ActivIdentity® 4TRESS™ AAA
Web Tokens
and Juniper
Document Version 2.0 | Released | May 1, 2012
®
Secure Access
Integration Handbook
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 2
External Use | May 1, 2012 | © 2012 ActivIdentity
Table of Contents
List of Figures ............................................................................................................................................................. 3
1.0 Introduction ....................................................................................................................................................... 4
1.1 Scope of Document .................................................................................................................................... 4
1.2 Prerequisites .............................................................................................................................................. 4
2.0 Juniper Secure Access Configuration ............................................................................................................... 5
2.1 Procedure 1: Create New LDAP Server Instance ...................................................................................... 5
2.2 Procedure 2: Create New RADIUS Authentication Server ........................................................................ 7
2.3 Procedure 3: Define Juniper User Role(s) ................................................................................................. 9
2.4 Procedure 4: Define Juniper Authentication Realm ................................................................................... 9
2.5 Procedure 5: Configure New Juniper Sign-In Page ................................................................................. 12
2.6 Procedure 6: Juniper Sign-in Policies ...................................................................................................... 14
3.0 ActivIdentity 4TRESS AAA Configuration ....................................................................................................... 16
3.1 Procedure 1: Configure Juniper Gate ...................................................................................................... 16
3.2 Procedure 2: Assigning Group(s) to the Juniper Gate ............................................................................. 18
4.0 Configure for Soft Token Activation ................................................................................................................ 20
4.1 Procedure 1: Enable Soft Token Activation ............................................................................................. 20
4.2 Procedure 2: Configure Soft Token Activation Portal .............................................................................. 21
5.0 Sample Authentication Using Web Soft Token Authentication ....................................................................... 24
5.1 Prerequisite: User Enrolls Web Token and Computer ............................................................................. 24
5.2 Scenario 1: Authenticating with Web Soft Token Launched in the Sign-In Page .................................... 26
5.3 Scenario 2: Authentication with Hidden Web Soft Token Without PIN .................................................... 27
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 3
External Use | May 1, 2012 | © 2012 ActivIdentity
List of Figures
FIGURE 1: Sample Juniper Sign-In Page ............................................................................................................ 12
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 4
External Use | May 1, 2012 | © 2012 ActivIdentity
Note: Using Juniper double authentication (an LDAP password plus a one-time password) is optional.
1.0 Introduction
The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and
partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure
access via a VPN over existing Internet connections requires strong, two-factor authentication to protect
resources. The ActivIdentity solutions that work with Juniper Networks incorporate SSL VPN solutions with
versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
• ActivIdentity® 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated
with a mobile workforce remotely accessing systems and data.
• ActivIdentity 4TRESS™ Authentication Server (AS)—Offers support for multiple authentication
methods that are useful for diverse audiences across a variety of service channels (SAML, Radius,
etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and
transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with the Juniper
Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via a Web soft
token for use with an SSL-protected Juniper VPN.
1.2 Prerequisites
• The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already
configured.
• Juniper SA version 7.1.x installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Self Help Desk to enroll web tokens.
• The Juniper login page has been customized (illustrated in this handbook).
• The ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in
page on the Juniper network.
You can configure the sign-in page so that users do not have to use static LDAP passwords.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 5
External Use | May 1, 2012 | © 2012 ActivIdentity
2.0 Juniper Secure Access Configuration
This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series
appliance, the user specifies an authentication realm, which is associated with a specific authentication server.
The Juniper SA Series appliance forwards the user’s credentials to this authentication server to verify the user’s
identity.
You will create two authentication servers:
• An LDAP Server to validate network passwords, and
• An ActivIdentity 4TRESS AAA RADIUS Server to validate the user’s one time password generated by
a Web token.
2.1 Procedure 1: Create New LDAP Server Instance
To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on
the SA Series SSL VPN appliance).
Getting Started
1. In the Admin
console, expand the
Authentication
menu, and then
click Auth. Servers.
2. From the New drop-down list, select LDAP
Server, and then click New Server.
