Implementation Guide for protecting Juniper SSL VPN with ...

Implementation Guide for 

protecting 

Juniper SSL VPN 

with 

BlackShield ID

Copyright 

Copyright © 2011, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, 

transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the 

written permission of CRYPTOCard. 

Trademarks 

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of 

CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners. 

Additional Information, Assistance, or Comments 

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in 

your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can 

suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a 

satisfying experience for network users. We can also help you leverage your existing network equipment and systems 

to maximize your return on investment. 

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased 

this product through a CRYPTOCard channel partner, please contact your partner directly for support needs. 

To contact CRYPTOCard directly: 

International Voice: +1-613-599-2441 

North America Toll Free: 1-800-307-7042 

e-mail: support@cryptocard.com 

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com. 

Related Documentation 

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and 

interoperability guides: http://www.cryptocard.com. 

Publication History 

Date Changes Version 

January 26, 2009 Documented created 1.0 

March 21, 2011 Updated with Filter-Id return attribute, and GrIDsure support 1.1

Table of Content 

Overview ............................................................................................................................... 1 

Applicability .......................................................................................................................... 1 

Assumptions ......................................................................................................................... 2 

Operation .............................................................................................................................. 2 

1. Configuration ................................................................................................................. 3 

1.1. Configuring Juniper SSL VPN for Two Factor Authentication .............................................................. 3 

1.2. Testing CRYPTOCard Authentication ................................................................................................ 5 

2. Advanced Configuration ................................................................................................. 6 

2.1. Adding Filter-Id to a User Realm in Juniper SSL VPN .......................................................................... 6 

2.1.1. Adding Filter-Id attribute to Remote Access Policy (Windows 2003) ........................................................................... 7 

2.1.2. Creating new Network Policy with Filter-Id attribute (Windows 2008) ..................................................................... 10 

3. Juniper SSL VPN and GrIDsure support .......................................................................... 12 

3.1. Prerequisites ................................................................................................................................. 13 

3.2. Adding the BlackShield Self Service URL to the gridsure.js file ......................................................... 13 

3.3. Adding the CRYPTOCard GrIDsure enabled Sign-in page. ................................................................. 13 

3.4. Assigning the CRYPTOCard GrIDsure enabled Sign-in page to a Sign-in Policy. .................................. 13 

3.5. Login as a CRYPTOCard GrIDsure enabled user. ............................................................................... 14 

3.6. Optional - Enabled Challenge-response requests ............................................................................ 14

Overview 

By default Juniper SSL VPN logons requires that a user provide a correct user name and password to successfully 

logon. This document describes the steps necessary to augment this logon mechanism with strong authentication by 

adding a requirement to provide a one-time password generated by a CRYPTOCard token using the implementation 

instructions below. 

Applicability 

This integration guide is applicable to: 

Security Partner Information 

Security Partner 

Juniper Networks 

Product Name and Version SA 700 / 6.2R1 (build 13255) 

Protection Category 

SSL Remote Access 

CRYPTOCard Server 

Authentication Server 

RADIUS Server 

BlackShield ID Sever 2.4 or higher 

BlackShield ID Server 2.7 or higher (GrIDSure support) 

Microsoft Internet Authentication Service (IAS) 

Microsoft Network Policy Server (NPS) 

Juniper Steel Belted RADIUS server 

1

Assumptions 

1. BlackShield ID has been installed and configured. 

2. BlackShield ID NPS IAS Agent has been installed and configured on the NPS IAS Server to accept Radius 

authentication from the Juniper SSL VPN. 

3. Ensure that Ports 1812 UDP and 1813 UDP are open to the NPS / IAS Server 

4. The NPS IAS Agent must be configured to use either port 80 or port 443 to send authentication requests to the 

BlackShield ID server. 

5. Create or define a “Test” account that will be used to verify that the Juniper SSL VPN has been properly 

configured. Ensure that the user name for this account exists in BlackShield ID by locating it in the Assignment 

Tab. 

6. Verify that the “Test” user account can successfully authenticate with a static password, to the Juniper SSL VPN 

before attempting to apply changes and test authentication using a token. 

7. A “Test” user account has been created and assigned with a CRYPTOCard token. 

Operation 

This document provides step by step instruction on how to configure the Juniper SSL VPN to send Radius 

authentication to an external Radius Server. 

2

1. Configuration 

1.1. Configuring Juniper SSL VPN for Two Factor Authentication 

• Log into the Juniper SSL VPN Admin web portal. 

• To add a new Radius Server, click on “Auth 

Servers” 

• From the dropdown box, and select "Radius 

Server" 

• Then click on the "New Server..." button 

• Enter in a Name of the “New Radius Server” 

• Enter in the IP address or DNS name of the 

Primary BlackShield ID Radius Server into the 

“Radius Server” field 

• Enter in a Shared Secret into the “Shared Secret” 

field 

• Place a checkmark in the “Users authenticate 

using tokens and one-time passwords” checkbox. 

• Click “Save Changes” when completed. 

Optional: 

• If there is a Secondary BlackShield ID Radius 

Server, please fill in all fields within the Backup 

Server section. 

