{"id":331,"date":"2007-11-11T02:31:39","date_gmt":"2007-11-11T00:31:39","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2007\/11\/11\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\/"},"modified":"2007-11-11T02:31:39","modified_gmt":"2007-11-11T00:31:39","slug":"using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2007\/11\/11\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\/","title":{"rendered":"Using Active Directory and IAS based Radius for Netscreen WebAuth authentication"},"content":{"rendered":"<div class=\"ExternalClass452A2178C5A9443ABB01A8F4BAB7E756\">\n<p>Like most of the bigger players in the firewall market, Juniper\/Netscreen ScreenOS based firewalls allow you to use\/enforce\/require authentication for various purposes :<\/p>\n<ul>\n<li>Admin login<\/li>\n<li>Client VPN<\/li>\n<li>Authentication to open a specific rule on the firewall<\/li>\n<\/ul>\n<p>In a default configuration, ScreenOS uses a local user account database for all types of authentication listed above. In many real life environments, administrators want to use their existing Active Directory infrastructure as the back-end authentication database, and use additional features such as Active Directory group membership to be more specific in terms of allowing access. ScreenOS offers 2 ways of accomplishing this : using ldap or using radius. In fact, when appliances allow external authentication at all, in most cases this happens through ldap and\/or radius. But not all implementations are the same and\/or offer similar functionality. For example : Nortel Contivity ldap allows you to specify an Active Directory bind account. This allows the device to read AD, read object attributes, and use those attributes to assign fixed IP addresses and so on. 
Although using ldap to query group membership may seem trivial, in a lot of appliances this simple feature is not available or does not work very well. When it comes down to Netscreen, I have found that using ldap is not the way to go. You can use ldap for authentication, but you won't be able to implement granularity in terms of AD groups and set specific policies based on AD group membership. However, Radius will do just fine, and the nice thing is : you can easily turn your Windows DC into a Radius server.<\/p>\n<p>Before explaining how you can set this up, let's define what we want to accomplish :<\/p>\n<ol>\n<li>Allow end-users to activate a firewall policy by authenticating to the netscreen firewall, using their AD username and password<\/li>\n<li>Allow administrators to specify who can authenticate to the firewall<\/li>\n<li>Allow administrators to create firewall policies and assign one or more AD groups to those policies, so only members of those groups will be able to activate that specific rule (or set of rules)<\/li>\n<\/ol>\n<p>One more note before getting started : Juniper supports different Account types : Admin, Auth, XAuth, L2TP and 802.1x. Each of those types has specific features, so it is important to understand their use and limitations :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive110.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"186\" alt=\"111107_1019_UsingActive1\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive1-thumb1.png\" width=\"560\"><\/a><\/p>\n<p>Since we want to use User Groups, we'll need to use either local users or Radius. How will the Juniper know which AD Group was used ? We'll tell the Radius server to pass back the name of the group to the Juniper firewall, and we'll define an \"external group\" on the Juniper with exactly the same name. 
