Juniper Networks SSL VPN Implementation Guide

Copyright

Copyright 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.
Juniper SSL VPN Overview

This documentation presents an overview and the necessary steps to configure a Juniper SSL VPN for use with CRYPTO-MAS and CRYPTOCard tokens. The Juniper SSL VPN is used to create an encrypted tunnel between hosts. CRYPTO-MAS works in conjunction with the Juniper SSL VPN to replace static passwords with strong two-factor authentication, which prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a connection to gain access to protected resources.

With CRYPTO-MAS acting as the authentication server for a VPN-enabled resource, an authenticated connection sequence is as follows:

1. The administrator configures the Juniper SSL VPN to use RADIUS authentication.

2. The incoming RADIUS authentication request is relayed to the CRYPTO-MAS Server, as shown in Figure 1 below.

Figure 1: The RADIUS authentication request is relayed to the CRYPTO-MAS Server.

3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it then checks the token associated with the user for the expected PIN + One-time password.

4. Once the PIN + One-time password is verified against the user's token and found valid, the server sends an access accept message. This is illustrated in Figure 2 below. If the user does not exist, or the PIN + One-time password is incorrect, the server sends the user an access reject message.

Figure 2: The CRYPTO-MAS Server responds with an access accept or access reject.
Compatibility

For security reasons, and for compatibility with CRYPTOCard authentication, the Juniper SSL VPN must be release 4.2 or higher.

Prerequisites

The following systems must be verified operational prior to configuring the VPN concentrator to use CRYPTOCard authentication:

1. Verify that end users can authenticate through the Juniper SSL VPN with a static password before configuring the concentrator to use CRYPTOCard authentication.

2. Ensure that an initialized CRYPTOCard token has been assigned to a CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Authentication port number:
CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:
Configuring Juniper SSL VPN

In order for the SSL VPN to authenticate CRYPTOCard token users, RADIUS authentication must be enabled.

Adding a RADIUS Server

1. Choose Signing In > AAA Servers.

2. From the dropdown box next to the "New:" heading, choose "Radius Server", and click on the "New Server..." button.

3. On the New Radius Server page, fill in the information for the CRYPTO-MAS RADIUS server obtained from the Prerequisites section.

4. Fill in the information for the Backup CRYPTO-MAS RADIUS Server, if one exists.

5. Check the "Users authenticate using tokens and one-time passwords" box and click on "Save Changes".
Under Users > Authentication > 1. Users > General, in the Servers section of the General tab, set Authentication to the CRYPTO-MAS RADIUS Server, and click on "Save Changes".

Mapping CRYPTOCard Users to SSL VPN Realms

Once the CRYPTO-MAS Server has been added to the SSL VPN setup, you may configure the CRYPTO-Server to map the user to a realm on the IVE.

1. Under User -> Authentication, click "local".

2. From the Role Mapping tab, click "New Rule" to access the Role Mapping Rule page.

3. Define a rule based on a User attribute. Set the attribute to Filter-Id (11), and enter a value that will be used to map CRYPTOCard users to this role.

4. Choose the role to assign the user to.

5. Check "Stop processing rules when this rule matches", and click on "Save Changes".

The CRYPTOCard side must be notified of the Filter-Id value in order to map the user to the realm.

Connect using the SSL VPN client

Once the SSL VPN has been configured with the correct RADIUS server information, end users should be able to connect via a browser and access network resources using their CRYPTOCard token:

1. Enter the CRYPTOCard username.

2. Generate a One-Time Password from the CRYPTOCard token.

3. Enter the PIN and One-Time Password together in the password field, and click OK.

Once the SSL VPN has verified the username and password with the CRYPTO-Server, the connection will be established.
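The exchange described in the Overview and the Filter-Id role mapping above, carried through as an added example (not part of the original guide or CRYPTOCard's code): the VPN side builds an Access-Request with the PIN + One-Time Password hidden in User-Password under the shared secret (PAP, as listed in the summary table), a constructed stand-in for the CRYPTO-MAS decision answers Access-Accept with Filter-Id (11) or Access-Reject, and the VPN side checks the Response Authenticator before trusting the answer. The shared secret, username, PIN + OTP and Filter-Id value are constructed sample values.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # RADIUS attribute types (RFC 2865)

def hide_password(password, secret, authenticator):  # RFC 2865 5.2: PAP User-Password hiding
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):  # chained MD5 XOR over 16-byte blocks
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attrs(pairs):  # type-length-value encoding of RADIUS attributes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(data):
    out = {}
    while len(data) >= 2 and data[1] >= 2:
        out[data[0]], data = data[2:data[1]], data[data[1]:]
    return out

def build_access_request(username, pin_plus_otp, secret, ident=1):  # SSL VPN side
    req_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    body = attrs([(USER_NAME, username.encode()),
                  (USER_PASSWORD, hide_password(pin_plus_otp.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def server_respond(request, secret, expected, filter_id):
    """Constructed stand-in for the CRYPTO-MAS decision: accept only if user exists and PIN+OTP matches."""
    ident, length, req_auth = request[1], struct.unpack("!H", request[2:4])[0], request[4:20]
    a = parse_attrs(request[20:length])
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(a.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    ok = expected.get(user) == pw
    body = attrs([(FILTER_ID, filter_id.encode())]) if ok else b""  # Filter-Id (11) drives role mapping
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body  # Response Authenticator

def client_verify(response, req_auth, secret):  # returns (code, Filter-Id) or (None, None)
    hdr, resp_auth, body = response[:4], response[4:20], response[20:]
    if hashlib.md5(hdr + req_auth + body + secret).digest() != resp_auth:
        return None, None  # wrong shared secret or tampered reply: do not trust the code
    fid = parse_attrs(body).get(FILTER_ID)
    return hdr[0], fid.decode() if fid else None
```

A mismatched shared secret on either side shows up here exactly as it does on the IVE: the reply fails the authenticator check and the user is never let in, so the secret from the Prerequisites section must match on both ends.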
Solution Overview Summary

Product Name: Juniper SSL VPN
Vendor Site: http://www.juniper.net/
Supported Client Software: Internet Explorer 6+, Mozilla Firefox 1.5+
Authentication Method: RADIUS Authentication

Supported RADIUS Functionality for Juniper SSL VPN Connection

RADIUS Authentication Encryption: PAP, MSCHAPv2
Authentication Method: One-time password, Challenge-response, Static Password
New PIN Mode: User changeable Alphanumeric 4-8 digit PIN, User changeable Numeric 4-8 digit PIN, Server changeable Alphanumeric 4-8 digit PIN, Server changeable Numeric 4-8 digit PIN

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, and CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard Corp. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date                Changes
October 27th, 2006  Initial Draft
November 9th, 2006  Global Draft
November 29, 2006   Minor Revision