Juniper Ssl VPN Sso Bsid


  • 8/6/2019 Juniper Ssl VPN Sso Bsid

    1/11

    Copyright 2009 CRYPTOCard Inc. http:// www.cryptocard.com

    Implementation Guide for

    Juniper SSL VPN SSO with OWA

    with

    BlackShield ID


    BlackShield ID Implementation Guide for Juniper SSL VPN SSO i

    Copyright

    Copyright 2009, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced,

    transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or

    by any means without the written permission of CRYPTOCard.

    Trademarks

    BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or

    trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of

    their owners.

    Additional Information, Assistance, or Comments

    CRYPTOCard's technical support specialists can provide assistance when planning and implementing

    CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication

    products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition

    from existing access control systems and a satisfying experience for network users. We can also help

    you leverage your existing network equipment and systems to maximize your return on investment.

    CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you

    purchased this product through a CRYPTOCard channel partner, please contact your partner directly

    for support needs.

    To contact CRYPTOCard directly:

    International Voice: +1-613-599-2441

    North America Toll Free: 1-800-307-7042

    [email protected]

    For information about obtaining a support contract, see our Support Web page at

    http://www.cryptocard.com.

    Related Documentation

    Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation

    and interoperability guides: http://www.cryptocard.com.

    Publication History

    Date Changes Version

    April 15, 2009 Document created 1.0

    July 9, 2009 Copyright year updated 1.1

    October 16, 2009 Minor updates 1.2


    Table of Contents

    Overview ............................................................ 1
    Applicability ....................................................... 1
    Assumptions ......................................................... 1
    Operation ........................................................... 1
    Preparation and Prerequisites ....................................... 2
    Configuration ....................................................... 2
        Adding the RADIUS Server ........................................ 2
    Troubleshooting ..................................................... 8
        Failed Logons ................................................... 8
        Agent Upgrade


    Overview

    By default, a Juniper SSL VPN logon requires that a user provide a correct user name and password to

    log on successfully. This document describes the steps necessary to augment this logon mechanism

    with strong authentication by adding a requirement to provide a one-time password generated by a

    CRYPTOCard token, using the implementation instructions below. This document also describes how

    to add SSO for OWA.

    Applicability

    This integration guide is applicable to:

    Security Partner Information

    Security Partner: Juniper Networks

    Product Name and Version: SA 700 / 6.2R1 (build 13255)

    Protection Category: SSL Remote Access

    CRYPTOCard Server

    Authentication Server: BlackShield ID

    Version: Small Business Edition 1.2+; Professional Edition 2.3+

    Assumptions

    1. BlackShield ID has been installed and configured and a Test user account can be selected in

    the Assignment Tab.

    2. BlackShield ID NPS IAS Agent has been installed and configured on the NPS IAS Server to

    accept RADIUS authentication from the Juniper SSL VPN.

    Operation

    This document provides step-by-step instructions on how to configure the Juniper SSL VPN to send

    RADIUS authentication to an external RADIUS Server.


    Preparation and Prerequisites

    1. Verify that a Test user account with a static password can successfully authenticate via the

    Juniper SSL VPN.

    2. Ensure that UDP ports 1812 and 1813 are open to the NPS / IAS Server.

    3. The NPS IAS Agent must be configured to use either port 80 or port 443 to send authentication

    requests to the BlackShield ID server.

    4. Ensure that you add a condition in IAS under Remote Access Policies.

    In the Remote Access Policies right click Authenticate to BlackShield and select

    Properties.

    Click Edit Profile and select the Advanced tab.

    Add an Attribute named Filter-Id with the value of CCUser1.

    Apply the changes and restart IAS.

    5. Create or define a Test account that will be used to verify that the Juniper SSL VPN has been

    properly installed and configured. Verify that this account can successfully authenticate using a

    standard password before attempting to apply changes and test authentication using a token.

    Ensure that the user name for this account exists in BlackShield ID by locating it in the

    Assignment Tab.

    Configuration

    Adding the RADIUS Server

    To add a new RADIUS Server, click Auth Servers.


    From the dropdown box next to the New: heading, choose "Radius Server", and click on the "New Server..." button.

    Fill in the information for the Primary CRYPTO-Server in the New RADIUS Server page.

    Note:

    Fill the information in the Backup Server section if there is a Secondary BlackShield Server.

    Check the Users authenticate using tokens and one-time passwords box and click on "Save Changes".

    A New User Realm must be configured.

    Click on User Realm.

    Click on Users Authentication Realm section.


    Select the Role Mapping Tab

    Click on New Rule

    Beside the Rule based on click on the drop down menu and select User attribute.

    Then click Update.

    In the Name field, enter a name for reference. In this example CC Role Map was used.

    Select Filter-Id (11) for the attribute, and enter in CCUser1 for the attribute name.

    Click Save Changes when finished.
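    The role-mapping rule above keys on the Filter-Id attribute (type 11) that IAS returns with the value CCUser1 configured earlier. As an added illustration, not part of this guide or of either product's code, the following Python builds an Access-Accept carrying Filter-Id, verifies its Response Authenticator as RFC 2865 defines it (MD5 over code, identifier, length, the request authenticator, the attributes and the shared secret), and only then maps the attribute value to a role the way the rule does. The shared secret, packet identifier, request authenticator and role map are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT = 2   # RADIUS packet code for Access-Accept
FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865)


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build an Access-Accept as the RADIUS server (NPS/IAS) would return it.
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> list:
    """Walk the TLV attribute list; reject lengths that run off the packet."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def verify_and_map_role(packet: bytes, request_auth: bytes, secret: bytes,
                        role_map: dict) -> Optional[str]:
    """Return the mapped role for a genuine Access-Accept, else None.
    The authenticator is checked before any attribute is trusted, so a
    forged or altered Filter-Id never reaches the role lookup."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    for attr_type, value in parse_attributes(attrs):
        if attr_type == FILTER_ID:
            return role_map.get(value.decode("ascii", "replace"))
    return None
```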


    In the General tab of the User Realm add

    the Active Directory Authentication as the

    first server.

    Check Additional authentication server and

    add the RADIUS authentication.

    Beside Username is: check predefined as:

    and enter . Do not leave it as

    .

    Edit the Default Sign-In Page or the page

    that you are using so that the Secondary

    password reads OTP.


    In Resource Profiles / Web add a new

    Profile for OWA.

    Make sure to add the Users in the Roles

    tab.

    In the Exchange System Manager uncheck

    Enable Forms Based Authentication. The

    SSO will not work with Forms Based

    Authentication.

    Edit the Default Sign-In Page or the page

    that you are using so that the Secondary

    password reads OTP.


    Testing CRYPTOCard Authentication

    The next step is to test the newly configured CRYPTOCard Two Factor Authentication.

    Open up a web browser and go to http://JuniperSSLVPN.DNS.Name/

    Enter in your username, Active Directory password and a CRYPTOCard generated Passcode.

    Click Sign In

    If you successfully authenticate, then the following screen should appear.


    Troubleshooting

    Failed Logons

    Symptom: Login Failed

    Indication: 11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP

    Possible Causes: The One Time Password provided for the user is incorrect.

    Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid OTP again, test

    the token out via the BlackShield ID Manager.

    Symptom: Login Failed

    Indication: 11/19/2008 12:47:24 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid PIN

    Possible Causes: The PIN provided for the user is incorrect.

    Solution: Attempt to re-authenticate against BlackShield again. If it comes up as invalid PIN again,

    changing the initial PIN back to default and forcing a PIN change would solve the issue, or have

    the user access the BlackShield Self Service page.
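    The indications above are plain log lines, so the same failures can be watched programmatically rather than one ticket at a time. As an added example that is not part of this guide or of BlackShield ID, the following Python parses lines in the layout shown (date, time, user, event, token serial, client IP, reason), separates Invalid OTP from Invalid PIN failures, and flags users whose failures reach a threshold or arrive from more than one client address. The sample lines are constructed; the Success line's layout (no trailing reason) is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the layout of the Troubleshooting indications.
SAMPLE_LOG = """\
11/19/2008 12:36:49 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
11/19/2008 12:37:05 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
11/19/2008 12:37:30 PM Henry Authentication Failure 312191514 192.168.21.120 Invalid OTP
11/19/2008 12:38:02 PM Henry Authentication Success 312191514 192.168.21.120
11/19/2008 12:47:24 PM Alice Authentication Failure 312191599 192.168.21.77 Invalid PIN
11/19/2008 12:49:00 PM Henry Authentication Failure 312191514 10.0.0.5 Invalid OTP
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<user>\S+) Authentication (?P<result>Success|Failure) "
    r"(?P<serial>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: (?P<reason>.+))?$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %I:%M:%S %p")
    return rec


def summarise_failures(log_text: str, threshold: int = 3) -> dict:
    """Count failures by reason (Invalid OTP vs Invalid PIN, as the guide separates
    them) and flag users with repeated failures or failures from several IPs."""
    by_reason = Counter()
    per_user = Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "Failure":
            continue
        by_reason[rec["reason"]] += 1
        per_user[rec["user"]] += 1
        ips[rec["user"]].add(rec["ip"])
    return {
        "by_reason": dict(by_reason),
        "repeat_failures": sorted(u for u, n in per_user.items() if n >= threshold),
        "multi_ip_users": sorted(u for u, s in ips.items() if len(s) > 1),
    }
```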