That External Group can be used in your policy, and Radius will take care of authentication.<\/p>\n<p>This configuration guide is based on the following setup :<\/p>\n<ol>\n<li>The management IP address on the LAN interface of the Juniper firewall is 1.1.1.2. The LAN interface IP of the firewall is 1.1.1.1<\/li>\n<li>We'll enable Web Authentication on ethernet0\/0 (LAN), on virtual IP 1.1.1.3, using SSL<\/li>\n<li>The shared secret between the Firewall and the Radius server is <span style=\"font-family: courier new\"><span style=\"font-size: 9pt\">ThisIsATest<\/span> <\/span>(This is a really bad shared secret. You should choose a longer and more complex shared secret in real life. Use at least 16 characters !)<\/li>\n<li>The Active Directory IAS server runs on 1.1.1.10<\/li>\n<li>The Active Directory Group that will be used is called \"Remote Access Users\". My domain is called \"CORELAN\", so the group in IAS will be \"CORELAN\\Remote Access Users\"<\/li>\n<li>\n<div>Put your AD users in the AD group<\/div>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive2.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"192\" alt=\"111107_1019_UsingActive2\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive2-thumb.png\" width=\"433\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<\/li>\n<\/ol>\n<h4>First, install IAS on a Windows Server :<\/h4>\n<p>Click on <strong>Start<\/strong>, go to <strong>Settings<\/strong> and open <strong>Control Panel<\/strong><br \/>\nOpen <strong>Add or Remove Programs<\/strong><br \/>\nClick <strong>Add\/Remove Windows Components<\/strong><br \/>\nSelect <strong>Networking Services<\/strong> and click <strong>Details<\/strong><br \/>\nEnable <strong>Internet Authentication Service<\/strong><br \/>\nClick <strong>OK<\/strong> and then <strong>Next<\/strong> to install IAS<\/p>\n<h4>Next, configure IAS to work with 
Netscreen<\/h4>\n<p>Click <strong>Start<\/strong>, go to <strong>Programs<\/strong>, <strong>Administrative Tools<\/strong> and click <strong>Internet Authentication Service<\/strong><br \/>\nThis will launch the IAS MMC :<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive3.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"184\" alt=\"111107_1019_UsingActive3\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive3-thumb.png\" width=\"282\"><\/a><br \/>\nFirst, we need to set the Radius Authentication and Radius Accounting ports to the same ports that will be used by the Netscreen device. Right click on \"<strong>Internet Authentication Server (Local)<\/strong>\" and choose <strong>Properties<\/strong><br \/>\nSet a Server description in the \"<strong>General<\/strong>\" section.<br \/>\nOpen the \"<strong>Ports<\/strong>\" tab<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive4.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"112\" alt=\"111107_1019_UsingActive4\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive4-thumb.png\" width=\"293\"><\/a><br \/>\nRemove 1812 from Authentication and 1813 from Accounting. 
You should only have ports 1645 and 1646 configured :<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive5.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"108\" alt=\"111107_1019_UsingActive5\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive5-thumb.png\" width=\"300\"><\/a><br \/>\nClick <strong>\"OK\"<\/strong> to save the changes<br \/>\nClick <strong>\"OK\"<\/strong> to accept restarting the service<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive6.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"77\" alt=\"111107_1019_UsingActive6\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive6-thumb.png\" width=\"311\"><\/a><\/p>\n<h4>Define a Radius client<\/h4>\n<p>Right click on <strong>RADIUS Clients<\/strong> and choose \"<strong>New RADIUS Client<\/strong>\"<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive7.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"213\" alt=\"111107_1019_UsingActive7\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive7-thumb.png\" width=\"322\"><\/a><\/p>\n<p>Set a friendly name and fill out the IP address that the Juniper will use to connect to the Radius server. 
In my example, this will be the management IP address on the LAN side, but you can use a sniffer on the IAS server to find out which IP address will be used.<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive8.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"160\" alt=\"111107_1019_UsingActive8\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive8-thumb.png\" width=\"337\"><\/a><br \/>\nClick <strong>Next<\/strong> to continue<\/p>\n<p>Select \"RADIUS Standard\" as Client-Vendor, and set the Shared Secret<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive9.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"187\" alt=\"111107_1019_UsingActive9\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive9-thumb.png\" width=\"350\"><\/a><br \/>\nClick <strong>Finish<\/strong> to complete the creation of a Radius Client<\/p>\n<h4>Clean up default IAS policies<\/h4>\n<p>Before creating a new Remote Access Policy on the IAS server, we'll clean up some of the default settings.<br \/>\nOpen \"Remote Access Policies\" and remove all existing (default) policies.<br \/>\nNote : do <strong>not<\/strong> remove the default \"Use Windows authentication for all users\" under \"Connection Request Processing \u2013 Connection Request Policies\" !<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive10.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"152\" alt=\"111107_1019_UsingActive10\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive10-thumb.png\" width=\"361\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<h4>Create a new IAS Remote Access Policy<\/h4>\n<p>Right Click \"Remote Access Policies\" and 
