Strong Authentication for Juniper Networks


Strong Authentication for Juniper Networks SSL VPN SSO and OWA with Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY

Copyright

Copyright 2011. CRYPTOCard Inc. All rights reserved. The information contained herein is subject to change without notice. Proprietary Information of CRYPTOCard Inc.

Disclaimer

The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than CRYPTOCard Inc. While every effort is made to ensure the accuracy of content offered on these pages, CRYPTOCard Inc. shall have no liability for errors, omissions or inadequacies in the content contained herein or for interpretations thereof. Use of this information constitutes acceptance for use in an AS IS condition, without warranties of any kind, and any use of this information is at the user's own risk. No part of this documentation may be reproduced without the prior written permission of the copyright owner. CRYPTOCard Inc. disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall CRYPTOCard Inc. be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if CRYPTOCard Inc. has been advised of the possibility of such damages. Some provinces, states or countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents CRYPTOCard Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behaviour to support@cryptocard.com.

The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of the license.

Trademarks

BlackShield ID, CRYPTOCard and the CRYPTOCard logo are trademarks and/or registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective holders.

Contact Information

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

United Kingdom
2430 The Quadrant, Aztec West, Almondsbury, Bristol, BS32 4AQ, U.K.
Phone: +44 870 7077 700
Fax: +44 870 70770711
support@cryptocard.com

North America
600-340 March Road, Kanata, Ontario, Canada K2K 2E4
Phone: +1 613 599 2441
Fax: +1 613 599 2442
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com

Overview

By default, a Juniper SSL VPN logon requires that a user provide a correct user name and password to log on successfully. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token, using the implementation instructions below.

Applicability

This integration guide is applicable to:

Security Partner Information
Security Partner: Juniper Networks
Product Name and Version: SA 700 / 6.2R1 (build 13255)
Protection Category: SSL Remote Access

Authentication Service Delivery Platform Compatibility

Publication History

Date                Changes                   Version
April 15, 2009      Document created          1.0
July 9, 2009        Copyright year updated    1.1
October 16, 2009    Minor updates             1.2

Preparation and Prerequisites

1. Ensure end users can authenticate through the Juniper SSL VPN with a static password before configuring RADIUS authentication.
2. For BlackShield Server:
   a. BlackShield ID NPS IAS Agent has been installed and configured on the NPS IAS Server to accept Radius authentication from the Juniper SSL VPN.
   b. Ensure that Ports 1812 UDP and 1813 UDP are open to the NPS / IAS Server.
   c. The NPS IAS Agent must be configured to use either port 80 or port 443 to send authentication requests to the BlackShield ID server.
3. For BlackShield Cloud:
   a. Add a RADIUS Auth Node configured to accept authentication requests from the Juniper SSL VPN.
4. For BlackShield Server or BlackShield Cloud:
   a. Create or define a Test account that will be used to verify that the Juniper SSL VPN has been properly configured. Ensure that the user name for this account exists in BlackShield ID by locating it in the Assignment Tab.
   b. Verify that the Test user account can successfully authenticate with a static password to the Juniper SSL VPN before attempting to apply changes and test authentication using a token.
   c. A Test user account has been created and assigned with a CRYPTOCard token.

Configuration

Configuring Juniper SSL VPN for Two Factor Authentication

Log into the Juniper SSL VPN Admin web portal.

To add a new Radius Server, click on Auth Servers. From the dropdown box, select "Radius Server", then click on the "New Server..." button.

- Enter a Name for the new Radius Server.
- Enter the IP address or DNS name of the Primary BlackShield ID Radius Server into the Radius Server field.
- Enter a Shared Secret into the Shared Secret field.
- Place a checkmark in the "Users authenticate using tokens and one-time passwords" checkbox.
- Click Save Changes when completed.

Optional: If there is a Secondary BlackShield ID Radius Server, fill in all fields within the Backup Server section.

- Click on the Users Authentication Realm section.
- Select the Role Mapping Tab.
- Click on New Rule.
- Beside "Rule based on", click on the drop down menu and select User attribute. Then click Update.

- In the Name field, enter a name for reference. In this example, "CC Role Map" was used.
- Select Filter-Id (11) for the attribute, and enter CCUser1 for the attribute name.
- Click Save Changes when finished.

In the General tab of the User Realm, add the Active Directory Authentication as the first server. Check "Additional authentication server" and add the RADIUS authentication. Beside "Username is:", check "predefined as:" and enter <USERNAME>. Do not leave it as <USER>.

Edit the Default Sign-In Page, or the page that you are using, so that the Secondary password reads OTP.

In Resource Profiles / Web, add a new Profile for OWA. Make sure to add the Users in the Roles tab.

In the Exchange System Manager, uncheck Enable Forms Based Authentication. The SSO will not work with Forms Based Authentication.
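The role-mapping rule configured above matches on RADIUS attribute 11 (Filter-Id) with the value CCUser1. The following added example, which is not part of the original guide or of any CRYPTOCard or Juniper code, shows what a RADIUS client has to check before trusting that attribute, per RFC 2865: the Response Authenticator computed with the shared secret, the packet code, and the attribute TLVs. It assumes the RADIUS server returns Filter-Id in its Access-Accept; the secret, identifier and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # attribute type selected in the role-mapping rule

def build_accept(ident, request_auth, secret, filter_id):
    """Build a sample Access-Accept carrying one Filter-Id attribute."""
    value = filter_id.encode()
    attrs = bytes([FILTER_ID, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Return {type: [values]} from the attribute TLVs; reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def role_matches(packet, request_auth, secret, wanted="CCUser1"):
    """True only for an authentic Access-Accept whose Filter-Id equals `wanted`."""
    if len(packet) < 20 or not verify_response(packet, request_auth, secret):
        return False
    if packet[0] != ACCESS_ACCEPT:
        return False
    return wanted.encode() in parse_attributes(packet).get(FILTER_ID, [])

# Constructed sample values, not taken from any real deployment.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
SAMPLE = build_accept(7, REQUEST_AUTH, SECRET, "CCUser1")
```

A reply built with a different shared secret, or altered in transit, fails `verify_response`, so the Filter-Id it carries is never evaluated for role mapping.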


Testing CRYPTOCard Authentication

The next step is to test the newly configured CRYPTOCard Two Factor Authentication.

- Open up a web browser and go to http://junipersslvpn.dns.name/
- Enter your username, Active Directory password and a CRYPTOCard generated Passcode.
- Click Sign In.

If you successfully authenticate, then the following screen should appear.

Failed Logons

Symptom: Login Failed
Indication: 11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
Possible Causes: The One Time Password provided for the user is incorrect.
Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid OTP again, test the token out via the BlackShield ID Manager.

Symptom: Login Failed
Indication: 11/19/2008 12:47:24 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid PIN
Possible Causes: The PIN provided for the user is incorrect.
Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid PIN again, changing the initial PIN back to default and forcing a PIN change would solve the issue, or have the user access the BlackShield Self Service page.

Further Information

For further information, please visit http://www.cryptocard.com
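The failure entries above share one line format, so they can be triaged in bulk. This added example (not part of the original guide) parses lines in that format, maps each failure reason to the solution given above, and flags repeated failures in a short period. It assumes the number after "Authentication Failure" is a token identifier; the threshold, the window, the user "Alice" and all sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>\S+) "
    r"Authentication Failure (?P<token>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Invalid (?P<reason>OTP|PIN)$")

# Next steps taken from the troubleshooting entries above.
NEXT_STEP = {
    "OTP": "test the token in the BlackShield ID Manager",
    "PIN": "reset the PIN to default and force a PIN change, or use Self Service",
}

# Constructed sample lines in the format shown above (not real log data).
SAMPLE = """\
11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
11/19/2008 12:37:10 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
11/19/2008 12:37:40 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
11/19/2008 12:47:24 PM Alice Authentication Failure 312191600 192.168.21.121 Invalid PIN
a line that does not match the format
"""

def parse(text):
    """Yield (timestamp, user, ip, reason) for each well-formed failure line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["user"], m["ip"], m["reason"]

def triage(text, threshold=3, window=timedelta(minutes=5)):
    """Summarise failures per (user, reason) and flag bursts within `window`."""
    stamps, sources = defaultdict(list), defaultdict(set)
    for ts, user, ip, reason in parse(text):
        stamps[(user, reason)].append(ts)
        sources[(user, reason)].add(ip)
    report = {}
    for key, times in stamps.items():
        times.sort()
        # A burst is `threshold` failures whose first and last fall inside the window.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[key] = {"count": len(times), "burst": burst,
                       "sources": sorted(sources[key]),
                       "next_step": NEXT_STEP[key[1]]}
    return report
```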