HID Juniper and ActivID AS OOB User Manual

hidglobal.com
4TRESS® FT2011 Out-of-Band Authentication and Juniper
RADIUS Channel Integration Handbook
Document Version 2.2 | Released | May 2013
4TRESS FT2011 Out-of-Band Authentication and Juniper Secure Access | RADIUS Channel Integration Handbook
External Release | © 2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.

Table of Contents

List of Figures .......... 3
1.0 Introduction .......... 4
1.1 Scope of Document .......... 4
1.2 Prerequisites .......... 4
2.0 Juniper Secure Access Configuration .......... 5
2.1 Procedure 1: Create New LDAP Server Instance .......... 5
2.2 Procedure 2: Create New RADIUS Authentication Server .......... 7
2.3 Procedure 3: Define Juniper User Role(s) .......... 10
2.4 Procedure 4: Define Juniper Authentication Realm .......... 10
2.5 Procedure 5: Configure New Juniper Sign-In Page .......... 13
2.5.1 Examples of Custom Sign-In Pages .......... 15
2.6 Procedure 6: Juniper Sign-in Policies .......... 16
3.0 4TRESS AS Configuration .......... 17
3.1 Configure RADIUS Channel .......... 17
3.2 Create User Repository .......... 20
3.3 Configure Administration Groups, User Types, User Repositories, and Authentication Policies .......... 22
3.4 Create OOB Delivery Gateway .......... 23
3.5 Assign An Out-of-Band Delivery Gateway .......... 25
3.6 Assign An Out-of-Band Delivery Credential to An Existing Authentication Policy .......... 26
4.0 Assign SMS Token(s) .......... 26
4.1 Prerequisite: Assign An SMS Token .......... 26
5.0 Sample Authentication Using Out-of-Band Authentication .......... 27

List of Figures

FIGURE 1: Sample Juniper Sign-In Page Before Customization .......... 15
FIGURE 2: Sample Juniper Sign-In Page After Customization .......... 15
1.0 Introduction

The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure access via a VPN over existing Internet connections requires strong, two-factor authentication to protect resources. The HID Global Identity Assurance™ solutions that work with Juniper Networks incorporate SSL VPN solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. HID Global Identity Assurance offers two solutions:
4TRESS™ AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce remotely accessing systems and data.
4TRESS Authentication Server (AS)—Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up 4TRESS FT2011 RADIUS out-of-band (OOB) authentication with the Juniper Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via OOB short message service (SMS) and Email for use with a Juniper VPN.

1.2 Prerequisites

4TRESS FT2011.
User phone numbers and Email addresses are stored in the LDAP server.
Juniper SA version 7.1.x installed and configured.
Users have static LDAP passwords.
There is an existing Short Message Peer-to-Peer Protocol / Simple Mail Transfer Protocol (SMPP/SMTP) gateway to send one-time-password OOB codes to users.
The Juniper login page has been customized.
Ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in page on the Juniper network.
Note: Using Juniper double authentication (an LDAP password plus an out-of-band, one-time password) is optional. You can configure the sign-in page so that users do not have to use static LDAP passwords.

2.0 Juniper Secure Access Configuration

This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series appliance, the user specifies an authentication realm, which is associated with a specific authentication server. The Juniper SA Series appliance forwards the user's credentials to this authentication server to verify the user's identity.
You will create two authentication servers:
LDAP Server to validate network passwords, and
4TRESS AAA RADIUS Server to validate one-time passwords and the SMS activation code.

2.1 Procedure 1: Create New LDAP Server Instance

To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on the SA Series SSL VPN appliance).
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server.
The following dialog is displayed.
Name—Specify a name to identify the server instance.
LDAP Server—Specify the name or IP address of the LDAP server that the SA Series SSL VPN Appliance uses to validate your users.
LDAP Port—Specify the port on which the LDAP server listens.
Backup servers and ports—OPTIONAL—Specify parameters for backup LDAP servers.
LDAP Server Type—Specify the type of LDAP server against which you want to authenticate users.
Connection, Connection Timeout, Search Timeout—Accept the defaults.
3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified LDAP server(s).
4. Select the option, Authentication required to search LDAP, and enter the appropriate Admin DN and Password.
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and make sure that the Filter is correct (for example: samaccountname=<USER>).
6. At the bottom of the dialog, click Save Changes (not illustrated).

2.2 Procedure 2: Create New RADIUS Authentication Server

When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the following steps.
Getting Started
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server.
The following dialog is displayed.
3. On the Settings tab, enter the following attributes.
Name—Specify a name to identify the server instance.
Radius Server—Specify the name or IP address.
Authentication Port—Enter the authentication port value for the RADIUS server. Typically, this port is 1812.
Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS server to recognize the SA Series SSL VPN appliance as a client.
Accounting Port—Accept the default, 1813.
Timeout—Accept the default, 30 seconds.
Retries—Accept the default, 0 seconds.
4. In the Custom Radius Rules section, click New Radius Rule. When a person enters a username and password, the initial authorization request is sent to the server. The server may respond with either a Challenge or Reject packet.
5. In the Add (or Edit) Custom RADIUS Challenge Rule window, select the packet type (Challenge or Reject), and then specify what action to take. This is used for OOB authentication and emergency access: when a correct SMS PIN is entered, 4TRESS sends the SMS and responds with an Access-Challenge.
6. To create a custom challenge rule, select the Response Packet Type:
Access Challenge—sent by the RADIUS server requesting more information in order to allow access.
Access Reject—sent by the RADIUS server rejecting access.
The following image illustrates two sample options.
7. Click Save. Once you have saved your custom rule, it appears in the Custom RADIUS Authentication Rule section (illustrated next).
Note: To delete a rule, select the checkbox next to the rule, and then click Delete.
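To make concrete what the SA and the RADIUS server exchange in Procedure 2 (the Shared Secret of step 3 and the Access-Challenge/Access-Reject replies that the custom rules of steps 4 to 6 act on), here is an added Python example that is not part of this handbook or of the 4TRESS or Juniper products. It simulates the two-round exchange (SMS PIN, then the out-of-band OTP) in-process against a constructed stand-in server, with a sample shared secret and made-up PIN/OTP values, and shows the Response Authenticator check by which the SA rejects a reply that was not produced with the shared secret.

```python
import hashlib, os, struct
# RFC 2865 codes/attributes. Juniper's custom rules act on the Access-Challenge (11)
# and Access-Reject (3) replies; Access-Accept (2) grants access.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24
SECRET = b"constructed-shared-secret"  # sample Shared Secret configured on SA and server

def encode(code, ident, authenticator, attrs):  # header, 16-byte authenticator, TLVs
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def decode(pkt):  # -> (code, identifier, authenticator, {type: value})
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs
def hide_password(pw, request_auth, secret):  # RFC 2865 s5.2, one block; XOR is self-inverse
    key = hashlib.md5(secret + request_auth).digest()
    return bytes(p ^ k for p, k in zip(pw.ljust(16, b"\0"), key))
def reply(code, ident, attrs, request_auth, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret): ties the
    # reply to its request and proves the server holds the shared secret
    unsigned = encode(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]
def verify_reply(pkt, request_auth, secret):  # the SA-side check on every reply
    return pkt[4:20] == hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()

def oob_server(pkt, secret, sms_pin=b"1234", otp=b"583920"):
    # Constructed stand-in for the OOB server: correct SMS PIN -> Access-Challenge (the OTP
    # then goes out of band); the follow-up must echo State and carry that OTP, else Reject.
    _, ident, req_auth, a = decode(pkt)
    pw = hide_password(a.get(USER_PASSWORD, b""), req_auth, secret).rstrip(b"\0")
    if STATE not in a and pw == sms_pin:
        return reply(ACCESS_CHALLENGE, ident, [(STATE, b"oob-1")], req_auth, secret)
    ok = a.get(STATE) == b"oob-1" and pw == otp
    return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, [], req_auth, secret)

def authenticate(user, pin, otp, secret=SECRET):  # SA side; returns reply codes in order
    codes, state = [], None
    for ident, pw in ((1, pin), (2, otp)):
        req_auth = os.urandom(16)  # fresh Request Authenticator per request
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(pw, req_auth, secret))]
        attrs += [(STATE, state)] if state else []
        resp = oob_server(encode(ACCESS_REQUEST, ident, req_auth, attrs), secret)
        assert verify_reply(resp, req_auth, secret), "reply failed authenticator check"
        code, _, _, rattrs = decode(resp)
        codes.append(code)
        if code != ACCESS_CHALLENGE:
            break
        state = rattrs[STATE]
    return codes
```

A correct PIN followed by the correct OTP yields the code sequence Challenge then Accept; a wrong PIN ends at Reject without any SMS being sent, which is the branch the Access Reject rule in step 6 handles.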