but in SBR all the accounting logs are stored in a Notepad text file, date-wise
> and not device-wise.
>
> a. Would there be an option of providing a per-device view of the accounting logs
> in the GUI?
> b. Use of 3rd party tools to achieve this.
>
> Thanks in advance,
> Arun
Re: [j-nsp] punting base address packets to RE
If I recall correctly, the base address of a subnet was originally used as an alternative broadcast address by some ancient equipment. While it's not a behavior I'd expect to see actively used in modern equipment, seeing it handled as a special case by a receiver doesn't surprise me.

Based on this, it looks like it's handled as a directed broadcast:
https://www.juniper.net/techpubs/en_US/junose10.3/information-products/topic-collections/swconfig-ip-ipv6/id-25742.html

Frank Sweetser fs at wpi.edu        | For every problem, there is a solution that
Manager of Network Operations       | is simple, elegant, and wrong.
Worcester Polytechnic Institute     |    - HL Mencken

On 08/25/2015 05:45 AM, Saku Ytti wrote:
> On (2015-08-24 18:38 +), Michael Hare wrote:
>
>> Hey,
>>
>> Sorry if this is remedial, but are packets sent to the base address of a
>> directly connected subnet always punted to the RE, and if so, why? Historic
>> compatibility? I couldn't determine any bucket under the ddos-protection
>> protocol statistics that such traffic ends up in, either. I haven't seen any
>> negative side effects of this, only noticing it after I followed up on a
>> high pps drop rate for one of our routing engines. This seems to happen
>> regardless of what I have 'targeted-broadcast' configured with [absent,
>> forward-only].
>
> Terrific question. I don't know; I don't think there is any real reason why
> those need to be punted. It's probably something people have done in their IP
> implementation and it has just carried over, in fear that changing the
> behaviour might break something, and almost certainly someone now relies on
> this behaviour for whatever strange reasons.
>
> Pretty sure you'll see them in ddos-protection in whatever protocol the
> traffic is; ddos-protection would not care about your DADDR, because the
> decision to punt was made before ddos-protection got the frame.
>
>> For what it's worth, the above is an MX104, but I also see this on other MX
>> MPC hardware.
[j-nsp] Radius Accounting in Juniper Steel Belted Radius with Cisco IOS devices
Hi All,

I am evaluating Juniper SBR as an AAA server. Most of the devices in our network are Cisco. I have completed the Authentication and Authorization parts of SBR but am stuck on the Accounting part.

The requirement is to have a GUI in SBR to view 'accounting' logs per device, but in SBR all the accounting logs are stored in a Notepad text file, date-wise and not device-wise.

a. Would there be an option of providing a per-device view of the accounting logs in the GUI?
b. Use of 3rd party tools to achieve this.

Thanks in advance,
Arun
Re: [j-nsp] punting base address packets to RE
On (2015-08-24 18:38 +), Michael Hare wrote:

> Hey,
>
> Sorry if this is remedial, but are packets sent to the base address of a
> directly connected subnet always punted to the RE, and if so, why? Historic
> compatibility? I couldn't determine any bucket under the ddos-protection
> protocol statistics that such traffic ends up in, either. I haven't seen any
> negative side effects of this, only noticing it after I followed up on a
> high pps drop rate for one of our routing engines. This seems to happen
> regardless of what I have 'targeted-broadcast' configured with [absent,
> forward-only].

Terrific question. I don't know; I don't think there is any real reason why those need to be punted. It's probably something people have done in their IP implementation and it has just carried over, in fear that changing the behaviour might break something, and almost certainly someone now relies on this behaviour for whatever strange reasons.

Pretty sure you'll see them in ddos-protection in whatever protocol the traffic is; ddos-protection would not care about your DADDR, because the decision to punt was made before ddos-protection got the frame.

> For what it's worth, the above is an MX104, but I also see this on other MX
> MPC hardware.

--
++ytti
Re: [j-nsp] SRX Dynamic VPN and LDAP (AD).
Have you tried this?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21978

Wayne

On 25 August 2015 at 09:54, Yuriy B. Borysov wrote:
> Hello!
>
> I want to set up Dynamic VPN to work with Active Directory on my
> SRX. But all the manuals specify adding the password locally via
>
>     set access profile Prof_Name client Cust_Name firewall-user password
>
> Is it possible to get all the information from AD and not create a
> local user?
>
> Thanks!
>
> --
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
[j-nsp] SRX Dynamic VPN and LDAP (AD).
Hello!

I want to set up Dynamic VPN to work with Active Directory on my SRX. But all the manuals specify adding the password locally via

    set access profile Prof_Name client Cust_Name firewall-user password

Is it possible to get all the information from AD and not create a local user?

Thanks!

--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE