Implementation Guide Juniper SA SSL VPN
Copyright © 2011, Deepnet Security. All Rights Reserved. Page 1
Juniper SA SSL VPN Implementation Guide
(Version 5.4)
Copyright 2011
Deepnet Security Limited
Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,
SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.
Copyrights
Under international copyright law, neither the Deepnet Security software nor the
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine-readable form, in whole or in part, without the prior written consent
of Deepnet Security.
Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.
Disclaimer
This document is provided “as is” without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: [email protected]
Table of Contents
Overview ......................................................................................... 4
RADIUS ........................................................................................... 5
Create a RADIUS logon procedure ........................................................................ 5
Create a RADIUS application................................................................................ 6
Register the Juniper SA as a Radius client ............................................................. 7
Register the DualShield RADIUS server ................................................................. 8
Test Authentication ............................................................................................ 9
DualShield as the only Auth Server ................................................................................................. 9
DualShield as the second Auth Server ............................................................................................12
Challenge & Response ..................................................................................................................13
SAML 2.0 ....................................................................................... 17
Create a SSO logon procedure ........................................................................... 17
Create a SAML application ................................................................................. 18
Download IdP Metadata .................................................................................... 19
Download IdP Certificate ................................................................................... 19
Import IdP Metadata ........................................................................................ 20
Create a SAML Authentication Server .................................................................. 20
Download & Import SP Metadata ........................................................................ 22
Test Authentication .......................................................................................... 22
Overview
This implementation guide describes how to integrate the Juniper SA SSL VPN appliance with
the DualShield unified authentication platform in order to add two-factor authentication
to the SSL VPN login process.
Juniper SA supports external authentication servers including both RADIUS and SAML.
DualShield unified authentication platform includes a fully compliant RADIUS server as
well as a SAML 2.0 compliant Single Sign-On (SSO) server. Therefore, Juniper SA can be
configured to work with the DualShield Radius server or DualShield SSO server,
depending on the customers’ requirements. If a customer requires only OTP and ODP
(One-Time Password and On-Demand Password) authentication, then RADIUS can
deliver those authentication methods. If a customer also requires other authentication
methods such as keystroke biometrics, device DNA or ODP with a more user-friendly
logon interface, then the customer must implement the SAML solution.
RADIUS
Prior to configuring Juniper SA for two-factor authentication, you must have the
DualShield Authentication Server and DualShield Radius Server installed and operating.
For the installation, configuration and administration of DualShield Authentication and
Radius servers please refer to the following documents:
• DualShield Authentication Platform – Installation Guide
• DualShield Authentication Platform – Quick Start Guide
• DualShield Authentication Platform – Administration Guide
• DualShield Radius Server - Installation Guide
You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in Juniper SA. The
document below provides general instructions for RADIUS authentication with the
DualShield Radius Server:
VPN & RADIUS - Implementation Guide
The key steps are outlined below:
In DualShield
1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for Juniper SA
3. Register the Juniper SA as a RADIUS client
In Juniper SA
1. Register the DualShield RADIUS authentication server
Create a RADIUS logon procedure
1. Login to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “RADIUS” as the Type
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password + One-Time Password”
9. Click “Save”
Create a RADIUS application
1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application, select “Agent”
8. Select the DualShield Radius server, e.g. “Local Radius Server”
9. Click “Save”
10. Click the context menu of the newly created application, select “Self Test”
Register the Juniper SA as a Radius client
1. In the main menu, select “RADIUS | Clients”
2. Click the “Register” button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the Juniper SA’s IP address in the “IP address” field
5. Enter the Shared Secret; the same value will later be entered in the Juniper SA
6. Click “Save”
Register the DualShield RADIUS server
Log into the Juniper SA Administrator Console. The administrator console can be reached
via a web browser, e.g. https://juniper.deepnetlabs.com/admin
1. Click “Auth.Servers” in the “Authentication” section
2. Select “Radius Server” in the dropdown list, and click “New Server”
3. Populate the fields:
   Name: a label for the DualShield RADIUS server
   Radius Server: IP address or FQDN of the DualShield RADIUS server
   Authentication Port: authentication port of the DualShield RADIUS server
   Accounting Port: accounting port of the DualShield RADIUS server
   Shared Secret: the Shared Secret set up in the DualShield Radius client
Test Authentication
To test the RADIUS authentication, you can create a new User Realm in the Juniper SA
or change an existing realm. There are two options for configuring the authentication
servers for the User Realm:
1) Use the DualShield Radius server as the only authentication server
2) Use the DualShield Radius server as the second authentication server
DualShield as the only Auth Server
When the DualShield Radius server is used as the only authentication server, typically
you would configure the DualShield to authenticate both the user’s AD password (Static
Password) and the user’s token password (One-Time Password). The logon procedure in
DualShield would have one step with the combination of the Static Password and One-
Time Password (and/or On-Demand Password).
You will also need to define its Role Mapping, e.g.
And create a new Sign-in URL:
Launch your web browser and navigate to the sign-in URL, e.g.
https://juniper.deepnetest32.com/saml
Enter your username and the password in the form defined by your logon
procedure, e.g. “static password + one-time password”.
DualShield as the second Auth Server
You can configure Juniper SA to use the DualShield Radius server as the second
authentication server. In this case, typically you would use your AD/LDAP as the first
authentication server.
1. Edit your User Realm
Set the DualShield Radius server as the second authentication server.
At logon, Juniper SA will present a logon form with a user name, password and the
secondary password:
Challenge & Response
If you are planning to deploy the On-Demand Password authentication solution using the
T-Pass authenticator, then the recommended implementation is to use Radius challenge
and response. The user experience in the login process is shown below:
1) Users will be first asked to enter their user name and AD password.
2) The user name and password will be submitted to the DualShield server to be verified.
When DualShield has successfully verified the user and the password, it will generate
a one-time password and send it to the user by SMS or email.
3) The user will then be asked to enter the one-time password:
To implement Radius Challenge & Response, you need to edit the Radius server and add
a new Radius rule.
1. Select “Auth Server”, open the DualShield Radius server entry you created, and scroll down to “Custom Radius Rules”:
2. Select “New Radius Rule”, and populate the form below:
3. Click “Save Changes”
4. Use the DualShield Radius server as the only authentication server in the User Realm
5. In the DualShield management console, you must create a logon procedure with two logon steps as below:
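The Radius client registration (shared secret) and the challenge and response flow described above, modelled in Python as an added example that is not Deepnet's or Juniper's code: a toy DualShield-side handler checks the AD password in the first Access-Request, answers with an Access-Challenge carrying a State attribute and the OTP prompt, and accepts the second request only if the OTP arrives with that single-use State. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the user, passwords and shared secret are constructed sample values.

```python
import hashlib, hmac, secrets, struct

# Constructed, self-contained model of the RADIUS (RFC 2865) challenge/response
# round trip described above; an added example, not Deepnet's or Juniper's code.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block); only a
    # peer holding the same shared secret can recover the password.
    if not decrypt:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\0") if decrypt else out

def build(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_auth(pkt, request_auth, secret):
    # MD5(Code+ID+Length+RequestAuth+Attributes+Secret): a client configured with a
    # different shared secret computes a different value and must discard the reply.
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def dualshield_step(pkt, secret, users, pending):
    """Toy DualShield logic: round 1 checks the AD password and challenges for the
    OTP with a State attribute; round 2 checks the OTP bound to that State."""
    code, ident, req_auth, attrs = parse(pkt)
    user = attrs[USER_NAME].decode()
    entered = hide_password(attrs[USER_PASSWORD], secret, req_auth, decrypt=True).decode()
    if STATE not in attrs:
        if users.get(user, {}).get("ad_password") != entered:
            code, reply = ACCESS_REJECT, []
        else:  # password ok: the OTP goes out by SMS/email and is requested in a second round
            state = secrets.token_bytes(8)
            pending[state] = user  # bind the challenge to the user who passed round 1
            code, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter your one-time password"), (STATE, state)]
    else:  # round 2: State must be one we issued, for the same user, and is consumed on use
        ok = pending.pop(attrs[STATE], None) == user and hmac.compare_digest(users[user]["otp"], entered)
        code, reply = (ACCESS_ACCEPT if ok else ACCESS_REJECT), []
    out = build(code, ident, req_auth, reply)
    return out[:4] + response_auth(out, req_auth, secret) + out[20:]
```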
SAML 2.0
DualShield unified authentication platform includes a SAML 2.0 compliant Single Sign-On
(SSO) server which can be easily integrated with Juniper SA to provide two-factor
authentication. Prior to configuring Juniper SA, you must have the DualShield
Authentication Server and DualShield SSO Server installed and operating (both are
installed by default in the installation of the platform). For the installation, configuration
and administration of DualShield Authentication and SSO servers please refer to the
following documents:
• DualShield Authentication Platform – Installation Guide
• DualShield Authentication Platform – Quick Start Guide
• DualShield Authentication Platform – Administration Guide
The key steps are outlined below:
In DualShield
1. Create a logon procedure for SSO authentication
2. Create a SAML application for Juniper SA
3. Download IdP Metadata
4. Download IdP Certificate
In Juniper SA
1. Import IdP Metadata
2. Create a SAML authentication server
3. Download & Import SP Metadata
Create a SSO logon procedure
1. Login to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “Web SSO” as the Type
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password”
9. Click “Save”
10. Repeat steps 7 - 9 to add more logon steps if desired, e.g. “One-Time Password”
11. Click “Close”
Create a SAML application
1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application, select “Agent”
8. Select “SSO Server”
9. Click “Save”
10. Click the context menu of the newly created application, select “Self Test”
Download IdP Metadata
1. Select “SSO | SSO Servers”
2. Click the context menu icon of the SSO server and select “Download Metadata”
3. Save the metadata file onto your hard disk
Download IdP Certificate
1. Click the context menu icon of the SSO server and select “Download IdP Certificate”
2. Save the certificate file onto your hard disk
Import IdP Metadata
Log into your Juniper SA Management Console.
1. Select “Configuration” in the “System” section
2. Select the “SAML” tab
3. Click “New Metadata Provider” and fill in the form:
• Enter the Name
• Select “Local”
• Click “Choose File” to select the IdP Metadata file downloaded and saved in the previous step
• Select “Accept Unsigned Metadata”
• Click “Choose File” to select the IdP Certificate file downloaded and saved in the previous step
• Select “Identity Provider”
Create a SAML Authentication Server
1. Click “Auth.Servers” in the “Authentication” section
2. Select “SAML Server” in the dropdown list, and click “New Server”
3. Populate the fields
4. Click “Save Changes”
We need to make some changes to the newly created SAML server.
5. Change the “Configuration Mode” to “Manual”
6. Append “?DASApplicationName=[Application Name]” to the end of “Identity Provider Single Sign On Service URL”
Where [Application Name] is the name of the application that you created in
DualShield for the Juniper SA.
7. Append “?DASApplicationName=[Application Name]” to the end of “Single Logout Service URL”
8. Upload the IdP certificate
9. Click “Save Changes”
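Steps 5 to 8 above, worked through in Python as an added example that is not Deepnet's or Juniper's code: it reads the SSO and logout endpoints and the signing certificate out of constructed IdP metadata, appends DASApplicationName to both URLs (going beyond the text by using “&” instead of “?” when the URL already carries a query string, and URL-encoding the application name), and refuses an uploaded IdP certificate whose fingerprint differs from the one the metadata vouches for. The hostnames, application name and certificate bytes are constructed placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata in the shape an SSO server publishes; the certificate is a
# base64 placeholder, not a real X.509 certificate. Added example, not the product's code.
CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://dualshield.example.com/sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://dualshield.example.com/sso/logout"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://dualshield.example.com/sso/login?v=2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
UPLOADED_IDP_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"

def with_app_name(url, app_name):
    """Add DASApplicationName, using '&' when the URL already carries a query string."""
    parts = urlsplit(url)
    query = [kv for kv in parse_qsl(parts.query, keep_blank_values=True) if kv[0] != "DASApplicationName"]
    query.append(("DASApplicationName", app_name))
    return urlunsplit(parts._replace(query=urlencode(query)))

def read_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    def location(tag):  # Location of the HTTP-Redirect endpoint for the given service
        return next((s.get("Location") for s in idp.findall(f"md:{tag}", NS) if s.get("Binding") == REDIRECT), None)
    certs = [c.text.strip() for c in idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": location("SingleSignOnService"),
            "slo": location("SingleLogoutService"), "certs": certs}

def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes, so a PEM file and the metadata's base64 compare equal."""
    body = "".join(l for l in cert_text.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def juniper_saml_settings(xml_text, app_name, uploaded_cert_pem):
    """Values for steps 5-8, refusing a certificate the IdP metadata does not vouch for."""
    meta = read_idp_metadata(xml_text)
    if cert_fingerprint(uploaded_cert_pem) not in {cert_fingerprint(c) for c in meta["certs"]}:
        raise ValueError("uploaded IdP certificate does not match the signing certificate in the metadata")
    return {"entity_id": meta["entity_id"],
            "Identity Provider Single Sign On Service URL": with_app_name(meta["sso"], app_name),
            "Single Logout Service URL": with_app_name(meta["slo"], app_name)}
```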
Download & Import SP Metadata
In the Juniper SA management console, open the newly created SAML authentication
server.
1. Click “Download Metadata”
2. Save it to your hard disk
3. Open the file in a text editor
4. Copy the entire content to the clipboard
In the DualShield management console, select “SSO | SSO Servers”. In the context
menu of the SSO server, select “Service Providers”
1. Click “Create” on the toolbar
2. Enter “Name” and paste the metadata content in the clipboard into the “Metadata” field.
3. Click “Save”
Test Authentication
To test the SAML authentication, you can create a new User Realm in the Juniper SA or
change an existing realm, and use the DualShield SSO as its authentication server:
You will also need to define its Role Mapping, e.g.
And create a new Sign-in URL:
Launch your web browser and navigate to the sign-in URL, e.g.
https://juniper.deepnetest32.com/saml
You’ll immediately be redirected to the DualShield SSO logon server:
Once you have been successfully authenticated by the DualShield SSO server, you’ll be
redirected back to the Juniper SA: