DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication Certificate Based Integration Guideline


Page 1: DIGIPASS KEY series and smart card series for Juniper SSL VPN

Integration Guide – DIGIPASS KEY 200 Juniper SSL VPN Authentication 2010 VASCO Data Security. All rights reserved. Page 1 of 31

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Certificate Based Integration Guideline


Disclaimer

Disclaimer of Warranties and Limitations of Liabilities

This Report is provided on an 'as is' basis, without any other warranties, or conditions.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks

DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright

2011 VASCO Data Security. All rights reserved.


Table of Contents

1 Overview
2 Problem Description
3 Solution
4 Technical Concept
4.1 General overview
4.2 Procedure
4.3 Prerequisites
5 Setting up DIGIPASS Juniper Logon
5.1 Certificate Authority
5.1.1 Issue the right type of certificates
5.1.2 Security groups for enrollment station and agents
5.1.3 Specifying the Enrollment Policy
5.2 Enrollment Station
6 Enrolling Users
6.1 Requesting certificates
7 Download CA Certificate
8 Juniper Configuration
8.1 Import Trusted Client CAs
8.2 Create a Certificate Server
8.3 User Realms
9 Using the DIGIPASS KEY 200
9.1 Logon using the DIGIPASS KEY 200
10 About VASCO Data Security


1 Overview

The purpose of this document is to demonstrate how to secure your Juniper SSL VPN login with the DIGIPASS KEY 200. This device lets you add a certificate and log on with the right user credentials.

2 Problem Description

Today’s business is built around information applications. To ensure business workflow and productivity and to enhance client relationships, internal network resources are increasingly being made accessible from anywhere. The weakest link in any security infrastructure is the use of static passwords. These passwords are easily stolen, guessed, reused or shared. There is a need for strong user authentication based on two factors: something you have and something you know.

3 Solution

By creating an extra profile in your organization, the Enrollment Agent, it will be possible to roll out certificates on the DIGIPASS KEY 200 for every user. With the DIGIPASS KEY 200 it is possible to log in to Juniper SSL VPN. This way you create a safe and easily manageable environment for you and all your users.

Figure 1: DIGIPASS KEY 200

It is also possible to use a simple smart card, allowing the rollout of certificates on the DIGIPASS smart card as well. The DIGIPASS 905 is VASCO’s smart card reader. The procedure for configuring the certificates on the card is identical to the KEY 200 configuration.

Figure 2: DIGIPASS SMART CARD & DIGIPASS 905


4 Technical Concept

4.1 General overview

The basic working of the Juniper SA is based on authentication against an existing medium (Certificate Authentication, LDAP, RADIUS, local authentication …). To use the IDENTIKEY with Juniper SA, the external authentication settings need to be changed or added manually.

After configuring the Juniper SA SSL VPN and inserting the user certificate on the DIGIPASS KEY 200 in the right way, you eliminate the weakest link in any security infrastructure, the use of static passwords, which are easily stolen, guessed, reused or shared.

The DIGIPASS KEY 200 functionality provides document signing; strong authentication against PKI-enabled software systems (operating systems, virtual private networks, applications); as well as e-mail, file and disk encryption.

4.2 Procedure

To make the DIGIPASS KEY 200 work with the login in Juniper SSL VPN, there are a few steps that need to be taken. First of all you have to set up a Certificate Authority. This will be the issuer for the certificate used on the DIGIPASS KEY 200. Next we will make sure all the correct user rights are set. We will make a new group that will be responsible for issuing certificates. This will become a powerful group, as its members can generate certificates for all domain users, including administrators. Last, we have to enroll the users on the DIGIPASS KEY 200 and log in to Juniper SSL VPN.

4.3 Prerequisites

The initial prerequisites for setting up DIGIPASS Juniper SSL VPN are:

- Active Directory installed on a Windows 2000 or 2003 domain server
- A Microsoft Certificate Authority (CA) configured with the Enterprise policy module. This may be a root or subordinate CA.
- Juniper SSL VPN SA appliance

5 Setting up DIGIPASS Juniper Logon

5.1 Certificate Authority

5.1.1 Issue the right type of certificates

Start the Certification Authority Microsoft Management Console (MMC), located in the Administrative Tools folder on the Enterprise CA.

Open the Certificate Templates (2003) or Policy Settings (2000) folder, and right-click on this folder. Select New -> Certificate Template to Issue.


Figure 3: Issue the right type of certificates (1)

Select, by holding the CTRL key, the following items and click OK:

- Enrollment Agent
- Smartcard User

Figure 4: Issue the right type of certificates (2)

5.1.2 Security groups for enrollment station and agents

Open Active Directory Users and Computers from the Administrative Tools folder on the Domain Controller.

Right-click the Users folder and select New -> Group.


Figure 5: Security groups for enrollment station and agents (1)

Fill in a relevant group name (e.g. Enrollment_Group) and click OK.

Figure 6: Security groups for enrollment station and agents (2)

Now add the users to this group that will be able to make certificates for the DIGIPASS KEY 200.

Caution: Please be aware that these users will become powerful users, as they can create a certificate for any user in your domain, including administrators.

Right-click the group you just created and select Properties.


Figure 7: Security groups for enrollment station and agents (3)

At the Members tab, choose the Add… button.

Figure 8: Security groups for enrollment station and agents (4)

Select the user you want to add to the group (e.g. Enrollment Agent).


Figure 9: Security groups for enrollment station and agents (5)

As you can see below, a computer can also be an Enrollment Agent. You then have to take care of the physical access to this computer.

Click OK to finish.

Figure 10: Security groups for enrollment station and agents (6)

5.1.3 Specifying the Enrollment Policy

Certificates issued by the CA are based on certificate templates stored in the Active Directory. The Access Control Lists (ACLs) set on these templates determine who (user and computer) can request what (certificates).

Open the Active Directory Sites and Services MMC from the Administrative Tools folder on the Domain Controller. If the Services folder is not visible, choose View -> Show Services Node.

Open Services -> Public Key Services -> Certificate Templates, right-click the Enrollment Agent template and select Properties.


Figure 11: Specifying the Enrollment Policy (1)

By clicking the Add… button, add the enrollment group you created before.

Figure 12: Specifying the Enrollment Policy (2)

Once added, give this group Read and Enroll permissions. Click OK to finish.


Figure 13: Specifying the Enrollment Policy (3)

Now do the same steps for the Smartcard User template.
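Because the template ACL is what decides who may act as an Enrollment Agent, it is worth reading the ACL back after the changes above rather than trusting the dialog. The following PowerShell is an added example, not part of the VASCO guide; it assumes the ActiveDirectory module (its AD: drive) is available and that the group was named Enrollment_Group as in section 5.1.2.

```powershell
# Added example, not part of the VASCO guide: audit which principals hold Enroll on the
# two templates the guide publishes. Assumes the ActiveDirectory module (AD: drive) and
# the group name Enrollment_Group chosen in section 5.1.2.
Import-Module ActiveDirectory

$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$BroadRights   = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, GenericAll'
$ExpectedGroup = 'Enrollment_Group'                              # assumed name from section 5.1.2
$ConfigNC      = (Get-ADRootDSE).configurationNamingContext
$TemplatesDN   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

function Get-TemplateEnroller {
    param([Parameter(Mandatory)][string]$TemplateCN)
    $acl = Get-Acl -Path "AD:\CN=$TemplateCN,$TemplatesDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Enroll is granted either explicitly (ObjectType is the enrollment right GUID)
        # or implicitly by "all extended rights" / GenericAll (ObjectType is the empty GUID).
        $explicit = $ace.ObjectType -eq $EnrollRight
        $implicit = $ace.ObjectType -eq [guid]::Empty -and
                    ([int]($ace.ActiveDirectoryRights -band $BroadRights)) -ne 0
        if ($explicit -or $implicit) {
            [pscustomobject]@{
                Template  = $TemplateCN
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Explicit  = $explicit
                Expected  = $ace.IdentityReference.Value -like "*\$ExpectedGroup"
            }
        }
    }
}

# Template CNs in the Configuration partition are the display names without spaces.
$report = foreach ($cn in 'EnrollmentAgent', 'SmartcardUser') { Get-TemplateEnroller -TemplateCN $cn }
$report | Format-Table -AutoSize

# Every principal listed can obtain a logon certificate for any domain user, including
# administrators (the caution in 5.1.2), so each entry beyond the enrollment group
# should be a deliberate decision.
$report | Where-Object { -not $_.Expected }
```

Built-in administrative groups normally appear in the output by default; the point of the last line is to make every such grant visible rather than to remove it.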

5.2 Enrollment Station

To set up your enrollment station you need to install the DIGIPASS KEY 200 middleware, DIGIPASS CertID.

Log in on the Enrollment Station (any domain computer) with the Enrollment Agent user. Click Start -> Run… and enter “mmc”.

Choose File -> Add/Remove Snap-in.

Figure 14: Enrollment station (1)


Click the Add… button.

Figure 15: Enrollment Station (2)

Select Certificates and click the Add button.

Figure 16: Enrollment Station (3)

Choose My user account and press Finish.


Figure 17: Enrollment Station (4)

Afterwards click the Close button of the Add Standalone Snap-in window.

Click OK to go to the main console window.

Figure 18: Enrollment Station (5)

At the main console window, right-click the Personal folder and select All Tasks -> Request New Certificate…


Figure 19: Enrollment Station (6)

Click Next in the first window of the Certificate Request Wizard.

Figure 20: Enrollment Station (7)

Choose the Enrollment Agent certificate, check the Advanced checkbox and click Next.


Figure 21: Enrollment Station (8)

Choose the Microsoft Enhanced Cryptographic Provider and a key length of 1024 bit. Click Next.

Figure 22: Enrollment Station (9)

Verify the settings and click Next.


Figure 23: Enrollment Station (10)

Type in a Friendly name and type a meaningful description. Click Next.

Figure 24: Enrollment Station (11)

Review all the settings and click Finish if everything is OK.


Figure 25: Enrollment Station (12)


6 Enrolling Users

For enrollment of users, you have to choose the Smartcard User template.

6.1 Requesting certificates

Open your browser and go to http://CA-Server/certsrv (where CA-Server is the name of the machine where your CA is installed).

Click Request a certificate.

Figure 26: Requesting certificates (1)

Click the Advanced certificate request link.

Figure 27: Requesting certificates (2)

Click the Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station link.


Figure 28: Requesting certificates (3)

Select the right Certificate Template, CA and Cryptographic Service Provider (the VASCO CertID Smart Card Crypto Provider V1.0 CSP in this case).

If you are logged in as the Enrollment Agent, the right Administrator Signing Certificate should be selected by default. Otherwise, click the Select Certificate… button.

In the User to Enroll field, you select the user you want to create a certificate for. Click the Select User… button and the familiar wizard will start.

Figure 29: Requesting certificates (4)

Search for the user you want to create a certificate for and click OK.


Figure 30: Requesting certificates (5)

Now make sure your DIGIPASS KEY 200 is plugged into the USB port, and then press the Enroll button.

Figure 31: Requesting certificates (6)

You will be asked for the PIN of the DIGIPASS KEY 200; enter it and press OK to continue. This can take a while. Do not navigate away from this page as long as the process is busy.

Figure 32: Requesting certificates (7)


When the certificate is saved on the DIGIPASS KEY 200, you will get a message in the window stating “The smartcard is ready…”. You now have the possibility to view the recently created certificate. To do so, press the View Certificate button.

Figure 33: Requesting certificates (8)

7 Download CA Certificate

To use the web site to download a certificate authority (CA) certificate, click on the Download a CA certificate, certificate chain, or CRL link.

Figure 34: Download CA certificate (1)

Click on the Download CA certificate link.


Figure 35: Download CA certificate (2)

Save the CA certificate to your local drive. (The CA certificate will be imported into Juniper SSL VPN later.)

Figure 36: Download CA certificate (3)
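Before the downloaded CA certificate is imported on the Juniper side, it pays to confirm on the enrollment station that the certificate written to the DIGIPASS KEY 200 really chains to that CA and carries the EKUs the Smartcard User template issues (Smart Card Logon and Client Authentication). The PowerShell below is an added example, not part of the VASCO guide; it assumes the CA certificate was saved as C:\Temp\ca.cer, that the KEY 200 is plugged in with DIGIPASS CertID installed, and that the enrolled certificate is visible in the current user's Personal store.

```powershell
# Added example, not part of the VASCO guide: check that the certificate on the
# DIGIPASS KEY 200 chains to the downloaded CA certificate and has the expected EKUs.
# Assumed paths and store locations are noted inline.
using namespace System.Security.Cryptography.X509Certificates

$CaFile         = 'C:\Temp\ca.cer'            # assumed save location from section 7
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'    # Smart Card Logon EKU
$ClientAuth     = '1.3.6.1.5.5.7.3.2'         # TLS client authentication EKU

function Test-SmartcardLogonCert {
    param([Parameter(Mandatory)][X509Certificate2]$Cert,
          [Parameter(Mandatory)][X509Certificate2]$Ca)

    # Collect the EKU OIDs from the Extended Key Usage extension (2.5.29.37).
    $ekus = @($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
              ForEach-Object { $_.EnhancedKeyUsages.Value })

    # Build the chain against the downloaded CA only; Juniper will trust exactly that CA.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.ExtraStore.Add($Ca) | Out-Null
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject            = $Cert.Subject
        UPN                = $Cert.GetNameInfo([X509NameType]::UpnName, $false)
        HasPrivateKey      = $Cert.HasPrivateKey          # key lives on the KEY 200
        ChainBuilds        = $built
        RootIsDownloadedCA = ($root.Thumbprint -eq $Ca.Thumbprint)
        SmartCardLogonEKU  = ($ekus -contains $SmartCardLogon)
        ClientAuthEKU      = ($ekus -contains $ClientAuth)
        NotAfter           = $Cert.NotAfter
    }
}

$ca = [X509Certificate2]::new($CaFile)
# Only look at certificates issued by the CA whose certificate was just downloaded.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $ca.Subject } |
    ForEach-Object { Test-SmartcardLogonCert -Cert $_ -Ca $ca } |
    Format-List
```

A result with ChainBuilds or RootIsDownloadedCA set to False means the wrong CA certificate was downloaded (for example an intermediate instead of the issuing CA), and the Juniper import in section 8 will not authenticate the user.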


8 Juniper Configuration

8.1 Import Trusted Client CAs

Log in to the Juniper SSL VPN administrator console and click on Configuration -> Certificates -> Trusted Client CAs.

Figure 37: Juniper SSL VPN configuration (1)

Click on Import CA Certificate…

Figure 38: Juniper SSL VPN configuration (2)

Click on the Browse… button.


Figure 39: Juniper SSL VPN configuration (3)

Choose the CA certificate you exported earlier (see section 7, Download CA Certificate).

Figure 40: Juniper SSL VPN configuration (4)

Click on the Import Certificate button.

Figure 41: Juniper SSL VPN configuration (5)

Scroll down and leave the default settings.


Figure 42: Juniper SSL VPN configuration (6)

Click on Save Changes.

Figure 43: Juniper SSL VPN configuration (7)

Figure 44: Juniper SSL VPN configuration (8)


8.2 Create a Certificate Server

To create a Certificate Server, click on Auth. Server. In the New: drop-down list, choose Certificate Server.

Figure 45: Juniper SSL VPN configuration (9)

Name your Certificate Server.

Figure 46: Juniper SSL VPN configuration (10)


8.3 User Realms

To link the Certificate Server to the User Realms, click on User Realms and then click on your Realm.

Figure 47: Juniper SSL VPN configuration (11)

In the Authentication section, select the Certificate Server.

Figure 48: Juniper SSL VPN configuration (12)


9 Using the DIGIPASS KEY 200

9.1 Logon using the DIGIPASS KEY 200

Make sure DIGIPASS CertID is installed on the client PC. Open Internet Explorer and enter the Juniper SSL VPN Web Portal URL.

Figure 49: Using the DIGIPASS (1)

A Security Alert will prompt. Click on Yes to accept the SSL certificate.

Figure 50: Using the DIGIPASS (2)


Select your certificate and click OK.

Figure 51: Using the DIGIPASS (3)

Enter your PIN to unlock the DIGIPASS KEY 200.

Figure 52: Using the DIGIPASS (4)


After the certificate authentication, you will be able to log in to your Juniper SSL VPN Portal.

Figure 53: Using the DIGIPASS (5)


10 About VASCO Data Security

VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce. VASCO’s User Authentication software is carried by the end user on its DIGIPASS products, which are small “calculator” hardware devices, or in a software format on mobile phones, other portable devices, and PCs. At the server side, VASCO’s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO’s target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO’s time-based system generates a “one-time” password that changes with every use, and is virtually impossible to hack or break.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO’s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.