choose \"New Remote Access Policy\"<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive11.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"245\" alt=\"111107_1019_UsingActive11\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive11-thumb.png\" width=\"257\"><\/a><br \/>\nClick \"<strong>Next<\/strong>\" at the welcome screen<br \/>\nSelect \"<strong>Set up a custom policy<\/strong>\" and provide a detailed description :<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive12.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"242\" alt=\"111107_1019_UsingActive12\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive12-thumb.png\" width=\"379\"><\/a><br \/>\nClick <strong>next<\/strong> to continue.<br \/>\nIn the Policy Conditions window, click \"<strong>Add<\/strong>\"<br \/>\nSelect \"<strong>Windows-Groups<\/strong>\" and click \"<strong>Add<\/strong>\"<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive13.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"309\" alt=\"111107_1019_UsingActive13\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive13-thumb.png\" width=\"373\"><\/a><\/p>\n<p>Click \"<strong>Add<\/strong>\" to add your Active Directory domain group. This will ensure that authentication will only be allowed for members of that group.<br \/>\n<em>Note : If you specify multiple groups, then users need to be part of ALL of those groups before a successful authentication will occur, so pay attention to this when you set up your Radius policies. 
(So you'll need multiple policies if you want to allow Radius authentication for multiple groups that are not linked to each other)<br \/>\n<\/em>Select the AD Group<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive14.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"289\" alt=\"111107_1019_UsingActive14\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive14-thumb.png\" width=\"388\"><\/a><br \/>\nClick <strong>OK<\/strong> to go back to the Policy Conditions window.<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive15.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"191\" alt=\"111107_1019_UsingActive15\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive15-thumb.png\" width=\"403\"><\/a><br \/>\nClick <strong>Next<\/strong> to continue.<br \/>\nSelect \"Grant Remote access permissions\" and click \"Next\" to continue<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive16.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"149\" alt=\"111107_1019_UsingActive16\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive16-thumb.png\" width=\"421\"><\/a><br \/>\nWe'll make the necessary changes to the profile in just a while, so click <strong>Next<\/strong> to continue at the \"Profile\" window<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive17.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"183\" alt=\"111107_1019_UsingActive17\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive17-thumb.png\" width=\"392\"><\/a><\/p>\n<p><a 
href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive18.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"331\" alt=\"111107_1019_UsingActive18\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive18-thumb.png\" width=\"383\"><\/a><br \/>\nClick <strong>Finish<\/strong> to complete the creation of the first part of the policy<\/p>\n<h4>Edit the IAS Remote Access Policy to support Netscreen and pass back the name of the AD Group to the Juniper firewall<\/h4>\n<p>Select the newly created RAS policy, right click and choose <strong>properties<\/strong><br \/>\nClick <strong>Edit Profile<\/strong><br \/>\nGo to the <strong>Authentication tab<\/strong> and make sure only CHAP and PAP\/SPAP are selected :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive19.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"258\" alt=\"111107_1019_UsingActive19\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive19-thumb.png\" width=\"347\"><\/a><\/p>\n<p>Go to the <strong>Encryption tab<\/strong> and make sure \"<strong>No Encryption<\/strong>\" is enabled<\/p>\n<p>Go to the <strong>Advanced tab<\/strong> and remove the default Attributes Service-Type and Framed-Protocol<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive20.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"199\" alt=\"111107_1019_UsingActive20\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive20-thumb.png\" width=\"379\"><\/a><br \/>\nClick \"<strong>Add<\/strong>\" to add a new attribute<br \/>\nSelect \"<strong>Vendor-Specific<\/strong>\" and click <strong>Add<\/strong><br \/>\n<a 
href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive21.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"239\" alt=\"111107_1019_UsingActive21\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive21-thumb.png\" width=\"397\"><\/a><\/p>\n<p>In the <strong>Multivalued Attribute Information<\/strong> window, click \"Add\" to add a new attribute<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive22.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"264\" alt=\"111107_1019_UsingActive22\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive22-thumb.png\" width=\"358\"><\/a><\/p>\n<p>Set Vendor Code to <strong>3224<\/strong> and select \"<strong>Yes. It conforms.<\/strong>\"<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive23.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"316\" alt=\"111107_1019_UsingActive23\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive23-thumb.png\" width=\"376\"><\/a><br \/>\nClick \"<strong>Configure Attribute<\/strong>\"<\/p>\n<p>Set the <strong>Vendor-assigned attribute number<\/strong> to <strong>3<\/strong>. Attribute format is <strong>string<\/strong>. Under <strong>Attribute value<\/strong>, type the name of the group that you want to pass back to the Juniper firewall upon successful authentication. Pay attention to the exact spelling of this name, because we'll need to use the same string on the Juniper firewall later on (it is case sensitive). 
