Note: Using Juniper double authentication (an LDAP password plus a one-time password) is optional.
1.0 Introduction
The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and
partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure
access via a VPN over existing Internet connections requires strong, two-factor authentication to protect
resources. The ActivIdentity solutions that work with Juniper Networks incorporate SSL VPN solutions with
versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
• ActivIdentity® 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated
with a mobile workforce remotely accessing systems and data.
• ActivIdentity 4TRESS™ Authentication Server (AS)—Offers support for multiple authentication
methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS,
etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and
transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS FT2011 Web token authentication with the Juniper
Networks Secure Access (SA) Series of appliances via a RADIUS channel. Use this handbook to enable
authentication via a Web soft token for use with an SSL-protected Juniper VPN.
1.2 Prerequisites
• ActivIdentity 4TRESS Authentication Server FT2011.
• Juniper SA version 7.1.x installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Soft Token Portal to enroll web tokens.
• The Juniper login page has been customized.
• The ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in
page on the Juniper network.
You can configure the sign-in page so that users do not have to use static LDAP passwords.
ActivIdentity 4TRESS FT2011 Web Tokens and Juniper Secure Access | RADIUS Channel Integration Handbook
This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series
appliance, the user specifies an authentication realm, which is associated with a specific authentication server.
The Juniper SA Series appliance forwards the user’s credentials to this authentication server to verify the user’s
identity.
You will create two authentication servers:
• An LDAP Server to validate network passwords (optional), and
• An ActivIdentity 4TRESS AS RADIUS Server to validate the user’s one-time password generated by
a Web token.
2.1 Procedure 1: Create New LDAP Server Instance
To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on
the SA Series SSL VPN appliance).
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server.
The following dialog is displayed.
4. Select the Authentication required to search LDAP option, and then enter the appropriate Admin DN and Password.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and
make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).
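The Filter field in step 5 is a template: the appliance replaces <USER> with whatever name was typed on the sign-in page before searching the directory. The following added example (not from the handbook or from Juniper) shows what that substitution has to do to stay safe: escape the sign-in name per RFC 4515 so that filter metacharacters in it cannot change the shape of the search, plus a small check that the finished filter is still a single equality assertion. The template string and the sample user names are constructed for the example.

```python
"""Safe substitution of a sign-in name into an LDAP 'Finding user entries' filter.

Added example (not the appliance's code). The template 'samaccountname=<USER>'
is the one given in the handbook; the user names below are constructed inputs.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One 'attribute=value' assertion whose value contains no unescaped metacharacters.
_SINGLE_ASSERTION = re.compile(
    r"^[A-Za-z][A-Za-z0-9.;-]*=(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})+$"
)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (non-ASCII characters stay as they are)."""
    return "".join(_LDAP_SPECIAL.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the escaped sign-in name for <USER>, as the filter field requires."""
    return template.replace("<USER>", escape_filter_value(username))


def is_single_equality(filter_text: str) -> bool:
    """True if the filter is exactly one equality assertion, optionally wrapped in
    parentheses, with every metacharacter in the value escaped. A filter that fails
    this check would match more entries than the one user being looked up."""
    body = filter_text
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    return _SINGLE_ASSERTION.fullmatch(body) is not None


if __name__ == "__main__":
    template = "samaccountname=<USER>"
    for name in ("jdoe", "jdoe)(objectClass=*"):          # constructed sign-in names
        built = build_user_filter(template, name)
        print(f"{built!r:50} single assertion: {is_single_equality(built)}")
```

The second sample name contains parentheses and a wildcard; after escaping, the built filter still matches only the literal account name, and is_single_equality reports that the search remains a single assertion. Run the unescaped text through is_single_equality and it fails, which is the condition a reviewer of a custom filter would want flagged.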
2.2 Procedure 2: Create New RADIUS Authentication Server
When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to
recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the
client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the
following steps.
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server.
The following dialog is displayed.
3. On the Settings tab, enter the following attributes.
• Name—Specify a name to identify the server instance.
• NAS-Identifier—Optional.
• Radius Server—Specify the name or IP address.
• Authentication Port—Enter the authentication port value for the RADIUS server. Typically,
this port is 1812.
• Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS
server to recognize the SA Series SSL VPN appliance as a client.
• Accounting Port—Accept the default, 1813.
• Timeout—Accept the default, 30 seconds.
• Retries—Accept the default, 0 seconds.
4. Click Save.
An authentication realm specifies the conditions that users must meet in order to sign into the SA Series
appliance. A realm consists of a grouping of authentication resources.
1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.
• Authentication #2—Select 4TRESS AS from the drop-down list (the name of the
authentication server might be different).
• By default, Secure Access submits the <username> session variable that holds the same
username used to sign in to the primary authentication server. To automatically submit a
username to the secondary server, select the option, predefined as.
• If you want to prompt the user to manually submit a password to the secondary server
during the Secure Access sign-in process, then select the option, Password is specified by user on sign-in page.
• Select the option, End session if authentication against this server fails.
3. Click Save Changes (not illustrated).
4. To configure one or more role mapping rules (based on the role defined previously), select the Role Mapping
tab.
2.5 Procedure 5: Configure New Juniper Sign-In Page
PIN usage is dependent on the custom page deployed. It is possible to hide the Web token, and in this case, it’s
necessary to apply a Web token without a PIN. The PIN would be replaced by the user’s LDAP password.
Please call your ActivIdentity technical contact to obtain a sample page and to discuss possible combinations of
PIN usage.
FIGURE 1: Sample Juniper Sign-In Page
After you obtain a custom file, you can upload it directly using the Sign-in Pages tab (illustrated next).
1. From the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in Pages.
User sign-in policies also determine the realm(s) that users can access.
1. To create or configure user sign-in policies, in the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in Policies.
2. To create a new sign-in policy, click New URL.
3. In the Sign-in URL field that is displayed, enter the URL that you want to associate with the policy. Use the
format <host>/<path>, where <host> is the host name of the Secure Access device and <path> is any
string you want users to enter.
4. For Sign-in Page, select the sign-in page that you want to associate with the policy.
5. For Authentication realm, specify which realm(s) map to the policy, and how users should pick from
amongst realms.
6. Click Save Changes.
3.0 ActivIdentity 4TRESS AS Configuration: Sequence of Procedures
This chapter describes the procedures required to configure ActivIdentity 4TRESS Authentication Appliance
support for an RFE component installed on an appliance.
You will perform these steps using the ActivIdentity 4TRESS Management Console. Be sure you have the
ActivIdentity 4TRESS Authentication Appliance Administration Guide: Management Console technical publication
on hand. This chapter does not provide all the details.
3.1 Configure RADIUS Channel
A RADIUS channel for the RFE deployment defines a group of access controllers and specifies how to handle
authentication requests.
Using a policy configured for the channel, you will filter the requests according to the IP address or hostname of
the access controllers.
1. Launch the ActivIdentity 4TRESS Management Console.
2. When prompted, enter your User name and Password, and then click Submit.
3. Select the Configuration tab, and then in the pane to the left under Policies, click Channels.
Important: To configure the RADIUS channel policy, you can either create a new channel using the
Add or Copy options, or edit an existing channel by clicking the channel name in the list displayed to
the right of the page. ActivIdentity recommends that you use the Remote Access channel—this is the
pre-defined RADIUS channel.
4. In the list displayed to the right when you click Channels, click the VPN Remote Access channel.
5. In the VPN Remote Access Details section displayed, accept the default for Description, or change it. Make
sure the Name, Type, and Code are correct.
6. Click Channel Policy to expand the section and display the configuration options.
7. Enter and confirm the Shared secret.
The Shared secret encrypts the information exchanges between the appliance(s) and the access controllers.
The secret must be the same for each controller configured in the channel policy. The secret must not exceed
40 characters. By default, the secret for a pre-defined gate is ActivIdentity.
8. Click Add.
The Add Authorized IP addresses or host names list is displayed. Use these settings to configure the
access controllers that are authorized to use the gate for authentication.
Important: You can select either a host name—and then enter the name of the machine hosting the
access controller—or you can enter an IP address, and then enter an address and range of the
access controller. ActivIdentity recommends that you use an IP address rather than a host name. If the
DNS cannot translate the host name, then the RFE will not restart.
9. For an IP address, enter the valid network range (for example, 192.168.0.0/24).
10. Click Save.
The access controller is displayed in the Channel page. Now, it is authorized to use the gate for
authentication requests.
Important: Make sure that each access controller is configured with the shared secret you specified
above. If necessary, repeat the steps to authorize access for additional controllers.
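Procedure 2 in chapter 2 (the RADIUS server entry on the Juniper SA: server address, port 1812, shared secret) and the channel policy above (the same shared secret on the 4TRESS side, plus the list of authorized access-controller address ranges) are the two halves of one RFC 2865 exchange. The added example below, which is not code from the handbook, from ActivIdentity or from Juniper, walks that exchange in miniature: the NAS side builds an Access-Request carrying the user name and the Web-token OTP as a PAP User-Password hidden under the shared secret; the server side applies the channel policy (discard requests from addresses outside the authorized ranges, recover the OTP with its copy of the secret, answer with an Access-Accept or Access-Reject whose Response Authenticator is keyed with the secret); the NAS then verifies that authenticator before trusting the answer. The shared secret, address ranges, user name and OTP check are all constructed values, and the OTP verification itself is a stand-in callable, since the handbook does not describe the token algorithm.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange with channel-policy checks.

Added example (not the product's code). Secret, address ranges, user name and
the verify_otp callable are constructed stand-ins for the values the handbook
has you configure on both sides.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. With a mismatched secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:          # malformed attribute; stop rather than loop forever
            break
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: str, otp: str, secret: bytes, nas_id: str, ident: int = 1) -> bytes:
    """NAS side (the SA appliance). The Request Authenticator must be fresh and random."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, request_auth)),
        (ATTR_NAS_IDENTIFIER, nas_id.encode()),
    ])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(request: bytes, source_ip: str, channel: dict):
    """Server side, applying the channel policy. channel = {"secret": bytes,
    "authorized": ["192.168.0.0/24", ...], "verify_otp": callable(user, otp) -> bool}.
    Returns the reply, or None when the source is not an authorized access controller."""
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(net) for net in channel["authorized"]):
        return None                      # RFC 2865 s4.1: unknown clients are silently discarded
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    otp = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), channel["secret"], request_auth)
    ok = code == ACCESS_REQUEST and channel["verify_otp"](user, otp.decode(errors="replace"))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", channel["secret"])
    return packet(reply_code, ident, auth, b"")


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its Response Authenticator checks out under our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, reply[4:20])


def is_accept(reply: bytes) -> bool:
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"constructed-secret"       # constructed; within the 40-character limit above
    channel = {"secret": secret, "authorized": ["192.168.0.0/24"],
               "verify_otp": lambda user, otp: (user, otp) == ("jdoe", "482913")}  # stand-in check
    req = build_access_request("jdoe", "482913", secret, "juniper-sa")
    rep = handle_access_request(req, "192.168.0.10", channel)
    print("accept" if rep and is_accept(rep) and verify_reply(rep, req, secret) else "reject")
```

Two failure modes worth noticing when you run it: a request from an address outside the authorized range gets no reply at all (the NAS just times out, which is what the Timeout and Retries settings in Procedure 2 govern), and a secret mismatch between the two sides produces a Reject whose authenticator the NAS cannot verify, so the symptom is the same "authentication failed" whether the OTP or the secret is wrong. Checking the secret on both sides first is the practical takeaway from the handbook's repeated warnings about it.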
3.2 Managing User Repositories: An Overview
Reminder: Have the ActivIdentity 4TRESS Authentication Appliance Administration Guide:
Management Console technical documentation on hand. This document only presents summary
steps.
The “User Repositories” function of the ActivIdentity 4TRESS Management Console defines parameters for using
LDAP servers as the source of user data for the appliance system. By configuring the appliance to communicate
with your LDAP directory server, you enable access to user data for authentication purposes.
3.2.1 Create User Repository
1. Logged into the ActivIdentity 4TRESS Management Console, select the Configuration tab.
2. In the pane to the left, under Environment, click User Repositories.
3. In the page displayed to the right, click Add.
5. Adapter—Select the adapter from the drop-down list that corresponds to your directory type (either Novell®
eDirectory or Microsoft® Active Directory).
6. Host—Enter the IP address or hostname of the server where your LDAP directory resides.
7. Port—Enter the Port (the LDAP directory server’s listening port).
8. In the Configure connection login credentials section of the page, enter the user credentials that the
appliance will use to access the LDAP database. Then enter and confirm the user’s Password. You MUST
indicate the full User DN.
10. Select the Enabled options for the appliance attributes to be mapped to the LDAP attributes.
11. Click Save. A success message appears.
3.3 Configure Administration Groups, User Types, User Repositories, and Authentication
Policies
For details, refer to the ActivIdentity 4TRESS Authentication Appliance Administration Guide: Management
Console technical documentation. This section summarizes the remaining procedures to perform before Web Soft
Tokens can be activated.
1. Use the ActivIdentity 4TRESS Management Console to create and update administration groups within user
types. Then you can add users to the administration groups.
User types define categories of users. A hierarchy of administration groups exists for each user type.
For each user type, you can define:
• User repositories relating to the user type,
• Authentication policies accessible to users of this type, and
• User attributes for users of this type.
There are default user types. Installing the ActivIdentity 4TRESS Appliance Server automatically sets up a
number of user types. For each user type, there are pre-defined system users. Collectively, these sample
users have all the required privileges to administer the system. You can use the base data set as provided, or
modify it to meet your specific requirements.
2. Map the user repository to a user type.
3. Assign an authentication policy to a user type.
4. Map the user repository to an administration group.
Administration groups provide a way to organize (partition) users for administrative purposes, as well as a
way to assign permissions to users through membership of administration groups.
# This value must be equal to the PIN value {0,1} contained in the "Soft Token Engine init string" entry for the
# Device Adapter defined in the Device Types corresponding to the key application.config.4tress.activation.token.web.device.type
4. Click Activate. If soft token configuration has been configured to use a Web soft token with a PIN, then you
will be prompted to enter a PIN, also.
When the proper login credentials have been accepted, the following message is displayed.
Now, the Web token can be used to access Juniper realms.
The user opens a browser and enters the URL the administrator has defined in the Juniper Sign-in policy. The
user will be redirected to the 4TRESS AS authentication portal, and then authenticates as a 4TRESS user. When
authenticated, the user will be redirected to the Juniper pages.
4.2 Scenario 1: Sample Authentication with Web Soft Token Launched in the Sign-In Page
Prerequisites: The Sign-In page must have been customized for users to be able to launch Web tokens in an
HTML page. If you have not already done so, then contact your ActivIdentity technical representative to obtain an
appropriate file. Also, you must have activated the token (refer to the previous section in this document).
You can use a Web token with a PIN or without a PIN. You can use an LDAP password to replace the PIN or to
complement it (depending on Juniper configuration).
FIGURE 2: Illustration of User Authentication Web Soft Token Launched in Sign-In Page (Requires PIN)
4.3 Scenario 2: Sample Authentication with Hidden Web Soft Token without PIN
Prerequisites: The Sign-In page must have been customized to hide the Web Token in the HTML page and to
have the OTP automatically copied and pasted into a hidden field. If you have not already done so, then contact
your ActivIdentity technical representative to obtain an appropriate file. Also, you must have activated the token
(refer to the previous section in this document).
You can use a Web token with or without a PIN, but you must use an LDAP password to replace the PIN.
FIGURE 3: Illustration of User Authentication, Hidden Web Soft Token (Does Not Require PIN)
Americas +1 510.574.0100
US Federal +1 571.522.1000
Europe +33 (0) 1.42.04.84.00
Asia Pacific +61 (0) 2.6208.4888
Email info@actividentity.com
Web www.actividentity.com
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced
herein are either registered trademarks or trademarks of HID Global Corporation in the United
States and/or other countries. The absence of a mark, product, service name or logo from this
list does not constitute a waiver of the trademark or other intellectual property rights concerning
that name or logo. Juniper Networks and the Juniper Networks logo are registered trademarks
of Juniper Networks, Inc. in the United States and other countries. The names of other third-party
companies, trademarks, trade names, service marks, images and/or products that
happen to be mentioned herein are trademarks of their respective owners. Any rights not
expressly granted herein are reserved.