Juniper JUNOS OS 10.4 - RELEASE NOTES Release Note page 99

Copyright © 2010, Juniper Networks, Inc.
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
This feature is used to perform the following:
Assign an IP address to the client after successful authentication.
Provide a mechanism in AUTHD for linking an address pool to a client profile and
assigning an IP address to the client from the pool.
Provide a mechanism in AUTHD for assigning IP version 4 (IPv4) addresses to the
users.
Provide different IP addresses for multiple logins by the same user.
Allow configuration changes in the address pool after address assignment.
Address pools are defined at the [edit access address-assignment] hierarchy.
[Junos OS CLI Reference, Junos OS Administration Guide for Security Devices]
Local IP address management for VPN XAuth support—This feature is supported on
SRX100, SRX210, SRX240, SRX650, J4350, and J6350 devices.
When you configure extended authentication (XAuth), you must enter the username
and password, after the Internet Key Exchange (IKE) phase 1 security association (SA)
is established. AUTHD verifies the credentials received from you.
After successful authentication, AUTHD sends the following network parameters to
IKE or XAuth:
IP address
Domain Name System (DNS)
Windows Internet Naming Service (WINS)
The IP address can be drawn from a locally configured IP address pool. AUTHD requires
IKE or XAuth to release the IP address when it is no longer in use.
IKE provides a mechanism for establishing IP Security (IPsec) tunnels.
[Junos OS CLI User Guide, Junos OS Security Configuration Guide]
Support group Internet Key Exchange (IKE) IDs for dynamic VPN configuration —This
feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The existing design of the dynamic virtual private network (VPN) uses unique Internet
Key Exchange (IKE) ID for each user connection. For each user, VPN needs to be
configured with an individual IKE gateway, an IPsec VPN, and a security policy using
the IPsec VPN. This is cumbersome when there are a large number of users. The design
is modified to allow a number of users to share a set of IKE or IPsec VPN (or policy
configuration) using shared-ike-id or group-ike-id. This reduces the number of times
the VPN needs to be configured.
The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users.
All users connecting through a shared-ike-id configuration use the same IKE ID and
preshared key. The user credentials are verified in the extended authentication (XAuth)
99