Note : this string does not need to match the name of the AD group, but whatever you specify here will need to match the name of the group that we'll use on the Juniper (see below)<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive24.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"273\" alt=\"111107_1019_UsingActive24\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive24-thumb.png\" width=\"394\"><\/a><br \/>\nClick <strong>OK<\/strong> to save this new attribute<br \/>\nYou can add more attributes, depending on your need. Juniper supports the following vendor-assigned attributes that can be passed back from a Radius server to a Netscreen device :<\/p>\n<div>\n<table style=\"border-collapse: collapse\" border=\"0\">\n<colgroup>\n<col style=\"width: 37px\">\n<col style=\"width: 142px\">\n<col style=\"width: 85px\">\n<col style=\"width: 372px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr style=\"background: #4f81bd\">\n<td style=\"border-right: medium none; padding-right: 7px; border-top: #7ba0cd 1pt solid; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt; color: white\"><strong>VSA<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: #7ba0cd 1pt solid; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt; color: white\"><strong>Netscreen VSA<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: #7ba0cd 1pt solid; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt; color: white\"><strong>VSA Type<\/strong><\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: #7ba0cd 1pt solid; padding-left: 7px; border-left: medium none; 
border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt; color: white\"><strong>Description<\/strong><\/span><\/td>\n<\/tr>\n<tr style=\"background: #d3dfee\">\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>1<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-Admin-Privilege<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Integer<\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Device Admin Access Rights<br \/>\n1 = Root Admin<br \/>\n2 = All VSYS Root Admin<br \/>\n3 = VSYS Admin (Requires VSA#2 VSYS Name)<br \/>\n4 = Read-Only Admin<br \/>\n5 = Read-Only VSYS Admin (Requires VSA#2 VSYS Name)<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>2<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-VSYS-Name<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">String<\/span><\/td>\n<td 
style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Name of VSYS, used for Admin Privileges<\/span><\/td>\n<\/tr>\n<tr style=\"background: #d3dfee\">\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>3<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-User-Group<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">String<\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Name of the group, needs to match External Group definition name<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>4<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-Primary-DNS<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">IP Address<\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; 
padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Assign Primary DNS, Used with XAuth \/ L2TP<\/span><\/td>\n<\/tr>\n<tr style=\"background: #d3dfee\">\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>5<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-Secondary-DNS<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">IP Address<\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Assign Secondary DNS, Used with XAuth \/ L2TP<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>6<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-Primary-WINS<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">IP Address<\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: medium none; 
padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Assign Primary WINS, Used with XAuth \/ L2TP<\/span><\/td>\n<\/tr>\n<tr style=\"background: #d3dfee\">\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: #7ba0cd 1pt solid; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\"><strong>7<\/strong><\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">NS-Secondary-WINS<\/span><\/td>\n<td style=\"border-right: medium none; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">IP Address<\/span><\/td>\n<td style=\"border-right: #7ba0cd 1pt solid; padding-right: 7px; border-top: medium none; padding-left: 7px; border-left: medium none; border-bottom: #7ba0cd 1pt solid\"><span style=\"font-size: 8pt\">Assign Secondary WINS, Used with XAuth \/ L2TP<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>&nbsp;<\/p>\n<p>In the <strong>Vendor-Specific Attribute Information<\/strong> window click <strong>OK<\/strong> to save the changes<br \/>\nIn the <strong>Multivalued Attribute Information<\/strong> window click <strong>OK<\/strong> to save the changes<br \/>\nIn the <strong>Add Attribute<\/strong> window click <strong>Close<\/strong> to save the changes<br \/>\nIn the <strong>Edit Dial-in Profile<\/strong> window click <strong>OK<\/strong> to save the changes<br \/>\n<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive25.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"151\" alt=\"111107_1019_UsingActive25\" 
src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive25-thumb.png\" width=\"516\"><\/a><br \/>\nClick \"<strong>No<\/strong>\"<br \/>\nClose the RAS Policy by clicking <strong>OK<\/strong><\/p>\n<p>Great \u2013 IAS is now ready to authenticate users in the CORELAN\\Remote Access Users group<\/p>\n<p>Start the service and make sure the service is started automatically when the server boots.<\/p>\n<p>Note : if you have multiple IAS servers configured for use by the Juniper, you can keep the IAS configuration in sync using the following commands :<\/p>\n<p>On the first server, where you are making IAS changes, create a scheduled task that will run the following commands :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">netsh aaaa dump <span style=\"color: #0000ff\">&gt;<\/span> c:\\iasconfig.txt\ncopy c:\\iasconfig.txt <a href=\"file:\/\/\\\\server2\\c$\">\\\\server2\\c$<\/a><\/pre>\n<\/div>\n<div>(this will export the IAS settings to a file and copy that file to the second server)<\/div>\n<div>\n<p>On the second server, create a scheduled task that will run the following command :<\/p>\n<\/div>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">netsh exec c:\\iasconfig.txt<\/pre>\n<\/div>\n<div>(This will import the IAS configuration on the second server)<\/div>\n<div>&nbsp;<\/div>\n<h4>Prepare Juniper to use an 
external Radius Authentication Server<\/h4>\n<p>Log on to the firewall management website, go to <strong>Configuration<\/strong>, <strong>Auth<\/strong> and open <strong>Auth Servers<\/strong><\/p>\n<p>In the right pane, click \"<strong>New<\/strong>\" to add a new Radius server definition<\/p>\n<p>Provide a name for the Auth Server definition (e.g. AD Radius)<\/p>\n<p>Fill out the following fields :<\/p>\n<p><strong>IP\/Domain Name<\/strong> : IP address of your Radius server. If you have multiple Radius IAS Servers, you can specify up to 2 backup Radius servers. You'll need to keep the config on all of these servers in sync yourself.<\/p>\n<p>The <strong>timeout<\/strong> value allows you to specify the number of minutes of idle time (no new connections) after which a user needs to authenticate again.<\/p>\n<p>Select Auth and\/or XAuth as account type (XAuth allows you to specify DNS and WINS servers for VPN users ; Auth should do fine if you just want to use WebAuth to activate policy rules)<\/p>\n<p>Choose the source interface (the interface used to connect to the IAS server). 
