NSD1178 How to set Juniper SSL/VPN remote access policies based on group membership from an LDAP user database

Fact
One Time Password Server
Juniper SA SSL/VPN

Situation
Setting Juniper SSL/VPN remote access policies based on group membership from an LDAP user database with Nordic Edge One Time Password Server.

Solution

Step 1. Installing the Nordic Edge plugin RADIUSAttributeGroupMembership
Copy the attached file RADIUSAttributeGroupMembership.class to the directory <OTPServer>/ext.
Copy the attached file groupmembership.cfg to the directory <OTPServer>.

Step 2. Configuring the OTPServer RADIUS client
Select the Radius & Client tab.
Highlight the Radius Client and select "Edit Client".
Highlight User Database and select Options.
Select Add Option and configure the Radius Attribute as follows:
Select OK to save the attribute value configuration.
Select OK to save the Radius attribute configuration.

Step 3. Configuring the group membership filter
Choose the user groups from the LDAP user database. As an example, the groups VPN-user, VPN-helpdesk, VPN-support and VPN-admins are used.

Step 3.1 Modify groupmembership.cfg
For Microsoft Active Directory, modify groupmembership.cfg as follows:
  GroupNameTag=Groupname:
  Separator=,
  GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
  UserIDAttribute=samaccountname
  GroupMemberAttribute=memberOf

For Novell eDirectory, modify groupmembership.cfg as follows:
  GroupNameTag=Groupname:
  Separator=,
  GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
  UserIDAttribute=CN
  GroupMemberAttribute=groupmembership

Step 4. Configuring Juniper SSL/VPN
Start Juniper Central Manager, select Users / User Roles and create roles matching the GroupsToCheck list in groupmembership.cfg. In this example four roles are created: VPN-User, VPN-Helpdesk, VPN-Support and VPN-Admins.
Select Users / User Realms and open your Realm. In this example the Realm is called "User". On the General page, make sure Directory / Attribute is set to "Same as above".
Select the "Role Mapping" page and configure a rule based on "User attribute", then select "Update". In this example the Role Mapping Rule for the role VPN-User is created as follows:
Select the attribute Class (25).
Choose "Is" and enter the group name including the GroupNameTag from groupmembership.cfg, i.e. "Groupname:VPN-user". The value must match the Class attribute value sent by the OTP server exactly: the GroupNameTag followed by the group name spelled as it appears in GroupsToCheck.
Assign the rule to the role "VPN-User".
Save the changes and repeat for every user group in the GroupsToCheck list from groupmembership.cfg. When all rules are in place, the Juniper policies match the user group membership set in the LDAP user database and groupmembership.cfg.
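The plugin-side filter of Step 3 and the Juniper rule matching of Step 4 are two halves of one data flow: groupmembership.cfg decides which RADIUS Class (25) values the OTP server sends, and the "Class Is" rules decide which role each value selects. The Python model below is added here as an illustration; it is not the Nordic Edge plugin or Juniper code. The cfg semantics it assumes (Separator splits GroupsToCheck, GroupNameTag is prefixed to each matched group name) and the sample LDAP entries are constructed for the example.

```python
"""Added illustration of the group-membership data flow in Steps 3 and 4.

NOT the Nordic Edge RADIUSAttributeGroupMembership plugin nor Juniper code:
it models how groupmembership.cfg turns an LDAP user's group attribute into
RADIUS Class (25) values, and how Juniper "Class Is <value>" role-mapping
rules then select roles. Cfg key semantics are assumptions.
"""
from typing import Dict, List

# Constructed copy of the Active Directory cfg from Step 3.1.
CFG_AD = """\
GroupNameTag=Groupname:
Separator=,
GroupsToCheck=VPN-user,VPN-helpdesk,VPN-support,VPN-admins
UserIDAttribute=samaccountname
GroupMemberAttribute=memberOf
"""

# Constructed copy of the Novell eDirectory cfg from Step 3.1.
CFG_EDIR = CFG_AD.replace("UserIDAttribute=samaccountname",
                          "UserIDAttribute=CN").replace(
    "GroupMemberAttribute=memberOf", "GroupMemberAttribute=groupmembership")

# Constructed LDAP entries. Both directories return group DNs, so the group
# name is the value of the first RDN. AD's memberOf lists direct membership
# only: a user who is in VPN-admins only through a nested group gets no Class
# value for it unless the OTP server expands nesting itself.
USER_AD = {
    "samaccountname": ["jdoe"],
    "memberOf": [
        "CN=VPN-user,OU=Groups,DC=example,DC=com",
        "CN=VPN-support,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ],
}
USER_EDIR = {
    "CN": ["asmith"],
    "groupmembership": ["cn=VPN-admins,ou=groups,o=acme"],
}

# Role-mapping rules from Step 4: exact Class value -> Juniper role.
ROLE_RULES = {
    "Groupname:VPN-user": "VPN-User",
    "Groupname:VPN-helpdesk": "VPN-Helpdesk",
    "Groupname:VPN-support": "VPN-Support",
    "Groupname:VPN-admins": "VPN-Admins",
}


def parse_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def group_name(value: str) -> str:
    """'CN=VPN-user,OU=...' -> 'VPN-user'; a bare name is returned as-is.
    (RDN values containing escaped commas are not handled here.)"""
    first_rdn = value.split(",", 1)[0]
    _attr, sep, rdn_value = first_rdn.partition("=")
    return rdn_value.strip() if sep else value.strip()


def class_attributes(cfg: Dict[str, str], user: Dict[str, List[str]]) -> List[str]:
    """RADIUS Class values the OTP server would send for this user: one
    '<GroupNameTag><group>' per GroupsToCheck entry the user belongs to,
    spelled as in the cfg so the Juniper rule can match it exactly.
    Group names are compared case-insensitively, as LDAP CN matching is."""
    sep = cfg.get("Separator", ",")
    wanted = [g.strip() for g in cfg["GroupsToCheck"].split(sep) if g.strip()]
    held = {group_name(v).lower() for v in user.get(cfg["GroupMemberAttribute"], [])}
    return [cfg.get("GroupNameTag", "") + g for g in wanted if g.lower() in held]


def map_roles(class_values: List[str], rules: Dict[str, str]) -> List[str]:
    """Juniper 'Is' rules: a role is assigned only on an exact match, so a
    user in none of the configured groups (or a mistyped rule) gets no role."""
    return [rules[v] for v in class_values if v in rules]


if __name__ == "__main__":
    for cfg_text, user in ((CFG_AD, USER_AD), (CFG_EDIR, USER_EDIR)):
        cfg = parse_cfg(cfg_text)
        classes = class_attributes(cfg, user)
        print(user[cfg["UserIDAttribute"]][0], classes, map_roles(classes, ROLE_RULES))
    # A rule mistyped as 'Groupname:VPN:user' matches nothing:
    print(map_roles(["Groupname:VPN-user"], {"Groupname:VPN:user": "VPN-User"}))
```

Two consequences are worth checking in a real deployment: a user who is in none of the GroupsToCheck groups produces no Class value and therefore matches no rule, so the realm's behaviour for users with no mapped role should be what you intend, and a rule value that differs from the plugin's output by even one character silently assigns nothing.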
© Copyright 2024