4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3, Released May 2013, hidglobal.com



Table of Contents

List of Figures ... 3
1.0 Introduction ... 4
  1.1 Scope of Document ... 4
  1.2 Prerequisites ... 4
2.0 Juniper Secure Access Configuration ... 5
  2.1 Procedure 1: Create New LDAP Server Instance ... 5
  2.2 Procedure 2: Create New RADIUS Authentication Server ... 7
  2.3 Procedure 3: Define Juniper User Role(s) ... 10
  2.4 Procedure 4: Define Juniper Authentication Realm ... 10
  2.5 Procedure 5: Configure New Juniper Sign-In Page ... 13
    2.5.1 Examples of Custom Sign-In Pages ... 15
  2.6 Procedure 6: Juniper Sign-in Policies ... 16
3.0 4TRESS AAA Configuration ... 17
  3.1 Procedure 1: Configure Juniper Gate ... 17
  3.2 Procedure 2: Assigning Group(s) to the Juniper Gate ... 19
  3.3 Procedure 3: Create An OOB Delivery Gateway ... 20
4.0 Assign SMS Token(s) ... 23
5.0 Sample Authentication Using Out-of-Band Authentication ... 24

External Release 2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Page 2

List of Figures

FIGURE 1: Sample Juniper Sign-In Page Before Customization ... 15
FIGURE 2: Sample Juniper Sign-In Page After Customization ... 15

1.0 Introduction

The Juniper Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure access via a VPN over existing Internet connections requires strong, two-factor authentication to protect resources.

The HID Global Identity Assurance solutions that work with Juniper Networks incorporate SSL VPN solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. There are two solutions:

4TRESS AAA Server for Remote Access: Addresses the security risks associated with a mobile workforce remotely accessing systems and data.

4TRESS Authentication Server (AS): Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up 4TRESS AAA RADIUS out-of-band (OOB) authentication with the Juniper Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via OOB short message service (SMS) for use with a Juniper VPN.

1.2 Prerequisites

- 4TRESS AAA Server is up to date (v6.7), with LDAP users and groups already configured.
- User phone numbers are stored in the LDAP server.
- Juniper SA version 7.1.x is installed and configured.
- Users have static LDAP passwords.
- There is an existing Short Message Peer-to-Peer Protocol (SMPP) gateway to send one-time-password OOB codes to users.
- The Juniper login page has been customized (illustrated in this handbook).
- The Juniper appliance is able to manage double authentication (LDAP, then RADIUS) sequentially from the same sign-in page.

Note: Using Juniper double authentication (an LDAP password plus an out-of-band, one-time password) is optional. You can configure the sign-in page so that users do not have to use static LDAP passwords.

2.0 Juniper Secure Access Configuration

This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series appliance, the user specifies an authentication realm, which is associated with a specific authentication server. The Juniper SA Series appliance forwards the user's credentials to this authentication server to verify the user's identity.

You will create two authentication servers:
- LDAP Server, to validate network passwords.
- 4TRESS AAA RADIUS Server, to validate one-time passwords and the SMS activation code.

2.1 Procedure 1: Create New LDAP Server Instance

To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on the SA Series SSL VPN appliance).

Getting Started

1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select LDAP Server, and then click New Server. The following dialog is displayed.

Name: Specify a name to identify the server instance.
LDAP Server: Specify the name or IP address of the LDAP server that the SA Series SSL VPN Appliance uses to validate your users.
LDAP Port: Specify the port on which the LDAP server listens.
Backup servers and ports: OPTIONAL. Specify parameters for backup LDAP servers.
LDAP Server Type: Specify the type of LDAP server against which you want to authenticate users.
Connection, Connection Timeout, Search Timeout: Accept the defaults.

3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified LDAP server(s).
4. Select the option Authentication required to search LDAP, and enter the appropriate Admin DN and Password.

5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and make sure that the Filter is correct (for example: samaccountname=<user>).
6. At the bottom of the dialog, click Save Changes (not illustrated).

2.2 Procedure 2: Create New RADIUS Authentication Server

When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the following steps.

Getting Started

1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.
2. From the New drop-down list, select Radius Server, and then click New Server. The following dialog is displayed.

3. On the Settings tab, enter the following attributes.

Name: Specify a name to identify the server instance.
NAS-Identifier: Optional.
Radius Server: Specify the name or IP address.
Authentication Port: Enter the authentication port value for the RADIUS server. Typically, this port is 1812.
Shared Secret: Enter a string. You will also enter this string when configuring the RADIUS server to recognize the SA Series SSL VPN appliance as a client.
Accounting Port: Accept the default, 1813.
Timeout: Accept the default, 30 seconds.
Retries: Accept the default, 0 seconds.

4. In the Custom Radius Rules section, click New Radius Rule to add a custom challenge rule that determines the action to take for an incoming packet. When a person enters a username and password, the initial authorization request is sent to the server. The server may respond with either a Challenge or a Reject packet.
5. In the Add Custom RADIUS Challenge Rule window, select the packet type (Challenge or Reject) and then specify what action to take. 4TRESS AAA sends an SMS code if a correct SMS PIN is entered; this corresponds to an Access Challenge.
6. To create a custom challenge rule, select the Response Packet Type:
   - Access Challenge: sent by the RADIUS server requesting more information in order to allow access.
   - Access Reject: sent by the RADIUS server rejecting access.
   The following image illustrates two sample options.
7. Click Save. Once you have saved your custom rule, it appears in the Custom RADIUS Authentication Rule section (illustrated next).

Note: To delete a rule, select the checkbox next to the rule and then click Delete.

2.3 Procedure 3: Define Juniper User Role(s)

A user role is an entity that defines user session parameters, personalization settings, and enabled access features.

1. From the Admin console, expand the Users menu, point to User Roles, and then click New User Role.
2. Configure the new user role according to your requirements.

2.4 Procedure 4: Define Juniper Authentication Realm

An authentication realm specifies the conditions that users must meet in order to sign into the SA Series appliance. A realm consists of a grouping of authentication resources.

1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.

2. On the General tab, enter the following attributes and select the following options.

Name: Enter a name to label this realm.
Description: Enter a meaningful description.

In the Servers section:
Authentication: Select an option from the drop-down list to specify an authentication server to use for authenticating users who sign in to this realm (for example, the LDAP server).
Directory/Attribute: Accept the default (Same as above).
Accounting: Accept the default, None.
Additional authentication server: Select this option to submit secondary user credentials, which enables two-factor authentication to access the Secure Access device.
Authentication #2: Select 4TRESS AAA from the drop-down list (the name of the authentication server might be different).

By default, Secure Access submits the <username> session variable, which holds the same username used to sign in to the primary authentication server. To automatically submit a username to the secondary server, select the option predefined as.

If you want to prompt the user to manually submit a password to the secondary server during the Secure Access sign-in process, select the option Password is specified by user on sign-in page.

Select the option End session if authentication against this server fails.

3. At the bottom of the page, click Save Changes.
4. To configure one or more role mapping rules (based on the role defined previously), select the Role Mapping tab.

2.5 Procedure 5: Configure New Juniper Sign-In Page

1. From the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in Pages.
2. On the Custom text page, enter the following attributes.

Welcome message: Enter an appropriate salutation, such as Welcome to the.
Portal name: Enter a meaningful name. This will be what comes after Welcome to the.
Submit button: Customize if desired.
Instructions: Enter the text you want the user to see on the sign-in page.
Username: This is used by the realm to mask the secondary username on the sign-in page.

3. Accept the defaults for all other attributes.

4. Optional: You can modify Juniper custom sign-in pages to hide the SMS PIN (the activation code). If you do this, then all the users will use the same activation code. For details, call your HID Global Identity Assurance technical contact to obtain a sample page. After you obtain a custom file, you can upload it directly using the Sign-in Pages tab (illustrated next).
5. Click Upload Custom Pages.
6. Enter an appropriate Name, select the Page Type option Access, and then click the Browse button.

2.5.1 Examples of Custom Sign-In Pages

FIGURE 1: Sample Juniper Sign-In Page Before Customization

FIGURE 2: Sample Juniper Sign-In Page After Customization

2.6 Procedure 6: Juniper Sign-in Policies

User sign-in policies also determine the realm(s) that users can access.

1. To create or configure user sign-in policies, in the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in Policies.
2. To create a new sign-in policy, click New URL.

3. In the Sign-in URL field that is displayed, enter the URL that you want to associate with the policy. Use the format <host>/<path>, where <host> is the host name of the Secure Access device, and <path> is any string you want users to enter.
4. For Sign-in Page, select the sign-in page that you want to associate with the policy.
5. For Authentication realm, specify which realm(s) map to the policy, and how users should pick from amongst realms.
6. Click Save Changes.

3.0 4TRESS AAA Configuration

This chapter describes how to configure the 4TRESS AAA Authentication Server.

3.1 Procedure 1: Configure Juniper Gate

A gate for the 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration. For configuration details, refer to the 4TRESS AAA Server technical documentation.

1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click the server to which you want to add a gate, and click New Gate.
3. Enter a Gate name (can be any string).
4. Select the option RADIUS, corresponding to the protocol your Juniper uses.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.

6. Click Add, and then click OK.
7. The 4TRESS AAA Server uses the RADIUS shared secret to encrypt data between Juniper and the 4TRESS AAA authentication server. Click Shared Secret, and then enter the shared secret for your system; it must be the same string you entered in section 2.2 Procedure 2: Create New RADIUS Authentication Server (page 7).
8. Click OK.

3.2 Procedure 2: Assigning Group(s) to the Juniper Gate

Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to the ActivIdentity 4TRESS AAA Administration Guide.

1. To assign groups to the Juniper Gate, in the tree in the left pane, select the group that you want to assign to the gate.
2. Use the Group / Gate Assignments section of the page to specify the gate(s) that the group's users utilize in order to access a protected resource.
3. Click Add.

4. Select the Gate, the AZ profile, and the AC profile.
5. Click OK.

3.3 Procedure 3: Create An OOB Delivery Gateway

The actual SMS OTP is a random number generated by the Appliance and sent to the end user through a delivery gateway.

1. From the AAA Server Administration Console, select Tools, then click Options.
2. Select the SMS Gateway tab.

Protocol: Select the protocol to use for sending the SMS to the cell phone.
SMS Center Address: Enter the IP address or domain name of the SMS Center's server.
SMS Center Port: Enter the port number for the SMS Center's server.
SMS Center Login and SMS Center Password: Enter the credentials that the 4TRESS AAA Server uses to authenticate to the SMS Center.
LDAP Settings: Define the attribute in the Cell Phone Number LDAP Attribute field. This is the attribute in which the cell telephone numbers are stored in your organization's LDAP directory.
SMS Message: Enter the text desired for the primary and backup gateways, if needed (for example, Here is your one-time-password:).

3. Click Send a test SMS for the primary gateway, and for the backup, if configured.
4. Click OK.

5. Add two registry entries to activate the challenge-response mode on the SMS activation code, as illustrated next, under:
   HKEY_LOCAL_MACHINE\SOFTWARE\ActivCard\ActivPack\ActivPackServerV6
6. Customize the Activation message (that appears in the Juniper page).
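The controls a server needs around the SMS one-time password described in this procedure, as an added example that is not part of this handbook and is not 4TRESS AAA's implementation (the handbook does not describe its internals): the code is drawn from `secrets`, only a salted hash of it is kept, it expires, it is accepted exactly once, and a bounded number of wrong responses discards it. The `send_sms` callable stands in for the SMPP gateway configured above, the message text is the handbook's own sample, and the policy constants, user names and phone numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not 4TRESS AAA settings.
OTP_DIGITS = 6           # length of the numeric code sent by SMS
OTP_TTL_SECONDS = 120    # how long an issued code stays valid
MAX_ATTEMPTS = 3         # wrong responses allowed before the code is discarded


@dataclass
class PendingOtp:
    digest: bytes       # salted SHA-256 of the code; the clear code is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class OobOtpService:
    """Issues one-time SMS codes and verifies the user's response exactly once."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone_number, text): stands in for the SMPP gateway
        self.clock = clock         # injectable so expiry can be tested deterministically
        self.pending = {}          # username -> PendingOtp

    def issue(self, username, phone_number, message="Here is your one-time-password:"):
        # secrets, not random: the code must be unpredictable to anyone who cannot see the phone
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingOtp(_digest(salt, code), salt, self.clock() + OTP_TTL_SECONDS)
        self.send_sms(phone_number, f"{message} {code}")   # the code leaves only via the SMS channel

    def verify(self, username, response):
        entry = self.pending.get(username)
        if entry is None or entry.used:
            return False, "no pending code"
        if self.clock() > entry.expires_at:
            del self.pending[username]
            return False, "code expired"
        entry.attempts += 1
        if hmac.compare_digest(_digest(entry.salt, response), entry.digest):
            entry.used = True                 # single use: a replayed code is refused
            return True, "accepted"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]        # bounded guessing: 10**OTP_DIGITS is a small space
            return False, "too many attempts"
        return False, "wrong code"


def demo():
    """Walks one constructed user through a wrong response, the right one, and a replay."""
    outbox = []   # constructed stand-in for the SMS Center: records what would be sent
    svc = OobOtpService(send_sms=lambda number, text: outbox.append((number, text)))
    svc.issue("jdoe", "+15555550100")                 # constructed user and number
    code = outbox[-1][1].rsplit(" ", 1)[1]            # what the user reads off the handset
    wrong = "000000" if code != "000000" else "111111"
    return [svc.verify("jdoe", wrong)[1], svc.verify("jdoe", code)[1], svc.verify("jdoe", code)[1]]


if __name__ == "__main__":
    print(demo())   # ['wrong code', 'accepted', 'no pending code']
```

Each control answers a specific weakness of an SMS code: a six-digit code has only a million values, so without the attempt limit and the short lifetime the second factor adds little; hashing the pending code means a dumped or logged pending-code store does not expose live codes; single use stops a code read from the handset or the SMS Center from being replayed after the user has spent it.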

4.0 Assign SMS Token(s)

You can assign an SMS Token for use as a primary authentication method either to a single user or to multiple users (bulk assignment).

1. From the 4TRESS AAA Server Administration Console, select the Devices menu, and then click SMS Token.
2. Use the search function to find the user(s) to whom you want to assign the token(s). To select multiple users, press and hold the Ctrl key and then click the selections.
3. Select the user or users from the list, and then click Set.

5.0 Sample Authentication Using Out-of-Band Authentication

1. The user authenticates to the Juniper Activation Realm with an OOB device (optionally also with an LDAP password; this depends on the Juniper configuration). You can modify this page (the Juniper custom sign-in page) to hide the SMS PIN (activation code) on the page. In this case, all the users will use the same activation code. Contact your HID Global Identity Assurance technical contact to obtain a sample page. For example: When the user clicks Sign In, the following page will be displayed.

2. The user receives a one-time password, enters the password in the Response box, and then clicks Sign In.
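The RADIUS exchange behind the custom challenge rule of section 2.2 and the two-step sign-in shown in this section, as an added example that is not part of this handbook and is not Juniper's or HID Global's code: a minimal RFC 2865 codec, a stand-in AAA server that answers a wrong SMS PIN with Access-Reject and a correct one with Access-Challenge (sending the code and attaching a State attribute), and a stand-in NAS (the Juniper side) that verifies every reply's Response Authenticator with the shared secret and echoes State in the second round. The shared secret, user record, PIN, phone number, message text and in-process handset are constructed; the AAA server's real logic, including the registry-driven challenge mode of section 3.3, is modelled rather than reproduced, and expiry and attempt limits on the code are deliberately left out of this block.

```python
import hashlib, hmac, secrets, struct

# RFC 2865 packet codes and the attribute types this exchange needs
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    # attrs: list of (type, value bytes); wire form is Type(1) Length(1) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad packet length")
    attrs, i = [], 20
    while i < length:
        t, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((t, raw[i + 2:i + alen]))
        i += alen
    return code, ident, raw[4:20], attrs

def password_xor(data, secret, request_auth, hiding):
    # RFC 2865 5.2 User-Password: 16-byte blocks XORed with MD5(secret + previous cipher block)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def response_authenticator(code, ident, request_auth, attrs, secret):
    # MD5 over the reply header, the Request Authenticator, the attributes and the shared secret
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

class AaaServer:
    """Stand-in for the AAA RADIUS server: checks the SMS PIN, then challenges with a code sent by SMS."""
    def __init__(self, secret, users, send_sms):
        self.secret, self.users, self.send_sms = secret, users, send_sms
        self.pending = {}   # State value -> (username, otp bytes)
    def handle(self, raw):
        code, ident, req_auth, attrs = parse_packet(raw)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode(errors="replace")
        pw = password_xor(a.get(USER_PASSWORD, b""), self.secret, req_auth, False).rstrip(b"\0")
        if STATE in a:   # second round: State ties this request to the challenge we issued
            pending = self.pending.pop(a[STATE], None)
            if pending and pending[0] == user and hmac.compare_digest(pending[1], pw):
                return self.reply(ACCESS_ACCEPT, ident, req_auth, [])
            return self.reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Invalid response")])
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["pin"], pw):
            return self.reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Invalid PIN")])
        otp, state = f"{secrets.randbelow(10 ** 6):06d}".encode(), secrets.token_bytes(16)
        self.pending[state] = (user, otp)
        self.send_sms(record["phone"], b"Here is your one-time-password: " + otp)
        return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                          [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")])
    def reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)

def nas_request(secret, ident, user, password, state=None):  # what the Juniper side sends
    req_auth = secrets.token_bytes(16)   # kept by the caller to check the reply
    padded = password.ljust(16 * ((len(password) + 15) // 16 or 1), b"\0")
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, password_xor(padded, secret, req_auth, True))]
    if state is not None:
        attrs.append((STATE, state))   # echoed unmodified, as RFC 2865 requires
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def nas_check_reply(raw, secret, ident, req_auth):  # drop replies not authenticated with our secret
    code, rid, resp_auth, attrs = parse_packet(raw)
    expected = response_authenticator(code, rid, req_auth, attrs, secret)
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("reply failed shared-secret check")
    return code, dict(attrs)

def sign_in(secret, server, user, pin, read_sms):  # PIN round, then the code read from the phone
    req, auth = nas_request(secret, 1, user, pin)
    code, attrs = nas_check_reply(server.handle(req), secret, 1, auth)
    if code != ACCESS_CHALLENGE:
        return "reject"
    req, auth = nas_request(secret, 2, user, read_sms(), state=attrs[STATE])
    code, _ = nas_check_reply(server.handle(req), secret, 2, auth)
    return "accept" if code == ACCESS_ACCEPT else "challenge failed"

def demo():
    secret = b"constructed-shared-secret"   # same string on both sides, as sections 2.2 and 3.1 require
    handset = []                             # constructed stand-in for the user's phone
    users = {"jdoe": {"pin": b"1234", "phone": "+15555550100"}}   # constructed user record
    server = AaaServer(secret, users, lambda number, text: handset.append(text))
    read_code = lambda: handset[-1].rsplit(b" ", 1)[1]
    wrong_code = lambda: b"000000" if read_code() != b"000000" else b"111111"
    cases = [(b"1234", read_code), (b"9999", read_code), (b"1234", wrong_code)]
    return [sign_in(secret, server, "jdoe", pin, reader) for pin, reader in cases]
```

`demo()` returns `['accept', 'reject', 'challenge failed']`. Two points worth checking against a real deployment: the NAS treats a reply that fails the Response Authenticator check as if nothing arrived (RFC 2865 says to discard such packets silently), which is why a shared-secret mismatch between the Juniper entry of section 2.2 and the gate of section 3.1 surfaces as retries and a timeout rather than as a rejection; and the State attribute is opaque to the NAS and echoed unmodified, which is what lets the server tie the code it sent to the request that follows. MD5 appears because RFC 2865 specifies it, not as a recommendation.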

Copyright 2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.

Trademarks

HID, the HID logo, ActivID, 4TRESS and/or other HID Global products or marks referenced herein are registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries. The absence of a mark, product, service name or logo from this list does not constitute a waiver of the HID Global trademark or other intellectual property rights concerning that name or logo. The names of actual companies, trademarks, trade names, service marks, images and/or products mentioned herein are the trademarks of their respective owners. Any rights not expressly granted herein are reserved.

Revision History

Date           Author                Description                        Document Version
May 2012       Eco-System Workgroup  Initial release                    2.0
February 2013  Eco-System Workgroup  Rebranded for HID Global           2.1
February 2013  Eco-System Workgroup  Copyright updated to HID Global    2.2
May 2013       Eco-System Workgroup  Copyright updated per IP changes   2.3

Americas: +1 510.574.0100
US Federal: +1 571.522.1000
Europe: +33 (0) 1.42.04.84.00
Asia Pacific: +61 (0) 3.9809.2892
Web: http://www.hidglobal.com/identity-assurance

Corporate Headquarters
15370 Barranca Parkway
Irvine, CA 92618
www.hidglobal.com
+1 949.732.2000