Note : in my setup, even though I've selected the interface on my LAN zone, the IP address used to connect to Radius is the Management IP on that LAN zone, not the interface IP on that interface.<\/p>\n<p>Select RADIUS<\/p>\n<p>Verify that the Radius port is set to 1645 and set the Shared Secret<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive26.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"437\" alt=\"111107_1019_UsingActive26\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive26-thumb.png\" width=\"618\"><\/a><\/p>\n<p>Click <strong>OK<\/strong> to save<\/p>\n<p>Note : you can do the same using the CLI :<\/p>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set auth-server \"AD Radius\" id 1\nset auth-server \"AD Radius\" server-name \"1.1.1.10\"\nset auth-server \"AD Radius\" account-type auth xauth\nset auth-server \"AD Radius\" src-interface \"ethernet0\/0\"\nset auth-server \"AD Radius\" radius secret \"ThisIsATest\"\nset auth-server \"AD Radius\" fail-over revert-interval 60\nset auth default auth server \"AD Radius\"\nset auth radius accounting port 27911\nsave<\/pre>\n<p>Go to <strong>Configuration<\/strong> \u2013 <strong>Auth<\/strong> \u2013 <strong>WebAuth<\/strong> and set the default WebAuth mechanism to your newly created Auth Server<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive27.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"219\" alt=\"111107_1019_UsingActive27\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive27-thumb.png\" width=\"594\"><\/a><\/p>\n<p>Define the text that should be displayed when a user is successfully authenticated and click <strong>Apply<\/strong>.<\/p>\n<p>CLI :<\/p>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set webauth server \"AD Radius\"\nset webauth banner success \"You have been successfully authenticated.&lt;br&gt;You are only allowed to access resources for which you have received explicit authorization.&lt;br&gt;Do not attempt to bypass or break any security measures on this system\/network\"\nsave<\/pre>\n<h4>Enable Web Authentication on one of the interfaces<\/h4>\n<p>Before you can use webauth, you need to create a virtual IP address that will host the WebAuth website. Choose the right interface, depending on where your remote users will connect from.<\/p>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set interface \"ethernet0\/0\" webauth ssl-only\nset interface \"ethernet0\/0\" webauth-ip 1.1.1.3\nsave<\/pre>\n<h4>Create an external group that matches the name of the group that is passed back from the IAS to the Juniper<\/h4>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set user-group \"Remote Access Users\" location external\nset user-group \"Remote Access Users\" type auth\nsave<\/pre>\n<h4>Create a policy that will invoke web authentication<\/h4>\n<p>Create a new firewall policy using the GUI. Select the source and destination addresses, and select the service that is allowed. Click \"<strong>Advanced<\/strong>\"<\/p>\n<p>Enable \"<strong>Authentication<\/strong>\" and select \"<strong>WebAuth<\/strong>\". 
Select \"<strong>User Group<\/strong>\" and pick the newly created External Group from the list.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive28.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"239\" alt=\"111107_1019_UsingActive28\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive28-thumb.png\" width=\"649\"><\/a><\/p>\n<p>Click <strong>OK<\/strong> to save your policy.<\/p>\n<p>You'll see a user icon in the policy, indicating that this policy requires authentication before it becomes active for that user.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive29.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"136\" alt=\"111107_1019_UsingActive29\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive29-thumb.png\" width=\"186\"><\/a><\/p>\n<p>Test your setup by trying to access the resources that are allowed by the new policy. It should not work yet, because the policy is not active until the user has authenticated.<\/p>\n<p>Browse to <a href=\"https:\/\/1.1.1.3\">https:\/\/1.1.1.3<\/a>, authenticate with the Active Directory username and password of a user who is a member of the \"CORELAN\\Remote Access Users\" group and, upon successful authentication, you should get the banner.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive30.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" height=\"158\" alt=\"111107_1019_UsingActive30\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive30-thumb.png\" width=\"488\"><\/a><\/p>\n<p>Now try to access the same resource again. 
It should work now.<\/p>\n<h4>Group Expressions<\/h4>\n<p>We have now successfully set up a policy that requires authentication and AD group membership before it is activated. You can also combine external groups into group expressions. This feature lets you combine groups with logical operators and be more specific about who is allowed to activate certain rules.<\/p>\n<p>Suppose you have 3 AD groups (and 3 Radius policies) and have created 3 matching External Groups (Group1, Group2 and Group3). If you want a user to be able to activate a rule when the user is a member of both Group1 and Group2, or when the user is a member of Group3, you can create 2 group expressions and combine them into a third one :<\/p>\n<p><span style=\"font-size: 9pt; font-family: courier new\">set group-expression \"Remote Access1\" \"Group1\" and \"Group2\"<\/span><\/p>\n<p>set group-expression \"Remote Access2\" \"Group3\"<\/p>\n<p>set group-expression \"Remote Access Usergroup\" \"Remote Access1\" or \"Remote Access2\"<\/p>\n<p>save<\/p>\n<p>You can then use \"Remote Access Usergroup\" in the policy instead of a single external group.<\/p>\n<p>Group Expressions support the \"or\", \"and\" and \"not\" operators. Objects can be auth users, auth user groups, or other group expressions.<\/p>\n<h4>A note on AD group hierarchies<\/h4>\n<p>If user1 is a member of both Group1 and Group2, and every member of Group1 is also a member of Group2, but you still want to use both External Groups on your Juniper, then IAS needs to pass back multiple groups to the Juniper. So your Radius policy that authenticates members of Group1 would need to pass back 2 \"User-Groups\", one with the string \"Group1\" and one with \"Group2\". 
If you don't, then depending on the order of the Radius policies in IAS (only the first matching policy is applied), one of the groups will never be passed back, so webauth won't work as expected.<\/p>\n<h4>Troubleshooting<\/h4>\n<p>On the Juniper, you can debug the Radius authentication with <strong>debug auth radius<\/strong>.<\/p>\n<p>Once a user is authenticated, you can view the authenticated users table with <strong>get auth table<\/strong>. This also shows the current timeout value for each user. If you want to disconnect all users, use <strong>clear auth table<\/strong>.<\/p>\n<p>On the IAS server, use a sniffer to verify that the source IP address used by the Juniper matches the RADIUS client you have defined (see the note on the Management IP above). Additionally, you can enable logging on the IAS server.<\/p>\n<h4>Security<\/h4>\n<p>Radius\/PAP\/CHAP are weak protocols \u2013 the credentials travel in clear text or can be easily decrypted. It is advised to use IPSec to protect the traffic between the Juniper firewall and the Radius server(s).<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>As most of the bigger players in the firewall market, Juniper\/Netscreen SreenOS based firewalls allow you to use\/enforce\/require authentication for various reasons : Admin login Client VPN Authentication to open a specific rule on the firewall In a default configuration, ScreenOS uses a local user account database for all types of authentication listed above. 
In &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2007\/11\/11\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Using Active Directory and IAS based Radius for Netscreen WebAuth authentication\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31,554,164,127],"tags":[3735,560,32],"class_list":["post-331","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-juniper","category-networking","category-security","tag-juniper-netscreen-screenos","tag-radius","tag-active-directory"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Using Active Directory and IAS based Radius for Netscreen WebAuth authentication - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2007\/11\/11\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"Using Active Directory and IAS based Radius for Netscreen WebAuth authentication - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"As most of the bigger players in the firewall market, Juniper\/Netscreen SreenOS based firewalls allow you to use\/enforce\/require authentication for various reasons : Admin login Client VPN Authentication to open a specific rule on the firewall In a default configuration, ScreenOS uses a local user account database for all types of authentication listed above. In &hellip; Continue reading &quot;Using Active Directory and IAS based Radius for Netscreen WebAuth authentication&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2007\/11\/11\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2007-11-11T00:31:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/111107-1019-usingactive1-thumb1.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Using Active Directory and IAS based Radius for Netscreen WebAuth authentication\",\"datePublished\":\"2007-11-11T00:31:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/\"},\"wordCount\":2586,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111107-1019-usingactive1-thumb1.png\",\"keywords\":[\"juniper netscreen screenos\",\"radius\",\"Active Directory\"],\"articleSection\":[\"Active Directory\",\"Juniper\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/\",\"name\":\"Using Active Directory and IAS based Radius for Netscreen WebAuth authentication - Corelan | Exploit Development 
&amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111107-1019-usingactive1-thumb1.png\",\"datePublished\":\"2007-11-11T00:31:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111107-1019-usingactive1-thumb1.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/111107-1019-usingactive1-thumb1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/11\\\/11\\\/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using Active Directory and IAS based Radius for 
Netscreen WebAuth authentication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","views":11782}