HID Juniper and 4TRESS AS User Manual

ActivIdentity® 4TRESS™ FT2011
Web Tokens and Juniper
RADIUS Channel Integration Handbook
Document Version 2.0 | Released | May 1, 2012
ActivIdentity 4TRESS FT2011 Web Tokens and Juniper Secure Access | RADIUS Channel Integration Handbook
P 2
External Use | May 1, 2012 | © 2012 ActivIdentity

Table of Contents

List of Figures .... 3
1.0 Introduction .... 4
    1.1 Scope of Document .... 4
    1.2 Prerequisites .... 4
2.0 Juniper Secure Access Configuration .... 5
    2.1 Procedure 1: Create New LDAP Server Instance .... 5
    2.2 Procedure 2: Create New RADIUS Authentication Server .... 7
    2.3 Procedure 3: Define Juniper User Role(s) .... 9
    2.4 Procedure 4: Define Juniper Authentication Realm .... 9
    2.5 Procedure 5: Configure New Juniper Sign-In Page .... 12
    2.6 Procedure 6: Configure Juniper Sign-In Policies .... 14
3.0 ActivIdentity 4TRESS AS Configuration: Sequence of Procedures .... 15
    3.1 Configure RADIUS Channel .... 15
    3.2 Managing User Repositories: An Overview .... 18
        3.2.1 Create User Repository .... 18
    3.3 Configure Administration Groups, User Types, User Repositories, and Authentication Policies .... 20
    3.4 Create and Activate Web Soft Token (Optionally without PIN) .... 21
    3.5 Modify Soft Token Activation Portal to Use Web Tokens without PINs (Optional) .... 23
    3.6 Activate LDAP Authentication on the Soft Token Portal .... 25
4.0 Sample Authentication Using Web Soft Token Authentication .... 26
    4.1 Prerequisite: Activate Web Soft Token .... 26
    4.2 Scenario 1: Sample Authentication with Web Soft Token Launched in the Sign-In Page .... 28
    4.3 Scenario 2: Sample Authentication with Hidden Web Soft Token without PIN .... 29

List of Figures

FIGURE 1: Sample Juniper Sign-In Page .... 12
FIGURE 3: Illustration of User Authentication Web Soft Token Launched in Sign-In Page (Requires PIN) .... 28
FIGURE 4: Illustration of User Authentication, Hidden Web Soft Token (Does Not Require PIN) .... 29
Note: Using Juniper double authentication (an LDAP password plus a one-time password) is optional.

1.0 Introduction

The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure access via a VPN over existing Internet connections requires strong, two-factor authentication to protect resources. The ActivIdentity solutions that work with Juniper Networks incorporate SSL VPN solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
• ActivIdentity® 4TRESS™ AAA Server for Remote Access: addresses the security risks associated with a mobile workforce remotely accessing systems and data.
• ActivIdentity 4TRESS™ Authentication Server (AS): offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up ActivIdentity 4TRESS FT2011 Web token authentication with the Juniper Networks Secure Access (SA) Series of appliances via a RADIUS channel. Use this handbook to enable authentication via a Web soft token for use with an SSL-protected Juniper VPN.

1.2 Prerequisites

• ActivIdentity 4TRESS Authentication Server FT2011.
• Juniper SA version 7.1.x installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Soft Token Portal to enroll web tokens.
• The Juniper login page has been customized.
• The ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in page on the Juniper network.
• You can configure the sign-in page so that users do not have to use static LDAP passwords.

2.0 Juniper Secure Access Configuration

This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series appliance, the user specifies an authentication realm, which is associated with a specific authentication server. The Juniper SA Series appliance forwards the user’s credentials to this authentication server to verify the user’s identity.
You will create two authentication servers:
• An LDAP Server to validate network passwords (optional), and
• An ActivIdentity 4TRESS AS RADIUS Server to validate the user’s one-time password generated by a Web token.

2.1 Procedure 1: Create New LDAP Server Instance

To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on the SA Series SSL VPN appliance).
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server.
The following dialog is displayed.
• Name: specify a name to identify the server instance.
• LDAP Server: specify the name or IP address of the LDAP server that the SA Series SSL VPN Appliance uses to validate your users.
• LDAP Port: specify the port on which the LDAP server listens.
• Backup servers and ports (OPTIONAL): specify parameters for backup LDAP servers.
• LDAP Server Type: specify the type of LDAP server against which you want to authenticate users.
• Connection, Connection Timeout, Search Timeout: accept the defaults.
3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified LDAP server(s).
4. Select the Authentication required to search LDAP option, and then enter the appropriate Admin DN and Password.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).

2.2 Procedure 2: Create New RADIUS Authentication Server

When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the following steps.
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server.
The following dialog is displayed.
3. On the Settings tab, enter the following attributes.
• Name: specify a name to identify the server instance.
• NAS-Identifier: optional.
• Radius Server: specify the name or IP address.
• Authentication Port: enter the authentication port value for the RADIUS server. Typically, this port is 1812.
• Shared Secret: enter a string. You will also enter this string when configuring the RADIUS server to recognize the SA Series SSL VPN appliance as a client.
• Accounting Port: accept the default, 1813.
• Timeout: accept the default, 30 seconds.
• Retries: accept the default, 0 seconds.
4. Click Save.
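The shared secret entered in step 3 is what ties the SA appliance and the 4TRESS AS RADIUS server together: it hides the one-time password inside the Access-Request and lets the appliance check that an Access-Accept really came from the server that holds the secret. The following Python example is added here and is not code from this handbook or from either product; it builds an Access-Request the way a NAS would (RFC 2865 User-Name plus the OTP hidden under the secret), runs a constructed stand-in for the server side that reveals the OTP and answers Accept or Reject, and performs the Response Authenticator check. The user name, secret, OTP and authenticator values are all constructed.

```python
import hashlib
import hmac
import secrets
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def attr(atype, value):
    # Attribute = Type (1 byte) + Length (1 byte, includes this header) + Value.
    return bytes([atype, len(value) + 2]) + value

def xor_chain(data, secret, authenticator, data_is_hidden):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block).
    out, prev = b"", authenticator   # first block chains from the Request Authenticator
    for i in range(0, len(data), 16):
        result = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (data[i:i + 16] if data_is_hidden else result)
    return out

def hide_password(otp, secret, authenticator):
    padded = otp.ljust(-(-len(otp) // 16) * 16, b"\x00")   # zero-pad to 16-byte blocks
    return xor_chain(padded, secret, authenticator, data_is_hidden=False)

def reveal_password(hidden, secret, authenticator):
    return xor_chain(hidden, secret, authenticator, data_is_hidden=True).rstrip(b"\x00")

def build_access_request(ident, username, otp, secret, authenticator=None):
    # The NAS (here the Juniper SA) picks a fresh random 16-byte Request Authenticator.
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(otp, secret, authenticator))
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs

def build_response(code, ident, attrs, request_auth, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    # True only if a party holding the shared secret produced this reply for this request.
    expected = build_response(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

def server_handle(request, secret, valid_otps):
    # Constructed stand-in for the 4TRESS AS side: reveal the OTP, compare, answer Accept/Reject.
    ident, request_auth, pos, fields = request[1], request[4:20], 20, {}
    while pos < len(request):
        fields[request[pos]] = request[pos + 2:pos + request[pos + 1]]
        pos += request[pos + 1]
    otp = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if valid_otps.get(fields[USER_NAME]) == otp else ACCESS_REJECT
    return build_response(code, ident, b"", request_auth, secret)
```

A mismatched secret on either side shows up as a Reject (the server reveals garbage instead of the OTP) or as a failed Response Authenticator check on the appliance, which is the first thing to look at when step 3 and the 4TRESS RADIUS channel configuration disagree.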

2.3 Procedure 3: Define Juniper User Role(s)

A user role is an entity that defines user session parameters, personalization settings, and enabled access features.
1. From the Admin console, expand the Users menu, point to User Roles, and then click New User Role.
2. Configure the new user role according to your requirements.

2.4 Procedure 4: Define Juniper Authentication Realm

An authentication realm specifies the conditions that users must meet in order to sign into the SA Series appliance. A realm consists of a grouping of authentication resources.
1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.