
Juniper SSL VPN Authentication QUICKStart Guide


Authentication Service Delivery Made EASY™

Juniper SSL VPN

Authentication

QUICKStart Guide


Copyright © 2012 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Support

SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs.

To contact SafeNet Authentication Service support directly:

Europe / EMEA North America


Publication History

Date Changes Version

2012.06.30 Updates to reflect SafeNet branding. 1.3

2010.09.15 Updated for GrIDsure, MP and different auth methods 1.2

2009.07.09 Copyright year updated 1.1


Contents

Applicability

Environment

Overview

Preparation and Prerequisites

Configuration

Configuring Juniper SSL VPN for Two Factor Authentication

Testing SafeNet Authentication

Advanced Configuration

Adding Filter-Id to a User Realm in Juniper SSL VPN

Adding Filter-Id attribute to Remote Access Policy (Windows 2003)

Creating new Network Policy with Filter-Id attribute (Windows 2008)

Juniper SSL VPN and GrIDsure support

Prerequisites

Adding the SafeNet Authentication Service - Self Service URL to the gridsure.js file

Adding the SafeNet GrIDsure enabled Sign-in page.

Assigning the SafeNet GrIDsure enabled Sign-in page to a Sign-in Policy.

Login as a SafeNet GrIDsure enabled user.


Applicability

The information in this document applies to:

• SafeNet Authentication Service (SAS): A cloud authentication service of SafeNet Inc.

• SafeNet Authentication Service – Service Provider Edition (SAS-SPE): The software used to build a SafeNet authentication service.

• SafeNet Authentication Service – Private Cloud Edition (SAS-PCE): A term used to describe the implementation of SAS-SPE on-premise.


Environment

This integration guide is applicable to:

Summary

Security Partner Juniper Networks


Overview


Preparation and Prerequisites

• Ensure a test user account can authenticate through the Juniper SSL VPN with a static password before configuring the Cisco Secure ASA to use RADIUS authentication.

• Ensure that Ports 1812 UDP and 1813 UDP are open to the SafeNet Authentication Service.

• If using SAS-SPE or SAS-PCE:

  • Configure the SafeNet Authentication Service Agent for IAS/NPS or Juniper Steel Belted RADIUS to accept authentication requests from the ASA device.

  • Add the test user account to SAS and assign a token.

• If using SAS:

  • Add the Juniper SSL VPN as an Auth Node (Comms tab | Auth Nodes Module)

  • Add the test user account to SAS and assign a token.

Configuration

Configuring Juniper SSL VPN for Two Factor Authentication

• Log into the Juniper SSL VPN Admin web portal.

• To add a new Radius Server, click on “Auth Servers”.

• From the dropdown box, select “Radius Server”.

• Enter a Name for the “New Radius Server”.

• Enter the IP address or DNS name of the Primary SafeNet Authentication Service Radius Server into the “Radius Server” field.

• Enter a Shared Secret into the “Shared Secret” field.

• Place a checkmark in the “Users authenticate using tokens and one-time passwords” checkbox.

• Click “Save Changes” when completed.

Optional:

• If there is a Secondary SafeNet Authentication Service Radius Server, please fill in all fields within the Backup Server section.

NOTE: If the Juniper SSL VPN has other realms created, then please skip the rest of this section and go to “Advanced Configuration” section.

After the New Radius Server has been created, the Radius Server needs to be applied to a User Realm.

• On the left hand side, select User Realms

• Select Users

Under the Servers section, there will be three dropdown fields. They are:

• Authentication

• Directory/Attribute

• Accounting

Change “Authentication” and “Accounting” to use the new Radius Server that was just created. Change “Directory/Attribute” to use “Same as above”.

Click “Save Changes” when completed.

Next, check the Sign-in Policies section to ensure that the default User URL is set to allow all User Realms to authenticate.

Ensure that the Authentication Realm(s) section says ALL. This means that any User Realm created within the Juniper SSL VPN can authenticate to this User URL.

Testing SafeNet Authentication

The next step is to test authentication against SafeNet Authentication Service via RADIUS with the newly configured Juniper SSL VPN web login portal.

Open up a web browser and go to: http://JuniperSSLVPN.DNS.Name/

Enter in a username and the One Time Password from a SafeNet Token.

If the authentication is successful, the user will see the following screen.

Advanced Configuration

After configuring the Juniper SSL VPN for Radius authentication, the Juniper device may have issues applying the proper User Realm to the user that is authenticating. This happens because the RADIUS Server returns an access-accept, but the Juniper SSL VPN does not know which role to map to that user. To resolve this issue, a RADIUS Return Attribute of Filter-Id is added to the role mapping.

Adding Filter-Id to a User Realm in Juniper SSL VPN

Log into the Juniper SSL VPN Administrative web portal.

• Go down to the “Users” section

• Highlight “User Realms”

• Then highlight the User Realm where the Filter-Id attribute will be added

Under the Role Mapping tab, click on the “New Rule…” button.

In the new Role Mapping Rule webpage please perform the following:

• Under the “rule based on:”, click the dropdown menu and select “User attribute”

• Then click the Update button

• Under the “Attribute:” section, click the dropdown menu and select Filter-Id (11)

• In the textbox below, type in a name for the Filter-Id (e.g. Information Technology)

• Under the “…then assign these roles”, select the Role(s) that will be assigned to users after a successful authentication and the correct Filter-Id has been returned to the Juniper SSL VPN device.

Click “Save Changes” when finished.

Next, check the “Sign-in Policies” section to ensure that the default User URL is set to use the User Realm that has the Filter-Id added as a Role Mapping.

Ensure that the Authentication Realm(s) section has only the correct User Realm displayed. This means that only that User Realm created within the Juniper SSL VPN can authenticate to this User URL.
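The role-mapping behaviour described in this section, as an added troubleshooting example that is not part of the original guide and is not SafeNet or Juniper code: it verifies a RADIUS reply's Response Authenticator with the shared secret (RFC 2865), extracts Filter-Id (attribute 11) and applies a role map. The shared secret, Request Authenticator and the role name IT-Staff are constructed values, and exact string matching of the Filter-Id is an assumption.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # attribute type, listed as "Filter-Id (11)" in the rule editor

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a signed RADIUS reply (stands in for the server in this sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_reply(packet, request_auth, secret):
    """Check the Response Authenticator, then return (code, {type: [values]})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    want = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def roles_for(packet, request_auth, secret, role_map):
    """Mimic a 'User attribute' rule: Filter-Id value -> roles; [] means no role."""
    code, attrs = parse_reply(packet, request_auth, secret)
    values = attrs.get(FILTER_ID, []) if code == ACCESS_ACCEPT else []
    return [r for v in values for r in role_map.get(v.decode("utf-8", "replace"), [])]

if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))   # constructed values
    rules = {"Information Technology": ["IT-Staff"]}              # hypothetical role
    ok = build_reply(ACCESS_ACCEPT, 7, req_auth, [(FILTER_ID, b"Information Technology")], secret)
    print(roles_for(ok, req_auth, secret, rules))   # Filter-Id returned: role assigned
    print(roles_for(build_reply(ACCESS_ACCEPT, 7, req_auth, [], secret), req_auth, secret, rules))
```

An empty result for an accepted reply is the condition this section resolves: the authentication succeeded, but no Filter-Id came back for the role mapping rule to match.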

Adding Filter-Id attribute to Remote Access Policy (Windows 2003)

Network Policy Server, on Windows 2008, refer to Creating new Network Policy with Filter-Id attribute (Windows 2008) on page 15.

Open up Microsoft Internet Authentication Service (2003)

• Select “Remote Access Policies”

• Right click the Remote Access Policy created for SafeNet (in this example “Authenticate to BlackShield”) and select “Properties”

Perform the following in the “Authenticate to BlackShield Properties” popup:

• NAS-Port-Type matches “Ethernet”

• Click the “Remove” button, then click the “Add” button

• Select “Day-And-Time-Restrictions”, and click “Add”

• Select the “Permitted” radio button

• Click “OK”, and then “Apply”

• In the “Authenticate to BlackShield Properties” popup, click “Edit Profile…”

• In the “Edit Dial-in Profile” popup, click the “Advanced” tab.

• Click the “Add” button

• In the new pop up, click the “Add” button

• Another pop up appears. Enter in the Filter-Id value that was entered in Adding Filter-Id to a User Realm in Juniper SSL VPN on page 11.

• Click “OK” when finished, “OK” again, then click “Close”

The “Advanced” tab will now display the new Filter-Id that has been added to this Remote Access Policy.

• Click “OK”, and then “OK” again when finished.

• Expand “Connection Request Processing” in IAS

• Select “Connection Request Policies”

• In the Authentication tab, select the “Authenticate requests on this server” radio button

• Click “OK” when finished.

• After all changes have been made, open up Windows Services, and restart “Internet Authentication Service”.

Creating new Network Policy with Filter-Id attribute (Windows 2008)

This section is specifically for adding a new Network Policy along with a Filter-Id attribute within Windows 2008 Network Policy Server (NPS). To add a Filter-Id attribute to a Remote Access Policy in Microsoft Internet Authentication Service on Windows 2003, refer to Adding Filter-Id attribute to Remote Access Policy (Windows 2003) on page 12.

• Open up Microsoft Network Policy Server (2008)

• Expand “Policies”

• Select “Network Policies”

• Right click “Network Policies” and select “New”

• Enter in a name for the new Network Policy under the “Policy name” field

• Ensure “Type of network access server” is set to “Unspecified”

• Click the “Add” button to add a new condition

• Scroll down and select “Day and Time Restrictions”, and Click “Add”

• Select the “Permitted” radio button, and then Click “OK”

• Click “Next” to continue

• Select the “Access granted” radio button

• Click the “Next” button three times

• Click the “Add” button to add a new attribute

• Select “Filter-Id”, and click “Add”

• Click the “Add” button, then enter in the Filter-Id value that was entered in Adding Filter-Id to a User Realm in Juniper SSL VPN on page 11.

• Click “OK”, then “OK” again

• Click the “Close” button

• Click “Next”

• Then click “Finish” to create the New Network Policy

• Select “Connection Request Policies” in NPS

• Right click on the Policy that was created for

• Select the “Settings” tab

• Then select “Authentication” on the left hand side

• On the right hand side, select the “Authenticate requests on this server” radio button

• Click “OK” when finished

• After all changes have been made, open up Windows Services, and restart “Network Policy Server”

Juniper SSL VPN and GrIDsure support

The Juniper SSL VPN login page can be configured to authenticate hardware and GrIDsure token users.

1. The user enters the Juniper SSL VPN URL into their web browser.

2. The Juniper SSL VPN login page displays a Username and OTP field as well as a Login and Get GrID button.

3. The user enters their username into the Username field then selects Get Grid. The request is submitted from the user’s web browser to the SafeNet Authentication Service Self Service site.

4. The SafeNet Authentication Service Self Service site displays the user’s GrIDsure Grid within the Juniper SSL VPN login page.

5. The user enters their GrIDsure password into the OTP field then submits the request.

6. The Juniper SSL VPN device performs a RADIUS authentication request against the SafeNet Authentication Service. If the SafeNet credentials entered are valid, the user is presented with their Juniper SSL VPN portal; otherwise, the attempt is rejected.

Prerequisites

1. The Juniper SSL VPN device must support uploading custom login pages (Juniper SSL VPN model SA 2500 or higher).

3. The Juniper device must already be configured to perform RADIUS authentication against the SafeNet Authentication Service.

Adding the SafeNet Authentication Service - Self Service URL to the gridsure.js file

1. Open gridsure.js with a text editor.

2. Change the value of gridMakerURL to reflect the location of your SafeNet Authentication Service Self Service website then save the file.

Example:

• var gridMakerURL = "https://www.mycompany.com/safenetss/index.aspx?getChallengeImage=true&userName=";

Adding the SafeNet GrIDsure enabled Sign-in page.

1. Login as an administrator to the Juniper device.

2. Select Authentication, Signing In, Sign-In Pages.

3. Select the "Upload Custom Pages" button.

4. In the "Sample Templates Files" section select "Sample". Download sample.zip to a temporary folder.

5. Rename the sample.zip file to cryptocard.zip.

6. Add the gridsure.js and LoginPage.thtml files to cryptocard.zip (if prompted, overwrite the existing LoginPage.thtml file).

7. In "Upload Custom Sign-In Pages", enter "CRYPTOCard GrID Enabled" into the Name field and in "Page Type" select "Access". In "Templates File" browse to the cryptocard.zip file then select the "Upload Custom Pages" button.

Assigning the SafeNet GrIDsure enabled Sign-in page to a Sign-in Policy.

1. Login as an administrator to the Juniper device.

2. Select Authentication, Signing In, Sign-In Policies.

3. Select the CRYPTOCard authentication enabled "User URL".


Login as a SafeNet GrIDsure enabled user.

1. Open a web browser and browse to the SafeNet enabled Juniper SSL VPN sign-in page.

2. Enter the username then select the "Get Grid" button; a grid will appear on the screen.

3. Enter the PIP into the password field then select Sign-in.

Optional - Enable Challenge-response requests

1. Login as an administrator to the Juniper device.

2. Select Authentication, Auth. Servers.

3. Select the SafeNet RADIUS enabled authentication server.

4. In "Custom Radius Rules" select "New Radius Rule...".

5. In "Display Name" enter "Display challenges", set "Response Packet Type" to "Access Challenge". In "Attribute criteria" set "Radius Attribute" to "Reply-Message(18)" with a "Value" of "*". In "Then take action..." select "show Generic Login page".
