1.0 Introduction
The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and
partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure
access via a VPN over existing Internet connections requires strong, two-factor authentication to protect
resources. The ActivIdentity solutions that work with Juniper Networks incorporate SSL VPN solutions with
versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
• ActivIdentity® 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated
with a mobile workforce remotely accessing systems and data.
• ActivIdentity 4TRESS™ Authentication Server (AS)—Offers support for multiple authentication
methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS,
etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and
transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with the Juniper
Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via a Web soft
token for use with an SSL-protected Juniper VPN.
1.2 Prerequisites
• The ActivIdentity 4TRESS AAA Server is at the current version (v6.7), with LDAP users and groups
already configured.
• Juniper SA version 7.1.x is installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Self Help Desk to enroll Web tokens.
• The Juniper login page has been customized (illustrated in this handbook).
• The Juniper sign-in page can run double authentication (LDAP, then RADIUS) sequentially from
the same page.
Using Juniper double authentication (an LDAP password plus a one-time password) is optional: you
can configure the sign-in page so that users do not have to enter static LDAP passwords.
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook
This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series
appliance, the user specifies an authentication realm, which is associated with a specific authentication server.
The Juniper SA Series appliance forwards the user’s credentials to this authentication server to verify the user’s
identity.
You will create two authentication servers:
• An LDAP Server to validate network passwords, and
• An ActivIdentity 4TRESS AAA RADIUS Server to validate the user's one-time password generated by
a Web token.
2.1 Procedure 1: Create New LDAP Server Instance
To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on
the SA Series SSL VPN appliance).
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server.
The following dialog is displayed.
4. Select the Authentication required to search LDAP option, and enter the appropriate Admin DN and
Password.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and
make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).
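Step 5 tells the appliance where to look for the user (Base DN) and how to match the entry (a filter template in which <USER> is replaced by the name typed at the sign-in page). The following is an added example, not code from the handbook or from Juniper, showing what a correct rendering of that template looks like: the user name is untrusted input, so it is escaped per RFC 4515 before substitution, and the resulting search (base, subtree scope, filter) is returned for inspection. How the appliance itself performs the substitution is not shown on this page; the escaping here is what any correct implementation must do.

```python
# Added example: render the "Finding user entries" filter template safely.


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    The backslash is handled first so the escapes added below are not re-escaped."""
    value = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, code)
    return value


def render_user_filter(template, username):
    """Substitute the sign-in user name into a template such as
    'samaccountname=<USER>' and return a parenthesised filter string."""
    rendered = template.replace("<USER>", escape_filter_value(username))
    return rendered if rendered.startswith("(") else "(" + rendered + ")"


def user_search(base_dn, template, username):
    """The search the appliance runs after binding with the Admin DN: the Base DN,
    subtree scope and the rendered filter. Values are constructed for illustration."""
    return {"base": base_dn, "scope": "subtree",
            "filter": render_user_filter(template, username)}


if __name__ == "__main__":
    # Constructed inputs: an ordinary user name and one carrying filter metacharacters.
    print(user_search("DC=example,DC=com", "samaccountname=<USER>", "jsmith"))
    print(user_search("DC=example,DC=com", "samaccountname=<USER>", "j*)(objectClass=*"))
```

The second call shows why escaping matters: without it the filter would become `(samaccountname=j*)(objectClass=*)`, which no longer matches a single account; with it every metacharacter is encoded and the search still matches only an account literally named that way.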
2.2 Procedure 2: Create New RADIUS Authentication Server
When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to
recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the
client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the
following steps.
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server.
The following dialog is displayed.
3. On the Settings tab, enter the following attributes.
• Name—Specify a name to identify the server instance.
• NAS-Identifier—Optional.
• Radius Server—Specify the host name or IP address of the 4TRESS AAA Server.
• Authentication Port—Enter the authentication port value for the RADIUS server. Typically,
this port is 1812.
• Shared Secret—Enter a string. You will also enter exactly the same string when configuring the
RADIUS server to recognize the SA Series SSL VPN appliance as a client; if the two differ, the
server cannot recover the one-time password and the appliance cannot verify the server's replies.
• Accounting Port—Accept the default, 1813.
• Timeout—Accept the default, 30 seconds.
• Retries—Accept the default, 0.
4. Click Save.
An authentication realm specifies the conditions that users must meet in order to sign into the SA Series
appliance. A realm consists of a grouping of authentication resources.
1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.