RSA SecurID Ready Implementation Guide
Last Modified: September 30, 2005
Partner / Product Information
Partner Name: Juniper Networks
Web Site: www.juniper.net
Product Name: NetScreen SA
Version & Platform: 5.1R2 (Build 9029)
Product Description: Juniper Networks NetScreen SSL VPNs lead the market with a complete range of SSL VPN appliances, with form factors and features tailored to meet the needs of companies of all sizes. NetScreen SSL VPNs are based on the Instant Virtual Extranet (IVE) platform, which uses SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for client software deployment, changes to internal servers, and costly ongoing maintenance and desktop support. Juniper Networks SSL VPN appliances combine the overall category benefit of a lower total cost of ownership compared to traditional solutions with unique end-to-end security features. Dynamic access privilege management adds granular access control for each user and each resource.
Product Category: Perimeter Devices (Firewalls, VPNs & ID)
Solution Summary
Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID Authentication and RADIUS
List Library Version Used: 5.2
RSA Authentication Manager Name Locking: Yes
RSA Authentication Manager Replica Support: Full Replica Support
Secondary RADIUS Server Support: Yes (2)
Location of Node Secret on Agent: See appendix for more information
RSA Authentication Agent Host Type: Communication Server
RSA SecurID User Specification: Designated Users, All Users
RSA SecurID Protection of Administrative Users: No
RSA Software Token API Integration: No
Use of Cached Domain Credentials: No
Product Requirements
Partner Product Requirements: Juniper Networks NetScreen SA
Platform: Self-contained appliance
Firmware Version: 5.1R2 (Build 9029)
Agent Host Configuration
To facilitate communication between the Juniper Networks NetScreen SA and the RSA Authentication
Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication
Manager local database and RADIUS Server Database (When using RADIUS Authentication Protocol).
The Agent Host record identifies the Juniper Networks NetScreen SA within its database and contains
information about communication and encryption.
To create the Agent Host record, you will need the following information.
• Hostname
• IP Addresses for all network interfaces
• RADIUS Secret (When using RADIUS Authentication Protocol)
When adding the Agent Host Record, you should configure the Juniper Networks NetScreen SA as a
Communications Server. This setting is used by the RSA Authentication Manager to determine how
communication with the Juniper Networks NetScreen SA will occur.
Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA Security documentation for additional information about Creating,
Modifying and Managing Agent Host records.
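A pre-flight check for the Agent Host record information listed above, added here as an example; it is not code from this guide, from Juniper or from RSA. The record layout, the resolver interface and the 16-character minimum length for the RADIUS secret are this example's own assumptions, and the sample record and DNS table are constructed so the check runs offline. It verifies the points the section depends on: every interface address is valid, the hostname resolves and resolves only to listed interfaces (a name that resolves to an unlisted address is the usual cause of a rejected agent), the agent type is Communication Server, and a RADIUS deployment has a shared secret of reasonable length.

```python
# Added example, not from the RSA/Juniper guide: a pre-flight check of the data
# the Agent Host record needs (hostname, interface addresses, agent type and,
# for RADIUS, the shared secret). The record layout, the resolver interface and
# the 16-character minimum secret length are this example's own assumptions.
import ipaddress
import socket

AGENT_TYPES = ("Communication Server", "Communications Server")  # both spellings appear in the guide

# Constructed sample data so the check runs offline.
SAMPLE_RECORD = {
    "hostname": "sa1.example.test",
    "interfaces": ["192.0.2.10", "198.51.100.10"],
    "agent_type": "Communication Server",
    "protocol": "radius",
    "radius_secret": "constructed-shared-secret",
}
SAMPLE_DNS = {"sa1.example.test": ["192.0.2.10"]}


def live_resolver(hostname):
    """Return every IPv4 address the local resolver returns for hostname."""
    return socket.gethostbyname_ex(hostname)[2]


def check_agent_host(record, resolver=live_resolver, min_secret_len=16):
    """Return a list of problems with the record; an empty list means it is ready."""
    problems = []
    interfaces = set()
    for ip in record.get("interfaces", []):
        try:
            interfaces.add(str(ipaddress.ip_address(ip)))
        except ValueError:
            problems.append(f"interface address {ip!r} is not a valid IP address")
    if not interfaces:
        problems.append("no interface addresses listed; every interface of the SA must be recorded")
    hostname = record.get("hostname", "")
    try:
        resolved = set(resolver(hostname)) if hostname else set()
    except OSError:
        resolved = set()
    if not resolved:
        problems.append(f"hostname {hostname!r} does not resolve to an address on the local network")
    for ip in sorted(resolved - interfaces):
        problems.append(f"hostname {hostname!r} resolves to {ip}, which is not a listed interface")
    if record.get("agent_type") not in AGENT_TYPES:
        problems.append("agent host type must be Communication Server for the NetScreen SA")
    if record.get("protocol") == "radius":
        secret = record.get("radius_secret", "")
        if not secret:
            problems.append("RADIUS selected but no shared secret recorded")
        elif len(secret) < min_secret_len:
            problems.append(f"RADIUS shared secret shorter than {min_secret_len} characters")
    return problems


def check_sample():
    """Run the check against the constructed record and constructed DNS table."""
    return check_agent_host(SAMPLE_RECORD, lambda h: SAMPLE_DNS.get(h, []))
```

Run `check_agent_host(record)` with the default resolver against the real record before creating it in the Authentication Manager; the injected resolver exists only so the sample can be exercised without DNS.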
Partner Authentication Agent Configuration
Before You Begin
This section provides instructions for integrating the partner’s product with RSA SecurID Authentication.
This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All vendor products/components must be installed and working prior to the integration. Perform the
necessary tests to confirm that this is true before proceeding.
Documenting the Solution
A. Native RSA SecurID Authentication Support
1. Get the sdconf.rec file from the RSA Authentication Manager and store it on the machine from which you will manage the Juniper Networks NetScreen-SA.
2. Log into the Juniper Networks NetScreen-SA Administrator Console. The administrator console can be reached via a web browser by entering the following URL: https://hostname/admin
3. In the Administrator Console, choose Signing In > AAA Servers.
4. From the drop-down list, choose ACE Server.
5. Click New Server. The configuration page for the Authentication Manager “ACE Server” appears.
6. Fill in the appropriate information.
• Name: Enter a name to identify the ACE Server instance. Because users may not readily understand the concept of signing into an authentication server, it is recommended that you use a familiar name that conveys a group to which the user belongs, such as “corporate” or “bostonoffice”.
• Port: Change if needed; the default is 5500.
• Import new config file: Click the Browse button to browse to the RSA Authentication Manager configuration file (sdconf.rec) saved in Step 1 above.
7. Click Save Changes.
8. Go to Users > Roles and create a role for your RSA SecurID authentication users based on your policies.
9. Go to Users > Authentication.
10. Click New.
11. Enter the appropriate information for this Authentication Realm.
• Name: Give the Realm a name.
• Authentication Server: Select the RSA Authentication Manager definition defined in step 6 above.
12. Click Save Changes.
13. Click New Rule and create a rule.
14. Click the Save Changes button to save your configuration.
After successfully configuring the server, RSA SecurID authentication is enabled on the Juniper Networks
Netscreen SA. The server doesn’t have to be restarted. Users who are configured to use RSA SecurID
authentication can sign in with their username and their RSA SecurID PASSCODE.
B. Authentication Examples
The user will see the following user interface when authenticating against the RSA Authentication Manager.
• Standard sign-in screen. To access the sign-in screen, enter the Juniper machine’s URL in a browser. The machine’s URL is https://a.b.c.d, where a.b.c.d is the machine IP address.
• The user enters their username and RSA SecurID PASSCODE and selects the RSA Authentication Manager server from the drop-down menu.
• On success, the user enters the Juniper box.
• On failure, the user is returned to the sign-in page.
• New PIN screens.
• Options for User created or System Generated PIN.
• User created PIN.
• PIN Accepted.
• System Generated PIN.
• Next TOKENCODE Screen.
C. RADIUS Authentication Support
1. Follow the instructions in the RSA Authentication Server Guide to enable RADIUS Support on the RSA Authentication Server.
2. Log into the Juniper Networks Netscreen-SA Administrator Console. The administrator console can be reached via a web browser by entering the following URL https://hostname/admin.
3. From the main menu, choose Signing In > AAA Servers.
4. Select RADIUS Server from the drop-down menu and click Create.
5. Enter the RADIUS Server IP address, port number, and shared secret.
6. Click Save changes to save the configuration.
7. Go to Users > Roles and create a role for your RSA SecurID authenticated users based on your policies.
8. Go to Users > Authentication.
9. Click New.
10. Enter the appropriate information for this Authentication Realm.
• Name: Give the Realm a Name.
• Authentication Server: Select the RADIUS definition defined in step 5 above.
11. Click Save Changes.
12. Click New Rule and create a rule.
13. Click the Save Changes button to save your configuration.
After successfully configuring the server, RADIUS authentication is enabled. Users who are configured to
use RADIUS authentication can sign in with their username and RSA SecurID PASSCODE.
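The RADIUS exchange behind step 5 (shared secret) and the sign-in described above, as an added example that is not part of this guide and not Juniper's or RSA's code: a minimal RFC 2865 client (the role the NetScreen SA plays) together with a constructed stand-in for the RSA RADIUS server. The user name, PASSCODE, the New PIN rule (4-8 alphanumeric, as in the checklist) and the shared secret are constructed sample values; no real server is contacted. It shows the two places the shared secret is used, User-Password hiding on the request and the Response Authenticator on every reply, and carries a New PIN exchange through Access-Challenge, the second Access-Request with the State attribute, and the final Access-Accept or Access-Reject.

```python
# Added example, not code from the RSA/Juniper guide: a minimal RFC 2865 RADIUS
# client plus a constructed stand-in for the RSA RADIUS server, showing how the
# shared secret from step 5 is used on both sides and how a New PIN exchange runs
# as Access-Challenge followed by a second Access-Request. User, PASSCODE and the
# PIN rule (4-8 alphanumeric, per the checklist) are constructed sample values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def _encode_attrs(pairs):
    """Type-Length-Value attribute encoding (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _decode_attrs(data):
    out = []
    while data:
        length = data[1]
        if length < 2:
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:length]))
        data = data[length:]
    return out

def encode_user_password(password, secret, request_auth):
    """Section 5.2: each 16-byte block XORed with MD5(secret + previous hidden block); block 0 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(hidden, secret, request_auth):
    """Server side of section 5.2; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(ident, username, hidden_field, secret, extra=()):
    """NAS side: fresh random Request Authenticator and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, encode_user_password(hidden_field, secret, request_auth))]
    body = _encode_attrs(attrs + list(extra))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth

def build_response(code, ident, attrs, request_auth, secret):
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """NAS side: trust a reply only if its authenticator recomputes under the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class FakeSecurIDRadiusServer:
    """Constructed stand-in: one user; a good PASSCODE triggers a New PIN challenge, the second leg carries the PIN."""
    def __init__(self, secret):
        self.secret = secret
        self.users = {b"alice": b"1234567890"}  # constructed PASSCODE
        self.pending = {}  # State value -> user awaiting a new PIN

    def handle(self, packet):
        ident, request_auth = packet[1], packet[4:20]
        attrs = dict(_decode_attrs(packet[20:]))
        user = attrs.get(USER_NAME)
        field = decode_user_password(attrs[USER_PASSWORD], self.secret, request_auth)
        if STATE in attrs and self.pending.pop(attrs[STATE], None) == user:
            ok = 4 <= len(field) <= 8 and field.isalnum()
            return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, [], request_auth, self.secret)
        if self.users.get(user) != field:
            return build_response(ACCESS_REJECT, ident, [], request_auth, self.secret)
        state = os.urandom(8)
        self.pending[state] = user
        challenge = [(REPLY_MESSAGE, b"Enter a new PIN"), (STATE, state)]
        return build_response(ACCESS_CHALLENGE, ident, challenge, request_auth, self.secret)

def new_pin_flow(server, username, passcode, new_pin, client_secret):
    """Run the exchange; returns the final code, or None when a reply fails verification (e.g. mismatched secrets)."""
    req, ra = build_access_request(1, username, passcode, client_secret)
    reply = server.handle(req)
    if not verify_response(reply, ra, client_secret):
        return None
    if reply[0] != ACCESS_CHALLENGE:
        return reply[0]
    state = dict(_decode_attrs(reply[20:]))[STATE]
    req2, ra2 = build_access_request(2, username, new_pin, client_secret, [(STATE, state)])
    reply2 = server.handle(req2)
    return reply2[0] if verify_response(reply2, ra2, client_secret) else None
```

Two points the exchange makes visible: the shared secret is the only key protecting both the hidden PASSCODE and the reply authenticator, so its length and per-agent uniqueness matter more than any other RADIUS setting; and a reply is only meaningful after `verify_response`, which is what lets the agent tell a genuine Access-Accept from one produced under a different or mis-typed secret. In this stand-in a rejected PIN comes back as Access-Reject in the same exchange, which is the behaviour Known Issue 1 below notes is not always surfaced to the end user.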
Certification Checklist
Date Tested: September 30, 2005
Certification Environment
Product Name                     Version Information    Operating System
RSA Authentication Manager       5.1R2 (Build 9029)     Windows 2003 SP1
Juniper Networks NetScreen SA    5.1R2 (Build 9029)

Mandatory Functionality
                                        RSA Native Protocol    RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  User Selectable
  Deny 4 and 8 Digit PIN                                       *
  Deny Alphanumeric PIN                                        *
PASSCODE
  16 Digit PASSCODE
  4 Digit Password
Next Tokencode Mode
  Next Tokencode Mode
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)                                     Failover *
  Name Locking Enabled
  No RSA Authentication Manager

Additional Functionality
                                        RSA Native Protocol    RADIUS Protocol
RSA Software Token API Functionality
  System Generated PIN                  N/A                    N/A
  User Defined (8 Digit Numeric)        N/A                    N/A
  User Selectable                       N/A                    N/A
  Next Tokencode Mode                   N/A                    N/A
Domain Credential Functionality
  Determine Cached Credential State     N/A
  Set Domain Credential                 N/A
  Retrieve Domain Credential            N/A

Legend: Pass, Fail, N/A = Non-Available Function. [The per-cell Pass/Fail marks are not present in this text; entries marked * have a related entry under Known Issues.]
Known Issues
1. PIN rejected: If a user enters an invalid PIN during PIN creation when authenticating via RADIUS, it appears to the end user that the PIN has been accepted when it has not. The RSA Authentication Manager log will contain an error stating that the new PIN was rejected.
2. Failover: New PIN and Next Tokencode modes do not always work when one of the RADIUS servers is down.
3. System Generated and User Selectable PIN: System Generated and User Selectable PINs do not work via RADIUS authentication.