HID Juniper and ActivID AAA OOB User Manual

hidglobal.com
4TRESS AAA Out-of-Band Authentication (SMS) and Juniper® Integration Handbook
Document Version 2.3 | Released | May 2013
4TRESS AAA Out-of-Band Authentication (SMS) and Juniper® Secure Access | Integration Handbook
External Release | ©
2

Table of Contents

List of Figures .......................................................................................................................................................... 3
1.0 Introduction ................................................................................................................................................... 4
1.1 Scope of Document ..................................................................................................................................... 4
1.2 Prerequisites ............................................................................................................................................... 4
2.0 Juniper Secure Access Configuration ....................................................................................................... 5
2.1 Procedure 1: Create New LDAP Server Instance ....................................................................................... 5
2.2 Procedure 2: Create New RADIUS Authentication Server ......................................................................... 7
2.3 Procedure 3: Define Juniper User Role(s) ................................................................................................ 10
2.4 Procedure 4: Define Juniper Authentication Realm .................................................................................. 10
2.5 Procedure 5: Configure New Juniper Sign-In Page .................................................................................. 13
2.5.1 Examples of Custom Sign-In Pages .................................................................................................. 15
2.6 Procedure 6: Juniper Sign-in Policies ....................................................................................................... 16
3.0 4TRESS AAA Configuration ...................................................................................................................... 17
3.1 Procedure 1: Configure Juniper Gate ....................................................................................................... 17
3.2 Procedure 2: Assigning Group(s) to the Juniper Gate .............................................................................. 19
3.3 Procedure 3: Create An OOB Delivery Gateway ...................................................................................... 20
4.0 Assign SMS Token(s) ................................................................................................................................. 23
5.0 Sample Authentication Using Out-of-Band Authentication ................................................................... 24
2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Page |

List of Figures

FIGURE 1: Sample Juniper Sign-In Page Before Customization ........................................................................... 15
FIGURE 2: Sample Juniper Sign-In Page After Customization .............................................................................. 15
1.0 Introduction

The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure access via a VPN over existing Internet connections requires strong, two-factor authentication to protect resources. The HID Global Identity Assurance™ solutions that work with Juniper Networks incorporate SSL VPN solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. There are two solutions:
4TRESS™ AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce remotely accessing systems and data.
4TRESS™ Authentication Server (AS)—Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up 4TRESS AAA RADIUS out-of-band (OOB) authentication with the Juniper Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via OOB short message service (SMS) for use with a Juniper VPN.

1.2 Prerequisites

4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already configured.
User phone numbers are stored in the LDAP server.
Juniper SA version 7.1.x installed and configured.
Users have static LDAP passwords.
There is an existing Short Message Peer-to-Peer Protocol (SMPP) gateway to send one-time-password OOB codes to users.
The Juniper login page has been customized (illustrated in this handbook).
The ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in page on the Juniper network.
Note: Using Juniper double authentication (an LDAP password plus an out-of-band, one-time password) is optional. You can configure the sign-in page so that users do not have to use static LDAP passwords.

2.0 Juniper Secure Access Configuration

This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series appliance, the user specifies an authentication realm, which is associated with a specific authentication server. The Juniper SA Series appliance forwards the user’s credentials to this authentication server to verify the user’s identity.
You will create two authentication servers:
LDAP Server to validate network passwords, and
4TRESS AAA RADIUS Server to validate one-time-passwords and the SMS activation code.

2.1 Procedure 1: Create New LDAP Server Instance

To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on the SA Series SSL VPN appliance).
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server.
The following dialog is displayed.
Name—Specify a name to identify the server instance.
LDAP Server—Specify the name or IP address of the LDAP server that the SA Series SSL VPN Appliance uses to validate your users.
LDAP Port—Specify the port on which the LDAP server listens.
Backup servers and ports—OPTIONAL—Specify parameters for backup LDAP servers.
LDAP Server Type—Specify the type of LDAP server against which you want to authenticate users.
Connection, Connection Timeout, Search Timeout—Accept the defaults.
3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified LDAP server(s).
4. Select the option, Authentication required to search LDAP and enter the appropriate Admin DN and Password.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).

2.2 Procedure 2: Create New RADIUS Authentication Server

When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the following steps.
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server.
The following dialog is displayed.
3. On the Settings tab, enter the following attributes.
Name—Specify a name to identify the server instance.
NAS-Identifier—Optional.
Radius Server—Specify the name or IP address.
Authentication Port—Enter the authentication port value for the RADIUS server. Typically, this port is 1812.
Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS server to recognize the SA Series SSL VPN appliance as a client.
Accounting Port—Accept the default, 1813.
Timeout—Accept the default, 30 seconds.
Retries—Accept the default, 0 seconds.
4. In the Custom Radius Rules section, click New Radius Rule (to add a custom challenge rule that determines the action to take for an incoming packet). When a person enters a username and password, the initial authorization request is sent to the server. The server may respond with either a Challenge or Reject packet.
5. In the Add Custom RADIUS Challenge Rule window, select the packet type (Challenge or Reject) and then specify what action to take (4TRESS AAA sends an SMS code if a correct SMS PIN is entered = access-challenge).
6. To create a custom challenge rule, select the Response Packet Type:
Access Challenge—sent by the RADIUS server requesting more information in order to allow access.
Access Reject—sent by the RADIUS server rejecting access.
The following image illustrates two sample options.
7. Click Save. Once you have saved your custom rule, it appears in the Custom RADIUS Authentication Rule section (illustrated next).
Note: To delete a rule, select the checkbox next to the rule and then click Delete.

2.3 Procedure 3: Define Juniper User Role(s)

A user role is an entity that defines user session parameters, personalization settings, and enabled access features.
1. From the Admin console, expand the Users menu, point to User Roles, and then click New User Role.
2. Configure the new user role according to your requirements.

2.4 Procedure 4: Define Juniper Authentication Realm

An authentication realm specifies the conditions that users must meet in order to sign into the SA Series appliance. A realm consists of a grouping of authentication resources.
1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.
2. On the General tab, enter the following attributes and select the following options.
Name—Enter a name to label this realm.
Description—Enter a meaningful description.
In the Servers section:
Select an option from the Authentication drop-down list to specify an authentication server to use for authenticating users who sign in to this realm (for example, the LDAP server).
Accept the default for Directory/Attribute (Same as above).
Accounting—Accept the default, None.
To submit secondary user credentials to enable two-factor authentication to access the Secure Access device, select the option, Additional authentication server.
Authentication #2—Select 4TRESS AAA from the drop-down list (the name of the authentication server might be different).
By default, Secure Access submits the <username> session variable, which holds the same username used to sign in to the primary authentication server. To automatically submit a username to the secondary server, select the option, predefined as.
If you want to prompt the user to manually submit a password to the secondary server during the Secure Access sign-in process, then select the option, Password is specified by user on sign-in page.
Select the option, End session if authentication against this server fails.
3. At the bottom of the page, click Save Changes.
4. To configure one or more role mapping rules (based on the role defined previously), select the Role Mapping tab.

2.5 Procedure 5: Configure New Juniper Sign-In Page

1. From the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in Pages.
2. On the Custom text page, enter the following attributes.
Welcome message—Enter an appropriate salutation, such as Welcome to the.
Portal name—Enter a meaningful name. This will be what comes after Welcome to the.
Submit button—Customize if desired.
Instructions—Enter the text you want the user to see on the sign-in page.
Username—This is used by the realm to mask the secondary username on the sign-in page.
3. Accept the defaults for all other attributes.
4. Optional: You can modify Juniper custom sign-in pages to hide the SMS PIN (the activation code). If you do this, then all the users will use the same activation code. For details, call your HID Global Identity Assurance technical contact to obtain a sample page. After you obtain a custom file, you can upload it directly using the Sign-in Pages tab (illustrated next).
5. Click Upload Custom Pages.
6. Enter an appropriate Name, select the Page Type option, Access, and then click the Browse button.

2.5.1 Examples of Custom Sign-In Pages

FIGURE 1: Sample Juniper Sign-In Page Before Customization
FIGURE 2: Sample Juniper Sign-In Page After Customization

2.6 Procedure 6: Juniper Sign-in Policies

User sign-in policies also determine the realm(s) that users can access.
1. To create or configure user sign-in policies, in the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in Policies.
2. To create a new sign-in policy, click New URL.
3. In the Sign-in URL field that is displayed, enter the URL that you want to associate with the policy. Use the format <host>/<path>, where <host> is the host name of the Secure Access device, and <path> is any string you want users to enter.
4. For Sign-in Page, select the sign-in page that you want to associate with the policy.
5. For Authentication realm, specify which realm(s) map to the policy, and how users should pick from amongst realms.
6. Click Save Changes.

3.0 4TRESS AAA Configuration

This chapter describes how to configure the 4TRESS AAA Authentication Server.

3.1 Procedure 1: Configure Juniper Gate

A gate for the 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration. For configuration details, refer to 4TRESS AAA Server technical documentation.
1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and click New Gate.
3. Enter a Gate name (can be any string).
4. Select the option, RADIUS, corresponding to the protocol your Juniper uses.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.
6. Click Add, and then click OK.
7. The 4TRESS AAA Server uses the RADIUS shared secret to encrypt data between Juniper and the 4TRESS AAA authentication server. Click Shared Secret, and then modify the appropriate shared secret for your system (see section 2.2 Procedure 2: Create New RADIUS Authentication Server on page 7).
8. Click OK.

3.2 Procedure 2: Assigning Group(s) to the Juniper Gate

Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to the ActivIdentity 4TRESS AAA Administration Guide.
1. To assign groups to the Juniper Gate, in the tree in the left pane, select the group that you want to assign to the gate.
2. Use the Group / Gate Assignments section of the page to specify gate(s) for the group’s users to utilize in order to access a protected resource.
3. Click Add.
4. Select the Gate, the AZ profile, and the AC profile.
5. Click OK.

3.3 Procedure 3: Create An OOB Delivery Gateway

The actual SMS OTP is a random number generated by the Appliance and sent to the end user through a delivery gateway.
1. From the AAA Server Administration Console, select Tools, then click Options.
2. Select the SMS Gateway tab.
Protocol—Select the Protocol to use for sending the SMS to the cell phone.
SMS Center Address—Enter the IP address or domain name of the SMS Center’s server.
SMS Center Port—Enter the port number for the SMS Center’s server.
SMS Center Login and SMS Center Password—Enter the credentials that the 4TRESS AAA Server uses to authenticate to the SMS Center.
LDAP Settings—Define the attribute in the Cell Phone Number LDAP Attribute field. This is the one in which the cell telephone numbers are stored in your organization’s LDAP directory.
SMS Message—Enter the text desired for primary and backup, if needed (for example, Here is your one-time-password:).
3. Click Send a test SMS for the primary gateway, and for the backup, if configured.
4. Click OK.
5. Add two registry entries to activate the challenge-response mode on the SMS activation code, as illustrated next.
HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivPack\ActivPackServerV6
6. Customize the Activation message (that appears in the Juniper page).

4.0 Assign SMS Token(s)

You can assign an SMS Token for use either as a primary authentication method to a single user or to multiple users (bulk assignment).
1. From the 4TRESS AAA Server Administration Console, select the Devices menu, and then click SMS Token.
2. Use the search function to search for the user(s) to whom you want to assign the token(s). To select multiple users, press and hold the Ctrl key and then click selections.
3. Select the user or users from the list, and then click Set.
5.0 Sample Authentication Using Out-of-Band Authentication

1. The user authenticates to the Juniper Activation Realm with an OOB device (optionally an LDAP password). This depends on Juniper configuration.
You can modify this page (the Juniper Custom sign-in page) to hide the SMS PIN (activation code) on the page. In this case, all the users will use the same activation code. Contact your HID Global Identity Assurance technical contact to obtain a sample page. For example:
When the user clicks Sign In, the following page will be displayed.
2. The user receives a one-time-password, enters the password in the Response box, and then clicks Sign In.
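The two RADIUS round trips behind this sign-in sequence and the custom challenge rules of section 2.2 (PIN accepted = Access-Challenge, then OTP = Access-Accept or Access-Reject), as an added example that is not part of the handbook or of 4TRESS AAA: a simulated server-side state machine in Python. The username, PIN, shared secret, OTP length and lifetime are constructed assumptions, and the send_sms callback stands in for the SMPP delivery gateway.

```python
import hashlib
import hmac
import secrets
import struct
import time

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24

OTP_DIGITS = 6        # assumption: length of the SMS code
OTP_LIFETIME_S = 120  # assumption: seconds a challenge stays valid


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The NAS (here the Juniper SA) recomputes this over each reply, so a reply that
    was forged or altered without the shared secret fails the check."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


class OobRadiusServer:
    """Per-user SMS PINs plus outstanding challenges keyed by the State attribute."""

    def __init__(self, secret, pins, send_sms):
        self.secret = secret      # shared secret configured on the gate and on the NAS
        self.pins = pins          # constructed: username -> SMS PIN
        self.send_sms = send_sms  # stands in for the SMPP delivery gateway
        self.pending = {}         # State value -> (username, otp, expiry)

    def handle(self, ident, request_auth, username, password, state=None):
        """Process one Access-Request; returns (code, attrs, response authenticator)."""
        if state is None:
            # Round 1: the password field carries the SMS PIN. Correct PIN -> send an OTP.
            if not hmac.compare_digest(password, self.pins.get(username, "")):
                return self._reply(ACCESS_REJECT, ident, request_auth, [])
            otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
            state = secrets.token_bytes(16)  # unguessable handle tying round 2 to round 1
            self.pending[state] = (username, otp, time.monotonic() + OTP_LIFETIME_S)
            self.send_sms(username, f"Here is your one-time-password: {otp}")
            attrs = [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")]
            return self._reply(ACCESS_CHALLENGE, ident, request_auth, attrs)
        # Round 2: the password field carries the OTP. State is single-use and expires.
        entry = self.pending.pop(state, None)
        if entry is None:
            return self._reply(ACCESS_REJECT, ident, request_auth, [])
        user, otp, expiry = entry
        ok = (user == username and time.monotonic() < expiry
              and hmac.compare_digest(password, otp))
        return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [])

    def _reply(self, code, ident, request_auth, attrs):
        return code, attrs, response_authenticator(code, ident, attrs, request_auth, self.secret)


def demo():
    """Walk through the exchange of section 5.0 with constructed data."""
    outbox = []  # messages the delivery gateway would have sent
    server = OobRadiusServer(b"constructed-shared-secret", {"alice": "4711"},
                             lambda user, text: outbox.append((user, text)))
    req_auth = secrets.token_bytes(16)  # Request Authenticator chosen by the NAS
    wrong_pin = server.handle(1, req_auth, "alice", "0000")[0]
    challenge = server.handle(2, req_auth, "alice", "4711")
    state = dict(challenge[1])[STATE]
    otp = outbox[-1][1].rsplit(" ", 1)[1]  # what the user reads off the phone
    accept = server.handle(3, req_auth, "alice", otp, state)[0]
    replay = server.handle(4, req_auth, "alice", otp, state)[0]  # State already consumed
    return wrong_pin, challenge[0], accept, replay
```

The replay in demo() shows why the State attribute must be consumed on first use: a second submission of a valid OTP is rejected even inside the lifetime window.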
Revision History

Date          | Author               | Description                        | Document Version
May 2012      | Eco-System Workgroup | Initial release                    | 2.0
February 2013 | Eco-System Workgroup | Rebranded for HID Global           | 2.1
February 2013 | Eco-System Workgroup | Copyright updated to HID Global    | 2.2
May 2013      | Eco-System Workgroup | Copyright updated per IP changes   | 2.3

Copyright

© 2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.

Trademarks

HID, the HID logo, ActivID, 4TRESS and/or other HID Global products or marks referenced herein are registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries.
The absence of a mark, product, service name or logo from this list does not constitute a waiver of the HID Global trademark or other intellectual property rights concerning that name or logo. The names of actual companies, trademarks, trade names, service marks, images and/or products mentioned herein are the trademarks of their respective owners. Any rights not expressly granted herein are reserved.

Americas: +1 510.574.0100
US Federal: +1 571.522.1000
Europe: +33 (0) 1.42.04.84.00
Asia Pacific: +61 (0) 3.9809.2892
Web: http://www.hidglobal.com/identity-assurance
Corporate Headquarters
15370 Barranca Parkway
Irvine, CA 92618
www.hidglobal.com
+1 949.732.2000