
Implementation Guide Juniper SA SSL VPN

Copyright © 2011, Deepnet Security. All Rights Reserved. Page 1

Juniper SA SSL VPN Implementation Guide

(Version 5.4)

Copyright 2011

Deepnet Security Limited


Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited

Northway House

1379 High Road

London N20 9LP

United Kingdom

Tel: +44(0)20 8343 9663

Fax: +44(0)20 8446 3182

Web: www.deepnetsecurity.com

Email: [email protected]


Table of Contents

Overview
RADIUS
    Create a RADIUS logon procedure
    Create a RADIUS application
    Register the Juniper SA as a Radius client
    Register the DualShield RADIUS server
    Test Authentication
        DualShield as the only Auth Server
        DualShield as the second Auth Server
        Challenge & Response
SAML 2.0
    Create a SSO logon procedure
    Create a SAML application
    Download IdP Metadata
    Download IdP Certificate
    Import IdP Metadata
    Create a SAML Authentication Server
    Download & Import SP Metadata
    Test Authentication


Overview

This implementation guide describes how to integrate the Juniper SA SSL VPN appliance with the DualShield unified authentication platform in order to add two-factor authentication to the SSL VPN login process.

Juniper SA supports external authentication servers using both RADIUS and SAML. The DualShield unified authentication platform includes a fully compliant RADIUS server as well as a SAML 2.0 compliant Single Sign-On (SSO) server. Therefore, Juniper SA can be configured to work with either the DualShield Radius server or the DualShield SSO server, depending on the customer’s requirements. If a customer requires only OTP and ODP (One-Time Password and On-Demand Password) authentication, then RADIUS can deliver those authentication methods. If a customer also requires other authentication methods such as keystroke biometrics or device DNA, or wants ODP with a more user-friendly logon interface, then the customer must implement the SAML solution.


RADIUS

Prior to configuring Juniper SA for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers please refer to the following documents:

• DualShield Authentication Platform – Installation Guide
• DualShield Authentication Platform – Quick Start Guide
• DualShield Authentication Platform – Administration Guide
• DualShield Radius Server - Installation Guide

You also need a RADIUS application created in the DualShield authentication server; this application will be used for the two-factor authentication in Juniper SA. The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:

VPN & RADIUS - Implementation Guide

The following outlines the key steps:

In DualShield

1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for Juniper SA
3. Register the Juniper SA as a RADIUS client

In Juniper SA

1. Register the DualShield RADIUS authentication server

Create a RADIUS logon procedure

1. Log in to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “RADIUS” as the Type
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password + One-Time Password”
9. Click “Save”

Create a RADIUS application

1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
8. Select the DualShield Radius server, e.g. “Local Radius Server”
9. Click “Save”
10. Click the context menu of the newly created application and select “Self Test”

Register the Juniper SA as a Radius client

1. In the main menu, select “RADIUS | Clients”
2. Click the “Register” button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the Juniper SA’s IP in the IP address field
5. Enter the Shared Secret, which will also be entered in Juniper SA
6. Click “Save”

The IP address must be the source address from which the Juniper SA’s requests actually arrive at the DualShield Radius server (a NAT device in between changes it), because a RADIUS server ignores requests from addresses that are not registered clients. The shared secret is the only thing protecting the RADIUS exchange: it obfuscates the User-Password attribute and authenticates the server’s replies, so use a long random value and do not reuse it for another RADIUS client.

Register the DualShield RADIUS server

Log into the Juniper SA Administrator Console. The administrator console can be reached via a web browser, e.g. https://juniper.deepnetlabs.com/admin

1. Click “Auth.Servers” in the “Authentication” section
2. Select “Radius Server” in the dropdown list, and click “New Server”
3. Populate the fields:

   Name: a label for the DualShield RADIUS server
   Radius Server: IP address or FQDN of the DualShield RADIUS server
   Authentication Port: the authentication port of the DualShield RADIUS server
   Accounting Port: the accounting port of the DualShield RADIUS server
   Shared Secret: the Shared Secret set up in the DualShield Radius client registration


Test Authentication

To test the RADIUS authentication, you can create a new User Realm in the Juniper SA or change an existing realm. There are two options for configuring the authentication servers for the User Realm:

1) Use the DualShield Radius server as the only authentication server
2) Use the DualShield Radius server as the second authentication server

DualShield as the only Auth Server

When the DualShield Radius server is used as the only authentication server, typically you would configure DualShield to authenticate both the user’s AD password (Static Password) and the user’s token password (One-Time Password). The logon procedure in DualShield would then have one step with the combination of the Static Password and One-Time Password (and/or On-Demand Password).


You will also need to define its Role Mapping, e.g.

And create a new sign-in URL (a Sign-in Policy under “Signing In”) for the realm:


Launch your web browser and navigate to the sign-in URL, e.g. https://juniper.deepnetest32.com/saml

Enter your username and the password in the form that was defined in your logon procedure, e.g. “static password + one-time password”.


DualShield as the second Auth Server

You can configure Juniper SA to use the DualShield Radius server as the second authentication server. In this case, typically you would use your AD/LDAP as the first authentication server.

1. Edit your User Realm and set the DualShield Radius server as the second authentication server.


At logon, Juniper SA will present a logon form with a user name, a password and a secondary password:

Challenge & Response

If you are planning to deploy the On-Demand Password authentication solution using the T-Pass authenticator, then the recommended implementation is to use Radius challenge and response. The user experience in the login process is as follows:

1) Users will first be asked to enter their user name and AD password.
2) The user name and password will be submitted to the DualShield server to be verified. When DualShield has successfully verified the user and the password, it will generate a one-time password and send it to the user by SMS or email.
3) The user will then be asked to enter the one-time password.

To implement Radius Challenge & Response, you need to edit the Radius server entry in Juniper SA and add a new Radius rule.

1. Select “Auth Server” and select the DualShield Radius server entry you have created. Scroll down to “Custom Radius Rules”.
2. Select “New Radius Rule” and populate the form.
3. Click “Save Changes”
4. Use the DualShield Radius server as the only authentication server in the User Realm
5. In the DualShield management console, create a logon procedure with two logon steps matching the flow above: a first step for the static (AD) password and a second step for the On-Demand Password that is sent once the first step succeeds.


SAML 2.0

The DualShield unified authentication platform includes a SAML 2.0 compliant Single Sign-On (SSO) server which can be easily integrated with Juniper SA to provide two-factor authentication. Prior to configuring Juniper SA, you must have the DualShield Authentication Server and DualShield SSO Server installed and operating (both are installed by default in the installation of the platform). For the installation, configuration and administration of the DualShield Authentication and SSO servers please refer to the following documents:

• DualShield Authentication Platform – Installation Guide
• DualShield Authentication Platform – Quick Start Guide
• DualShield Authentication Platform – Administration Guide

The following outlines the key steps:

In DualShield

1. Create a logon procedure for SSO authentication
2. Create a SAML application for Juniper SA
3. Download IdP Metadata
4. Download IdP Certificate

In Juniper SA

1. Import IdP Metadata
2. Create a SAML authentication server
3. Download & Import SP Metadata

Create a SSO logon procedure

1. Log in to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “Web SSO” as the Type
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password”
9. Click “Save”
10. Repeat steps 7 - 9 to add more logon steps if desired, e.g. “One-Time Password”
11. Click “Close”

Create a SAML application

1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
8. Select “SSO Server”
9. Click “Save”
10. Click the context menu of the newly created application and select “Self Test”

Download IdP Metadata

1. Select “SSO | SSO Servers”
2. Click the context menu icon of the SSO server and select “Download Metadata”
3. Save the metadata file onto your hard disk

Download IdP Certificate

1. Click the context menu icon of the SSO server and select “Download IdP Certificate”
2. Save the certificate file onto your hard disk

Import IdP Metadata

Log into your Juniper SA Management Console.

1. Select “Configuration” in the “System” section
2. Select the “SAML” tab
3. Click “New Metadata Provider” and fill in the form:

   Enter the Name
   Select “Local”
   Click “Choose File” and select the IdP Metadata file downloaded and saved in the previous step
   Select “Accept Unsigned Metadata”
   Click “Choose File” and select the IdP Certificate file downloaded and saved in the previous step
   Select “Identity Provider”

With “Accept Unsigned Metadata” selected, the Juniper SA does not verify a signature on the metadata file, so the file is only as trustworthy as the path it took to get there: download it directly from the DualShield management console over HTTPS rather than passing it around by email, and confirm that the X509Certificate embedded in the metadata is the same certificate you downloaded from the SSO server, since that certificate is what the SA will later use to validate the signatures on DualShield’s SAML assertions.

Create a SAML Authentication Server

1. Click “Auth.Servers” in the “Authentication” section
2. Select “SAML Server” in the dropdown list, and click “New Server”
3. Populate the fields
4. Click “Save Changes”

We need to make some changes to the newly created SAML server.

5. Change the “Configuration Mode” to “Manual”
6. Append “?DASApplicationName=[Application Name]” to the end of the “Identity Provider Single Sign On Service URL”, where [Application Name] is the name of the application that you created in DualShield for the Juniper SA. If the URL already carries a query string, join the parameter with “&” instead of a second “?”.
7. Append “?DASApplicationName=[Application Name]” to the end of the “Single Logout Service URL” in the same way
8. Upload the IdP certificate
9. Click “Save Changes”
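A check for the two preceding steps, “Import IdP Metadata” (where the metadata is accepted unsigned) and the manual DASApplicationName edits to the SSO and SLO URLs, as an added example in Python that is not part of the original guide and not Deepnet’s or Juniper’s code. It parses an IdP metadata file of the kind downloaded from the DualShield SSO server, extracts the entityID and the SingleSignOnService and SingleLogoutService locations, fingerprints the embedded signing certificate so it can be compared with the separately downloaded IdP certificate, and appends DASApplicationName as a proper query parameter. The metadata, entityID, URLs and certificate bytes are constructed for the example (the certificate is arbitrary bytes, not a real X.509 certificate), and the element names follow the SAML 2.0 metadata schema rather than any DualShield-specific format.

```python
"""Added example (not part of the guide and not Deepnet's or Juniper's code): parse SAML 2.0
IdP metadata of the kind downloaded from the DualShield SSO server, pull out what the Juniper
SA form needs, fingerprint the embedded signing certificate for comparison with the separately
downloaded IdP certificate, and append DASApplicationName as a real query parameter.
The metadata, entityID, URLs and certificate bytes below are constructed for the example."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

FAKE_CERT_DER = bytes(range(32))  # stands in for the DER certificate; not a real X.509 cert
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://sso.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://sso.example.test/saml/login"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://sso.example.test/saml/login?binding=post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes, the value `openssl x509 -noout -fingerprint -sha256` shows (no colons)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def parse_idp_metadata(xml_text):
    """Return entityID, SSO/SLO endpoints keyed by binding, and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    certs = [cert_fingerprint(c.text) for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # absent 'use' means signing and encryption
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo, "signing_cert_sha256": certs}

def with_das_application_name(url, app_name):
    """Add DASApplicationName=<app>: '?' on a bare URL, '&' when a query string already exists,
    replacing any earlier copy of the parameter so the edit is safe to repeat."""
    parts = urlparse(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "DASApplicationName"]
    query.append(("DASApplicationName", app_name))
    return urlunparse(parts._replace(query=urlencode(query)))

def matches_downloaded_cert(meta, downloaded_der):
    """With 'Accept Unsigned Metadata' nothing cryptographic binds the file to the IdP, so
    cross-check the certificate inside it against the one downloaded from the SSO server."""
    return hashlib.sha256(downloaded_der).hexdigest() in meta["signing_cert_sha256"]
```

parse_idp_metadata(SAMPLE_METADATA) gives the entityID and the HTTP-Redirect SSO and SLO locations to enter in the SAML server form; with_das_application_name on each of them produces the URL for steps 6 and 7 and yields “&DASApplicationName=…” when the location already has a query string, which a plain text append of “?DASApplicationName=” would get wrong. matches_downloaded_cert takes the DER bytes of the certificate file downloaded under “Download IdP Certificate” and confirms it is the signing certificate the metadata advertises.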


Download & Import SP Metadata

In the Juniper SA management console, open the newly created SAML authentication server.

1. Click “Download Metadata”
2. Save it to your hard disk
3. Open the file in a text editor
4. Copy the entire content to the clipboard

In the DualShield management console, select “SSO | SSO Servers”. In the context menu of the SSO server, select “Service Providers”.

1. Click “Create” on the toolbar
2. Enter “Name” and paste the metadata content from the clipboard into the “Metadata” field
3. Click “Save”

Test Authentication

To test the SAML authentication, you can create a new User Realm in the Juniper SA or change an existing realm, and use the DualShield SSO as its authentication server:


You will also need to define its Role Mapping, e.g.

And create a new sign-in URL (a Sign-in Policy under “Signing In”) for the realm:


Launch your web browser and navigate to the sign-in URL, e.g. https://juniper.deepnetest32.com/saml

You will immediately be redirected to the DualShield SSO logon server:

Once you have been successfully authenticated by the DualShield SSO server, you will be redirected back to the Juniper SA: