Authentication Service Delivery Made EASY™
Strong Authentication
for
Juniper Networks
SSL VPN SSO and OWA
with
Copyright
Copyright © 2011. CRYPTOCard Inc. All rights reserved. The information contained herein is subject to change without notice. Proprietary Information of CRYPTOCard Inc.
Disclaimer
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than CRYPTOCard Inc. While every effort is made to ensure the accuracy of content offered on these pages, CRYPTOCard Inc. shall have no liability for errors, omissions or inadequacies in the content contained herein or for interpretations thereof.
Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk.
No part of this documentation may be reproduced without the prior written permission of the copyright owner. CRYPTOCard Inc. disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall CRYPTOCard Inc. be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if CRYPTOCard Inc. has been advised of the possibility of such damages. Some provinces, states or countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents CRYPTOCard Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behaviour to [email protected]. The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of the license.
Trademarks
Contact Information
CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.
To contact CRYPTOCard directly:
United Kingdom
2430 The Quadrant, Aztec West, Almondsbury, Bristol, BS32 4AQ, U.K.
Phone: +44 870 7077 700
Fax: +44 870 70770711
Email: [email protected]
North America
600-340 March Road, Kanata, Ontario, Canada K2K 2E4
Phone: +1 613 599 2441
Fax: +1 613 599 2442
Email: [email protected]
Overview
By default, Juniper SSL VPN logon requires that a user provide a correct user name and password to log on successfully. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token, using the implementation instructions below.
Applicability
This integration guide is applicable to:
Security Partner Information
Security Partner: Juniper Networks
Product Name and Version: SA 700 / 6.2R1 (build 13255)
Protection Category: SSL Remote Access
Authentication Service Delivery Platform Compatibility
Publication History
Date            Changes                 Version
April 15, 2009  Document created        1.0
July 9, 2009    Copyright year updated  1.1
Preparation and Prerequisites
1. Ensure end users can authenticate through the Juniper SSL VPN with a static password before configuring RADIUS authentication.
2. For BlackShield Server:
a. The BlackShield ID NPS/IAS Agent has been installed and configured on the NPS/IAS Server to accept RADIUS authentication from the Juniper SSL VPN.
b. Ensure that ports 1812 UDP and 1813 UDP are open to the NPS/IAS Server.
c. The NPS/IAS Agent must be configured to use either port 80 or port 443 to send authentication requests to the BlackShield ID server.
3. For BlackShield Cloud:
a. Add a RADIUS Auth Node configured to accept authentication requests from the Juniper SSL VPN.
4. For BlackShield Server or BlackShield Cloud:
a. Create or define a “Test” account that will be used to verify that the Juniper SSL VPN has been properly configured. Ensure that the user name for this account exists in BlackShield ID by locating it in the Assignment Tab.
b. Verify that the “Test” user account can successfully authenticate to the Juniper SSL VPN with a static password before attempting to apply changes and test authentication using a token.
Configuration
Configuring Juniper SSL VPN for Two Factor Authentication
• Log into the Juniper SSL VPN admin web portal.
• To add a new RADIUS server, click on “Auth Servers”.
• From the dropdown box, select “Radius Server”.
• Click on the “New Server...” button.
• Enter a Name for the new RADIUS server.
• Enter the IP address or DNS name of the Primary BlackShield ID RADIUS Server into the “Radius Server” field.
• Enter a Shared Secret into the “Shared Secret” field.
• Place a checkmark in the “Users authenticate using tokens and one-time passwords” checkbox.
• Click “Save Changes” when completed.
Optional:
• Click on the “Users” Authentication Realm section.
• Select the Role Mapping tab.
• Click on New Rule.
• Beside “Rule based on”, click on the drop down menu and select “User attribute”.
• In the Name field, enter a name for reference. In this example “CC Role Map” was used.
• Select Filter-Id (11) for the attribute, and enter CCUser1 for the attribute name.
• Click Save Changes when finished.
• In the General tab of the User Realm, add the Active Directory authentication server as the first server.
• Check “Additional authentication server” and add the RADIUS authentication server.
• Beside “Username is:”, check “predefined as:” and enter <USERNAME>. Do not leave it as <USER>.
• In Resource Profiles / Web, add a new Profile for OWA.
• Make sure to add the Users in the Roles tab.
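The two settings that do the security work above are the Shared Secret and the Filter-Id (11) = CCUser1 role-mapping rule. The following is an added example, not code from CRYPTOCard or Juniper: it builds a RADIUS Access-Accept the way a RADIUS server would (MD5 Response Authenticator over the shared secret, as in RFC 2865), then verifies that reply on the client side before applying the guide's role-mapping rule. The secret, identifier and role-matching helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID = 11  # RADIUS attribute Filter-Id (RFC 2865), the attribute the Role Mapping rule tests

def build_response(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_response(packet, request_auth, secret):
    """Verify the reply against the shared secret, then decode its attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    # A reply that does not verify was not built with our secret for this request
    # (or was altered in transit): it must not be trusted to grant access or a role.
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[pos], body[pos + 1]
        attrs.setdefault(atype, []).append(body[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def map_role(code, attrs, rule_value=b"CCUser1"):
    """The guide's Role Mapping rule: user attribute Filter-Id (11) equals CCUser1.
    True only for an Access-Accept carrying that value; a Reject never maps."""
    return code == ACCESS_ACCEPT and rule_value in attrs.get(FILTER_ID, [])

def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: a reply in the style BlackShield would send with Filter-Id=CCUser1."""
    request_auth = os.urandom(16)  # the Request Authenticator the VPN put in its Access-Request
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, secret, [(FILTER_ID, b"CCUser1")])
    return map_role(*parse_response(reply, request_auth, secret))
```

A mismatched secret on either side shows up as a verification failure rather than a wrong role, which is why the guide has you confirm static-password logon first and then test with the “Test” account.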
Testing CRYPTOCard Authentication
• The next step is to test the newly configured CRYPTOCard Two Factor Authentication.
• Open a web browser and go to http://JuniperSSLVPN.DNS.Name/
• Enter your username, Active Directory password and a CRYPTOCard generated Passcode, then click “Sign In”.
Failed Logons
Symptom: Login Failed
Indication:
11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
Possible Causes: The One Time Password provided for the user is incorrect.
Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid OTP again, test the token out via the BlackShield ID Manager.
Symptom: Login Failed
Indication:
11/19/2008 12:47:24 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid PIN
Possible Causes: The PIN provided for the user is incorrect.
Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid PIN again, changing the initial PIN back to default and forcing a PIN change would solve the issue, or have the user access the BlackShield Self Service page.