The following dialog is displayed.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 6
External Use | May 1, 2012 | © 2012 ActivIdentity
• Name—Specify a name to identify the server instance.
• LDAP Server—Specify the name or IP address of the LDAP server that the SA Series SSL
VPN Appliance uses to validate your users.
• LDAP Port—Specify the port on which the LDAP server listens.
• Backup servers and ports—OPTIONAL—Specify parameters for backup LDAP servers.
• LDAP Server Type—Specify the type of LDAP server against which you want to authenticate
users.
• Connection, Connection Timeout, Search Timeout—Accept the defaults.
3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified
LDAP server(s).
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 7
External Use | May 1, 2012 | © 2012 ActivIdentity
4. Select the option, Authentication required to search LDAP and enter the appropriate Admin DN and
Password.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and
make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).
2.2 Procedure 2: Create New RADIUS Authentication Server
When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to
recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the
client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the
following steps.
Getting Started
1. In the Admin
console, expand the
Authentication
menu, and then
click Auth. Servers.
2. From the New drop-down list, select Radius Server,
and then click New Server.
The following dialog is displayed.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 8
External Use | May 1, 2012 | © 2012 ActivIdentity
3. On the Settings tab, enter the following attributes.
• Name—Specify a name to identify the server instance.
• NAS-Identifier—Optional.
• Radius Server—Specify the name or IP address.
• Authentication Port—Enter the authentication port value for the RADIUS server. Typically,
this port is 1812.
• Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS
server to recognize the SA Series SSL VPN appliance as a client.
• Accounting Port—Accept the default,1813.
• Timeout—Accept the default, 30 seconds.
• Retries—Accept the default, 0 seconds.
4. Click Save.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 9
External Use | May 1, 2012 | © 2012 ActivIdentity
2.3 Procedure 3: Define Juniper User Role(s)
A user role is an entity that defines user session parameters, personalization settings, and enabled access
features.
1. From the Admin console, expand the Users menu, point to User Roles, and then click New User Role.
2. Configure the new user role according to your requirements.
2.4 Procedure 4: Define Juniper Authentication Realm
An authentication realm specifies the conditions that users must meet in order to sign into the SA Series
appliance. A realm consists of a grouping of authentication resources.
1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 10
External Use | May 1, 2012 | © 2012 ActivIdentity
2. On the General tab, enter the following attributes, and then select the following options.
• Name—Enter a name to label this realm.
• Description—Enter a meaningful description.
• In the Servers section:
• Select an option from the Authentication drop-down list to specify an authentication
server to use for authenticating users who sign in to this realm (for example, the LDAP
server).
• Accept the default for Directory/Attribute (Same as above).
• Accounting—Accept the default, None.
• To submit secondary user credentials to enable two-factor authentication to access the
Secure Access device, select the option, Additional authentication server.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 11
External Use | May 1, 2012 | © 2012 ActivIdentity
• Authentication #2—Select 4TRESS AAA from the drop-down list (the name of the
authentication server might be different).
• By default, Secure Access submits the <username> session variable that holds the same
username used to sign in to the primary authentication server. To automatically submit a
username to the secondary server, select the option, predefined as.
• If you want to prompt the user to manually submit a password to the secondary server
during the Secure Access sign-in process, then select the option, Password is specified
by user on sign-in page.
• Select the option, End session if authentication against this server fails.
3. Click Save Changes (not illustrated).
4. To configure one or more role mapping rules (based on the role defined previously), select the Role Mapping
tab.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 12
External Use | May 1, 2012 | © 2012 ActivIdentity
2.5 Procedure 5: Configure New Juniper Sign-In Page
PIN usage is dependent on the custom page deployed. It is possible to hide the Web token, and in this case, it’s
necessary to apply a Web token without PIN. The PIN would be replaced by the user’s LDAP password.
Please call your ActivIdentity technical contact to obtain a sample page and to discuss possible combinations of
PIN usage:
• Username plus LDAP Password plus visible Web token plus PIN plus OTP generated by the Web
token.
• Username plus LDAP Password plus visible Web token without PIN plus OTP generated by the Web
token.