NOTE: If the Juniper SSL VPN has other realms created, then please skip the rest of this section and go to 

“Advanced Configuration” section. 

3

After the New Radius Server has been created, the 

Radius Server need to be applied to a User Realm. 

• On the left hand side, select User Realms 

• Select Users 

• Then select General 

Under the Servers section, there will three down fields. 

They are: 

• Authentication 

• Directory/Attribute 

• Accounting 

Change them “Authentication” and “Accounting” to use 

the new Radius Server was just created. 

Change Directory/Attribute to use “Same as above” 

Click “Save Changes” when completed. 

Next is to check the Sign-in Policies section to ensure 

that the default User URL is set to allow all User Realms 

to authenticate. 

Ensure that the Authentication Realm(s) section has say ALL. This means that any User Realms created within the 

Juniper SSL VPN can authenticate to this User URL. 

4

1.2. Testing CRYPTOCard Authentication 

Next step is to test authentication against BlackShield ID via RADIUS with the newly configured Juniper SSL VPN web 

login portal. 

Open up a web browser and go to: 

http://JuniperSSLVPN.DNS.Name/ 

Enter in a username and the One Time Password from a 

CRYPTOCard Token. 

Click “Sign In”. 

If the authentication is successful, the user will see the following screen. 

5

2. Advanced Configuration 

After configuring the Juniper SSL VPN for Radius authentication, the Juniper device may have issues applying the 

proper User Realm to the user that is authenticating. This is due to the RADIUS Server returns an access-accept, but 

the Juniper SSL VPN does not know which role to map to that user. To resolve this issue, a RADIUS Return Attribute 

of Filter-Id is added to the role mapping. 

2.1. Adding Filter-Id to a User Realm in Juniper SSL VPN 

Log into the Juniper SSL VPN Administrative web portal 

• Go down to the “Users” section 

• Highlight “User Realms” 

• Then highlight the User Realm where the Filter- 

Id attribute will be added 

• Finally click on “Role Mapping” 

Under the Role Mapping tab, click on the “New Rule…” 

button. 

In the new Role Mapping Rule webpage please perform 

the following: 

• Under the “rule based on:”, click the dropdown 

menu and select “User attribute” 

• Then click the Update button 

• Under the “Attribute:” section, click the 

dropdown menu and select Filter-Id (11) 

• In the textbox below, type in a name for the 

Filter-Id (eg. Information Technology) 

• Under the “…then assign these roles”, select the 

Role (s) that will be assigned users after a 

successful authentication and the correct Filter- 

Id has been returned to the Juniper SSL VPN 

device. 

• Click “Save Changes” when finished. 

6

Next, check the “Sign-in Policies” section to ensure that 

the default User URL is set to use the User Realm that 

has the Filter-Id added as a Role Mapping. 

Ensure that the Authentication Realm(s) section has only the correct User Realm displayed. This means that that 

User Realms created within the Juniper SSL VPN can authenticate to this User URL. 

2.1.1. Adding Filter-Id attribute to Remote Access Policy (Windows 2003) 

This is section is specifically for adding a Filter-Id attribute to a Remote Access Policy within Windows 2003 Internet 

Authentication Service (IAS). To add a new Network Policy with a Filter-Id in Microsoft Network Policy Server, on 

Windows 2008, please see the next section 2.1.2. 

Open up Microsoft Internet Authentication Service (2003) 

• Select “Remote Access Policies” 

• Right click “Authenticate to BlackShield”, and select 

“Properties” 

7

Perform the following “Authenticate to BlackShield Properties” 

popup: 

• NAS-Port-Type matches “Ethernet” 

• Click the “Remove” button, then click the “Add” button 

• Select “Day-And-Time-Restrictions”, and click “Add” 

• Select the “Permitted” radio button 

• Click “OK”, and then “Apply” 

• In the Authenticate to BlackShield Properties” popup, 

click “Edit Profile…” 

• In the “Edit Dial-in Profile” popup, click the “Advanced” 

tab. 

• Click the “Add” button 

• Select the “Filter-Id”, and then click “Add” 

• In the new pop up, click the “Add” button 

• Another pop up appears. Enter in the Filter-Id value 

that was entered in section 2.1.1. 

• Click “OK” when finished, “OK” again, then click “Close” 

8

The “Advanced” tab will now display the new Filter-Id that has 

been added to this Remote Access Policy. 

• Click “OK”, and then “OK” again when finished. 

• Expand “Connection Request Processing” in IAS 

• Select “Connection Request Policies” 

• Right click on the Policy that was created for 

BlackShield, and select “Properties” 

• In the Authentication tab, select the “Authenticate 

requests on this server” radio button 

• Click “OK” when finished. 

• After all changes have been made, open up Windows 

Services, and restart “Internet Authentication Service”. 

9

2.1.2. Creating new Network Policy with Filter-Id attribute (Windows 2008) 

This is section is specifically for adding a new Network Policy along with a Filter-Id attribute to Network Policy within 

Windows 2008 Network Policy Server (NPS). To add a Filter-Id attribute to a Remote Access Policy in Microsoft 

Internet Authentication Service on Windows 2003, please see the next section 2.1.1. 

