I am running a Juniper SA4500 6.5R2
I have an RSA server for authentication and AD (nothing much setup yet)
My ideal solution is to have users in AD groups and when they VPN they get assigned a range of IP's relevant to their AD group membership
Do I have all I need to make this solution happen, I am used to Cisco and getting used to the difference in the Juniper box.
I was experiementing with different urls going to different ip ranges, but would rather have a slicker solution with Radius / AD groups etc.
Any help appreciated.
You want to create Network Connect roles for each range you wish to assign, and then create NC connection profiles and assign them to the roles. The use role mapping at the realm level to assign users to roles based on the AD group to which they belong.
Great thanks I will look into that later - I also need to tie in RSA as well.
One more quesion?
Under Role Mapping how do I specify and AD Group attribute?
If you are using AD as your authorization server you can only map against the group itself, not against any AD attributes. If you switch to LDAP against your AD for authorization you have the ability to use your various AD attributes for role assigment. AD for authorization is fine if all y ou want is groups for mapping - not good for any real granular role mapping definitions. LDAP is much, much better.
If i understand you right, you use
RSA Token Number
Your goal is to use AD Groups to give IPs to the Users according to their membership in one of these AD groups.
I use IAS Radiusserver for Authentication of AD Users.
In RAS Policies of IAS Server you can define easily Windowsgroup as a condition which has to match.
When for example RAS Policy 1 (User must be member of Windows Group "VPN-1") matches, in that RAS Policy under "Profile"... "Advanced" you can define Radius Returning Attribute "Class (25)" with a value like "VPN-1"
Then, on IVE Realm Level, Rolemapping, you can use user attributes (what are in this case the radius returning attributes) to map the user to a IVE Role like "VPN-1 Role".
If User attribute Class (25) has value "VPN-1" then map the user to IVE Role "VPN-1".
And on Resource Policies on IVE...Network Connect... Profiles you can configure mapping of an IP-Network to the IVE User Role "VPN-1".
I think «this is the most stable and even easy to configure and maintain solution for your scenario.