• Username plus LDAP Password plus hidden Web token without PIN plus OTP generated by the Web
token hidden in the page.
• Username plus visible Web token plus PIN plus OTP generated by the Web token.
FIGURE 1: Sample Juniper Sign-In Page
After you obtain a custom file, you can upload it directly using the Sign-in Pages tab (illustrated next).
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 13
External Use | May 1, 2012 | © 2012 ActivIdentity
1. From the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in
Pages.
2. Click Upload Custom Pages.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 14
External Use | May 1, 2012 | © 2012 ActivIdentity
3. Enter an appropriate Name, select the Page Type option, Access, and then click the Browse button.
4. Locate the custom page file and load it.
5. Click Save Changes.
2.6 Procedure 6: Juniper Sign-in Policies
User sign-in policies also determine the realm(s) that users can access.
1. To create or configure user sign-in policies, in the Admin console, expand the Authentication menu, point to
Signing In, and then click Sign-in Policies.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 15
External Use | May 1, 2012 | © 2012 ActivIdentity
2. To create a new sign-in policy, click New URL.
3. In the Sign-in URL field that is displayed, enter the URL that you want to associate with the policy. Use the
format <host>/<path>, where <host> is the host name of the Secure Access device, and <path> is any
string you want users to enter.
4. For Sign-in Page, select the sign-in page that you want to associate with the policy.
5. For Authentication realm, specify which realm(s) map to the policy, and how users should pick from
amongst realms.
6. Click Save Changes.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 16
External Use | May 1, 2012 | © 2012 ActivIdentity
3.0 ActivIdentity 4TRESS AAA Configuration
This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server.
3.1 Procedure 1: Configure Juniper Gate
A gate for the 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify
administration. For configuration details, refer to ActivIdentity 4TRESS AAA Server technical documentation.
1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and click New Gate.
3. Enter a Gate name (can be any string).
4. Select the option, RADIUS, corresponding to the protocol your Juniper uses.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.
6. Click Add, and then click OK.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 17
External Use | May 1, 2012 | © 2012 ActivIdentity
7. The 4TRESS AAA Server uses the RADIUS shared secret to encrypt data between Juniper and the 4TRESS
AAA authentication server. Click Shared Secret, and then modify the appropropriate shared secret for your
system (see section 2.2 Procedure 2: Create New RADIUS Authentication Server on page 7).
8. Click OK.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 18
External Use | May 1, 2012 | © 2012 ActivIdentity
3.2 Procedure 2: Assigning Group(s) to the Juniper Gate
Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to
the ActivIdentity 4TRESS AAA Administration Guide.
1. To assign groups to the Juniper Gate, in the tree in the left pane, select the group that you want to assign to
the gate.
2. Use the Group / Gate Assignments section of the page to specify gate(s) for the group’s users to utilize in
order to access a protected resource.
3. Click Add.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 19
External Use | May 1, 2012 | © 2012 ActivIdentity
4. Select the Gate, the AZ profile. and the AC profile.
5. Click OK.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 20
External Use | May 1, 2012 | © 2012 ActivIdentity
4.0 Configure for Soft Token Activation
4.1 Procedure 1: Enable Soft Token Activation
1. Launch the ActivIdentity 4TRESS AAA Server Administration Console and log in.
2. In the pane to the left, select Groups -> All Users.
3. Select the option, Allow Soft Token activation option (for the corresponding group).
4. Click Save (not illustrated), and then export the changes to the AAA Server(s).
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 21
External Use | May 1, 2012 | © 2012 ActivIdentity
4.2 Procedure 2: Configure Soft Token Activation Portal
1. Launch the Web Help Desk Portal.
2. Select the Login type option, static.
3. Enter your Login and Password, and then click Login.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 22
External Use | May 1, 2012 | © 2012 ActivIdentity
4. Select the Configuration tab.
• Initial PIN—Set the PIN.
• In the User Search method policy section, select By Groups or queries.
• In the Device Management section, set the following options and parameters.
• To activate the device assignment and unassignment functions of the Web Help Desk,
select the option, Enable device assignment functions.
• Select the option, Show initial PIN….
• To assign the same token to more than one user, select the option, Allow assign
already assigned tokens.
• To assign soft tokens, enter the Engine Soft Token init String for each type of soft
token required.
• Enter a string in the Engine Web Token init String field.
Note: For more information about the init strings, refer to the ActivIdentity 4TRESS
AAA Server Soft Token Solution Guide.
• For Max number of soft tokens per user, set the maximum number of soft tokens that
each user can be assigned.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 23
External Use | May 1, 2012 | © 2012 ActivIdentity
If you do not want to use PIN’s, then apply the following:
PIN = 1 (Enforced). Soft Token application PIN enforcement policy.
PIN = 0 (No PIN)
Note: Depending on the activation code, a soft token forces the PIN.
For details on PIN usage, see section 2.5 Procedure 5: Configure New Juniper Sign-In Page on page
12.
It’s important to select an authentication policy (LDAP password at a minimum). By default, none are selected.
5. In the Selfdesk portal self binding policy section, select the following options:
• To activate device self assignment functions, select Enable initial self binding.
• To activate additional device self assignment functions, select Enable self binding on
additional device. For this setting to work, you must make sure that the LDAP attribute
mapped to the device serial numbers is capable of storing multiple values.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 24
External Use | May 1, 2012 | © 2012 ActivIdentity
5.0 Sample Authentication Using Web Soft Token Authentication
5.1 Prerequisite: User Enrolls Web Token and Computer
1. The user launches the Self Help Desk to enroll a Web token and computer.
2. When prompted, the user selects the LDAP password option, and then enters a username.
3. The user clicks Activate an additional device.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 25
External Use | May 1, 2012 | © 2012 ActivIdentity
4. The user clicks Web Token.
5. The user enters and confirms a PIN and enters a Description (the use has to enter the PIN only if the system
is configured to ask for it.) A confirmation is displayed.
Now the user can use the Web token to access a Juniper Realms.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 26
External Use | May 1, 2012 | © 2012 ActivIdentity
5.2 Scenario 1: Authenticating with Web Soft Token Launched in the Sign-In Page
Notes about this scenario:
• You must have customized the Sign-In Page to launch the Web token as an HTML page. To receive
a sample page, please contact your ActivIdentity technical representative.
• A user must have activated a Web soft token on his/her computer.
• You can use a Web token with a PIN or without a PIN.
• You can use an LDAP password to replace the PIN or to complement it (depending on Juniper
configuration).
For details on how authenticating with a Web soft token works, please refer to 4TRESS AAA documentation.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 27
External Use | May 1, 2012 | © 2012 ActivIdentity
5.3 Scenario 2: Authentication with Hidden Web Soft Token Without PIN
Notes about this scenario:
You must have customized the Sign-In page to hide the Web token in the HTML page and to automatically copy
and paste the one-time password in a hidden field in the HTML page. To receive a sample page, please contact
your ActivIdentity technical representative.
• A user must have activated a Web soft token on his/her computer.
• You can use a Web token without a PIN.
• You must use an LDAP password to replace the PIN.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
P 28
External Use | May 1, 2012 | © 2012 ActivIdentity
Legal Disclaimer
Americas +1 510.574.0100
US Federal +1 571.522.1000
Europe +33 (0) 1.42.04.84.00
Asia Pacific +61 (0) 2.6208.4888
Email info@actividentity.com
Web www.actividentity.com
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced
herein are either registered trademarks or trademarks of HID Global Corporation in the United
States and/or other countries. The absence of a mark, product, service name or logo from this
list does not constitute a waiver of the trademark or other intellectual property rights concerning
that name or logo. Juniper Networks and the Juniper Networks logo are registered trademarks
of Juniper Networks, Inc. in the United States and other countries.The names of other thirdparty companies, trademarks, trade names, service marks, images and/or products that
happened to be mentioned herein are trademarks of their respective owners. Any rights not
expressly granted herein are reserved.
Loading...