
Juniper Networks SSL VPN Implementation Guide


Copyright

Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.


Juniper SSL VPN Overview

This documentation presents an overview and necessary steps to configure a Juniper SSL VPN for use with CRYPTO-MAS and CRYPTOCard tokens. The Juniper SSL VPN is used to create an encrypted tunnel between hosts. CRYPTO-MAS works in conjunction with the Juniper SSL VPN to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a connection to gain access to protected resources.

With CRYPTO-MAS acting as the authentication server for a VPN-enabled resource, an authenticated connection sequence would be as follows:

1. The administrator configures the Juniper SSL VPN to use RADIUS Authentication.


4. Once the PIN + One-time password has been verified against the user’s token and found valid, an access accept message is sent. This is illustrated in Figure 2 below.

If the user does not exist, or the PIN + One-time password is incorrect, an access reject message is sent to the user.


Compatibility

For security reasons, and compatibility with CRYPTOCard Authentication, the version of the Juniper SSL VPN must be release 4.2 or higher.

Prerequisites

The following systems must be verified operational prior to configuring the VPN concentrator to use CRYPTOCard authentication:

1. Verify end users can authenticate through the Juniper SSL VPN with a static password before configuring the concentrator to use CRYPTOCard authentication.

2. Ensure an initialized CRYPTOCard token has been assigned to a CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

• Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:

• Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):

• CRYPTO-MAS RADIUS Authentication port number:

• CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):


Configuring Juniper SSL VPN

In order for the SSL VPN to authenticate CRYPTOCard token users, RADIUS authentication must be enabled.

Adding a RADIUS Server

Choose Signing In > AAA Servers

From the dropdown box next to the New: heading, choose "Radius Server", and click on the "New Server..." button.

Fill in the information for the CRYPTO-MAS RADIUS server obtained from the prerequisites section in the New Radius Server page.

Fill in information for the Backup CRYPTO-MAS RADIUS Server, if one exists.


Under Users > Authentication > 1.Users > General

In this setup page set Authentication to the CRYPTO-MAS RADIUS Server.

In the Servers section of the General Tab, set Authentication to the CRYPTO-MAS RADIUS Server, and click on "Save Changes".

Mapping CRYPTOCard Users to Realms SSL VPN

Once the MAS Server has been added to the SSL VPN setup, you may configure the CRYPTO-Server to map the user to a realm on the IVE.

Under User > Authentication, click local.


Choose the role to assign the user to.

Check off “Stop processing rules when this rule matches”, and click on “Save Changes”. CRYPTOCard must be notified of the Filter-Id name in order to map the user to the realm.

Connect using the SSL VPN client

Once the SSL VPN has been configured correctly with correct RADIUS server information, the end-users should be able to connect via browser to access network resources using their CRYPTOCard token.

• Enter the CRYPTOCard username

• Generate a One-Time-Password from the CRYPTOCard token

• Enter the PIN and One-Time-Password together in the password field, and click OK
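The exchange this guide configures, sketched as an added example (not CRYPTOCard's or Juniper's code): the PIN and One-Time-Password typed together into the password field travel as a single PAP User-Password attribute hidden with the RADIUS shared secret (RFC 2865), and the client verifies the reply before reading the Filter-Id used for role mapping. The shared secret, user name, PIN, OTP and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # RFC 2865 attribute types

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def access_request(ident, user, pin, otp, secret, authenticator):
    """PIN and OTP are concatenated exactly as the user types them."""
    body = attr(USER_NAME, user.encode())
    body += attr(USER_PASSWORD, pap_hide((pin + otp).encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def filter_id_from_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """Return Filter-Id from an Access-Accept, None otherwise; reject forged replies."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply):
        raise ValueError("bad length")
    code, length = reply[0], len(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return None
    pos = 20
    while pos + 2 <= length:
        kind, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if kind == FILTER_ID:
            return reply[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    return None

# Constructed sample values (not from the guide).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
REQUEST = access_request(7, "alice", "1234", "87654321", SECRET, REQ_AUTH)
```

With PAP, the PIN + One-Time-Password is protected on the wire only by this MD5-based hiding, so its confidentiality depends entirely on the strength and secrecy of the shared secret configured on both the SSL VPN and the RADIUS server.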


Solution Overview

Summary

Product Name: Juniper SSL VPN

Vendor Site: http://www.juniper.net/

Supported Client Software: Internet Explorer 6+, Mozilla Firefox 1.5+

Authentication Method: RADIUS Authentication

Supported RADIUS Functionality for Juniper SSL VPN Connection

RADIUS Authentication Encryption: PAP, MSCHAPv2

Authentication Method: One-time password, Challenge-response, Static Password

New PIN Mode:

• User changeable Alphanumeric 4-8 digit PIN

• User changeable Numeric 4-8 digit PIN

• Server changeable Alphanumeric 4-8 digit PIN

• Server changeable Numeric 4-8 digit PIN

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard Corp.

Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft
