8 September, 2014

Junos 12.1X44 Dynamic VPN with FreeRADIUS

One of the features Juniper added to the SRX Dynamic VPN in Junos 12.1X44 is the ability to set the VPN client group via RADIUS, eliminating the need to list each client username in the SRX configuration.

What Juniper don’t tell you is how to do it: the group is returned in the Juniper-Local-Group-Name VSA (vendor ID 2636, vendor attribute 46). So, after some trial and error, here’s how:

Step 1: Configure the access profile and create the Dynamic VPN client group:

set security dynamic-vpn clients dynclient-testing remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients dynclient-testing remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients dynclient-testing ipsec-vpn vpn-dynamic
set security dynamic-vpn clients dynclient-testing user-groups dynvpn_testing

Step 2: Add the following line to /usr/share/freeradius/dictionary.juniper (a package upgrade may overwrite that file, so the local /etc/raddb/dictionary is a safer place for it if your FreeRADIUS version doesn’t ship the attribute):

ATTRIBUTE   Juniper-Local-Group-Name        46  string

Step 3: Assign the user to the group as a reply item in /etc/raddb/users (or however you do it):

testuser    Cleartext-Password := "Testing123"
            Juniper-Local-Group-Name = dynvpn_testing

And… well, test!
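As an added example of what that test should show, and not code from the original post or from Juniper or FreeRADIUS: the Access-Accept the SRX receives must carry a Vendor-Specific attribute (RFC 2865 type 26) whose vendor ID is 2636 and whose inner vendor-type is 46, with the group name as the value. The script below encodes that attribute the way FreeRADIUS will send it, decodes it back out of a constructed attribute list (so it can be compared against a packet capture of the exchange), and flags the common failure where the group name in the users file does not match any client group configured on the SRX. The unrelated vendor ID 9999 and the sample IP address are constructed placeholders; the only group assumed to exist on the SRX is dynvpn_testing from Step 1.

```python
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 attribute type for Vendor-Specific
JUNIPER_VENDOR_ID = 2636        # vendor ID from the post
JUNIPER_LOCAL_GROUP_NAME = 46   # vendor attribute number from the post

# Client groups configured under "security dynamic-vpn clients ... user-groups"
# (Step 1). Constructed from the post; extend it with your own groups.
SRX_CLIENT_GROUPS = {"dynvpn_testing"}


def encode_juniper_local_group(group):
    """Build the Vendor-Specific AVP that carries Juniper-Local-Group-Name.

    Wire layout (RFC 2865 5.26): Type=26, Length, Vendor-Id (4 bytes),
    then vendor data = Vendor-type, Vendor-length, value.
    """
    value = group.encode("ascii")
    vendor_data = bytes([JUNIPER_LOCAL_GROUP_NAME, 2 + len(value)]) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def iter_avps(payload):
    """Yield (type, data) for each Type-Length-Value attribute in payload.

    Raises ValueError on a truncated or zero-length attribute instead of
    looping forever or reading past the buffer.
    """
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("malformed attribute length %d" % alen)
        yield atype, payload[off + 2:off + alen]
        off += alen


def juniper_local_group_from_reply(attrs):
    """Return the Juniper-Local-Group-Name from an Access-Accept attribute
    list, or None if no Juniper VSA 46 is present."""
    for atype, data in iter_avps(attrs):
        if atype != VENDOR_SPECIFIC or len(data) < 4:
            continue
        vendor_id = struct.unpack("!I", data[:4])[0]
        if vendor_id != JUNIPER_VENDOR_ID:
            continue
        for vtype, vdata in iter_avps(data[4:]):
            if vtype == JUNIPER_LOCAL_GROUP_NAME:
                return vdata.decode("ascii")
    return None


def group_is_configured_on_srx(group):
    """True if the group returned by RADIUS exists on the SRX; a typo in the
    users file shows up here as False."""
    return group in SRX_CLIENT_GROUPS


# Constructed Access-Accept attribute list: Framed-IP-Address (type 8) for
# 192.168.1.50, an unrelated vendor's VSA (vendor 9999, placeholder), then
# the Juniper group attribute. Mirrors what a capture of the reply contains.
SAMPLE_ACCEPT_ATTRS = (
    bytes([8, 6, 192, 168, 1, 50])
    + bytes([VENDOR_SPECIFIC, 9]) + struct.pack("!I", 9999) + bytes([1, 3, 0x41])
    + encode_juniper_local_group("dynvpn_testing")
)


def check_sample_reply():
    """Decode the constructed reply and report whether the SRX would map
    the user onto a known client group."""
    group = juniper_local_group_from_reply(SAMPLE_ACCEPT_ATTRS)
    return group, group is not None and group_is_configured_on_srx(group)


if __name__ == "__main__":
    print("encoded VSA:", encode_juniper_local_group("dynvpn_testing").hex())
    print("decoded group, matches SRX config:", check_sample_reply())
```

When the SRX still refuses the login after Step 3, compare the bytes of the real Access-Accept against what encode_juniper_local_group() produces: a missing attribute means the reply item was not applied, a different vendor ID or vendor-type means the dictionary entry is wrong, and a name that decodes fine but fails group_is_configured_on_srx() means the users file and the SRX client group disagree.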