• Open up Microsoft Network Policy Server (2008) 

• Expand “Policies” 

• Select “Network Policies” 

• Right click “Network Policies” and select “New” 

• Enter in a name for the new Network Policy 

under the “Policy name” field 

• Ensure “Type of network access server” is set to 

“Unspecified” 

• Click “Next” to continue 

• Click the “Add” button to add a new condition 

• Scroll down and select “Day and Time 

Restrictions”, and Click “Add” 

• Select the “Permitted” radio button, and then 

Click “OK” 

• Click “Next” to continue 

• Select the “Access granted” radio button 

• Click the “Next” button three times 

10

• Click the “Add” button to add a new attribute 

• Select “Filter-Id”, and click “Add” 

• Click the “Add” button, then enter in the Filter- 

Id value that was entered in section 2.1.1 

• Click “OK”, then OK again 

• Click the “Close” button 

• Click “Next” 

• Then click “Finish” to create the New Network 

Policy 

• Select “Connection Request Policies” in NPS 

• Right click on the Policy that was created for 

BlackShield, and select “Properties” 

• Select the “Settings” tab 

• Then select “Authentication” on the left hand 

side 

• On the right hand side, select the “Authenticate 

requests on this server” radio button 

• Click “OK” when finished 

• After all changes have been made, open up 

Windows Services, and restart “Network Policy 

Server” 

11

3. Juniper SSL VPN and GrIDsure support 

The Juniper SSL VPN login page can be configured to authenticate hardware and GrIDsure token users. 

1. The user enters the Juniper SSL VPN URL into their web browser. 

2. The Juniper SSL VPN login page displays a Username and OTP field as well as a Login and Get GrID button. 

3. The user enters their username into the Username field then selects Get Grid. The request is submitted 

from the user’s web browser to the BlackShield Self Service site. 

4. The BlackShield Self Service site displays the user’s GrIDsure Grid within the Juniper SSL VPN login page. 

5. The user enters their GrIDsure password into the OTP field then submits the request. 

6. The Juniper SSL VPN device performs a RADIUS authentication request against the BlackShield server. If the 

CRYPTOCard credentials entered are valid, the user is presented with their Juniper SSL VPN portal 

otherwise, the attempt is rejected. 

12

3.1. Prerequisites 

1. The Juniper SSL VPN device must support uploading custom login pages (Juniper SSL VPN model SA 2500 

or higher). 

2. The BlackShield Self Service Site must be publicly accessible to SSL VPN clients. 

3. The Juniper device must already be configured to perform RADIUS authentication against the BlackShield 

server. 

3.2. Adding the BlackShield Self Service URL to the gridsure.js file 

1. Open gridsure.js with a text editor. 

2. Change the value of gridMakerURL to reflect the location of your BlackShield Self Service website then save 

the file. 

Example: 

• var gridMakerURL = 

"https://www.mycompany.com/blackshieldss/index.aspx?getChallengeImage=true&userName="; 

3.3. Adding the CRYPTOCard GrIDsure enabled Sign-in page. 

1. Login as an administrator to the Juniper device. 

2. Select Authentication, Signing In, Sign-In Pages. 

3. Select the "Upload Custom Pages" button. 

4. In the "Sample Templates Files" section select "Sample". Download sample.zip to a temporary folder. 

5. Rename the sample.zip file to cryptocard.zip. 

6. Add the gridsure.js and LoginPage.thtml file to cryptocard.zip (if prompted, overwrite the existing 

LoginPage.thtml file). 

7. In "Upload Custom Sign-In Pages", enter "CRYPTOCard GrID Enabled" into the Name field and in "Page 

Type" select "Access". In "Templates File" browse to the cryptocard.zip file then select the "Upload Custom 

Pages" button. 

3.4. Assigning the CRYPTOCard GrIDsure enabled Sign-in page to a Sign-in Policy. 


2. Select Authentication, Signing In, Sign-In Policies. 

3. Select the CRYPTOCard authentication enabled "User URL". 

4. In the Sign-in page section, select "CRYPTOCard GrID Enabled" then save the settings. 

13

3.5. Login as a CRYPTOCard GrIDsure enabled user. 

1. Open a web browser and browse to the CRYPTOCard enabled Juniper SSL VPN sign-in page. 

2. Enter the username then select the "Get Grid" button, a grid will appear in the screen. 

3. Enter the PIP into the password field then select Sign-in. 

3.6. Optional - Enabled Challenge-response requests 


2. Select Authentication, Auth. Servers. 

3. Select the CRYPTOCard RADIUS enabled authentication server. 

4. In "Custom Radius Rules" select "New Radius Rule...". 

5. In "Display Name" enter "Display challenges", set "Response Packet Type" to "Access Challenge". In 

"Attribute criteria" set "Radius Attribute" to "Reply-Message(18) with a "Value" of "*". In "Then take 

action..." select "show Generic Login page". 

6. Save the changes. 

14

Implementation Guide for protecting Juniper SSL VPN with ...

Create successful ePaper yourself

Delete template?

Save as template?