1.0 Introduction
The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and
partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure
access via a VPN over existing Internet connections requires strong, two-factor authentication to protect
resources. The HID Global Identity Assurance™ solutions that work with Juniper Networks incorporate SSL VPN
solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. There are two
solutions:
• 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce
remotely accessing systems and data.
• 4TRESS™ Authentication Server (AS)—Offers support for multiple authentication methods that are useful for
diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and
password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up 4TRESS AAA RADIUS out-of-band (OOB) authentication with the Juniper
Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via OOB short
message service (SMS) for use with a Juniper VPN.
1.2 Prerequisites
• 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already configured.
• User phone numbers are stored in the LDAP server.
• Juniper SA version 7.1.x installed and configured.
• Users have static LDAP passwords.
• There is an existing Short Message Peer-to-Peer Protocol (SMPP) gateway to send one-time-password OOB
codes to users.
• The Juniper login page has been customized (illustrated in this handbook).
• The ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in page on the
Juniper network.
Note: Using Juniper double authentication (an LDAP password plus an out-of-band, one-time
password) is optional. You can configure the sign-in page so that users do not have to use static
LDAP passwords.
2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Page |
This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series
appliance, the user specifies an authentication realm, which is associated with a specific authentication server.
The Juniper SA Series appliance forwards the user's credentials to this authentication server to verify the user's
identity.
You will create two authentication servers:
• LDAP Server to validate network passwords, and
• 4TRESS AAA RADIUS Server to validate one-time-passwords and the SMS activation code.
2.1 Procedure 1: Create New LDAP Server Instance
To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on
the SA Series SSL VPN appliance).
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server.
The following dialog is displayed.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and
make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).
2.2 Procedure 2: Create New RADIUS Authentication Server
When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to
recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the
client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the
following steps.
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server.
The following dialog is displayed.
3. On the Settings tab, enter the following attributes.
• Name—Specify a name to identify the server instance.
• NAS-Identifier—Optional.
• Radius Server—Specify the name or IP address.
• Authentication Port—Enter the authentication port value for the RADIUS server. Typically, this port is
1812.
• Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS server to
recognize the SA Series SSL VPN appliance as a client.
• Accounting Port—Accept the default, 1813.
• Timeout—Accept the default, 30 seconds.
• Retries—Accept the default, 0 seconds.
4. In the Custom Radius Rules section, click New Radius Rule (to add a custom challenge rule that determines
the action to take for an incoming packet). When a person enters a username and password, the initial
authorization request is sent to the server. The server may respond with either a Challenge or Reject packet.
5. In the Add Custom RADIUS Challenge Rule window, select the packet type (Challenge or Reject) and then
specify what action to take (for example, 4TRESS AAA sends an SMS code if a correct SMS PIN is entered, which
corresponds to an Access Challenge).
6. To create a custom challenge rule, select the Response Packet Type:
• Access Challenge—sent by the RADIUS server requesting more information in order to allow access.
• Access Reject—sent by the RADIUS server rejecting access.
The following image illustrates two sample options.
7. Click Save.
Once you have saved your custom rule, it appears in the Custom RADIUS Authentication Rule section (illustrated
next).
Note: To delete a rule, select the checkbox next to the rule and then click Delete.
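As an added illustration (not part of this handbook, and not HID or Juniper code), the following Python models the RADIUS exchange that the custom challenge rule above handles: the SA hides the User-Password with the shared secret as RFC 2865 specifies, the AAA side answers a correct PIN with Access-Challenge plus a State attribute while the one-time code goes out by SMS, and the second request carrying that State and the code yields Access-Accept. The shared secret, user, PIN, and the send_sms hook are constructed values.

```python
import hashlib, hmac, os, secrets

SHARED_SECRET = b"example-shared-secret"   # constructed; stands in for the Shared Secret typed on the SA

def hide_password(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous
    cipher block); the first block is keyed by the packet's 16-byte Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def access_request(user, password, state=None):
    """Packet the SA appliance sends: fresh Authenticator, hidden User-Password, State on round 2."""
    auth = os.urandom(16)
    req = {"Code": "Access-Request", "User-Name": user, "Authenticator": auth,
           "User-Password": hide_password(password.encode(), SHARED_SECRET, auth)}
    if state is not None:
        req["State"] = state
    return req

class OobAaaServer:
    """Toy model of the handbook's two-step flow (not 4TRESS AAA code): PIN -> Challenge + SMS; code + State -> Accept."""
    def __init__(self, pins, send_sms):
        self.pins, self.send_sms, self.pending = pins, send_sms, {}

    def handle(self, req):
        user = req["User-Name"]
        typed = hide_password(req["User-Password"], SHARED_SECRET, req["Authenticator"], True).decode()
        if "State" not in req:                                   # round 1: the static PIN
            if not hmac.compare_digest(typed, self.pins.get(user, "")):
                return {"Code": "Access-Reject"}
            otp, state = f"{secrets.randbelow(10**6):06d}", secrets.token_hex(8)
            self.pending[state] = (user, otp)                    # State ties round 2 to this challenge
            self.send_sms(user, otp)                             # the OOB leg (SMPP gateway in production)
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter the code sent to your phone"}
        owner, otp = self.pending.pop(req["State"], (None, ""))  # single use: a replayed State fails
        ok = owner == user and hmac.compare_digest(typed, otp)
        return {"Code": "Access-Accept" if ok else "Access-Reject"}

def login(server, user, pin, read_code):
    """Client side of the sequence: send the PIN, and only on Access-Challenge send the SMS code."""
    reply = server.handle(access_request(user, pin))
    if reply["Code"] == "Access-Challenge":
        reply = server.handle(access_request(user, read_code(), reply["State"]))
    return reply["Code"]
```

The State attribute is what lets the SA's second round be matched to the pending challenge; a wrong PIN never triggers an SMS, and a State token can be consumed only once.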