VASCO Digipass, Juniper SSL VPN configuration guide - Orbit One

More documents

Recommendations

Info

1.3. Windows Server 2008 Active DirectoryVASCO Middleware 3.0 cannot be installed on a Windows Server 2008. If all your Active Directoryservers are running Win2008, you need to use server running Windows Server 2003 32bit, thathas joined the 2008 Active Directory domain. Note that this setup has NOT been tested by us,and VASCO support cannot guarantee it will work.>> We will update this document as soon as we have more info.1.4. Some terminology (important!)• Local Authentication: this is the authentication performed by the Vasco Middleware,checking your PIN code and Digipass dynamic code.• Back-End Authentication: this is the authentication performed by Windows ActiveDirectory, checking your username and password.• OTP: One-time password. This is the numeric code that the Digipass device displayswhen you push the button. The code changes every 36 seconds and each code can beused only once.• PIN: a numeric code that the user needs to remember when working with his Digipass.When you deploy the solution you can choose if you want to work with or without PINcode (see later in this document).• Static password: the Active Directory password of the user• Serial number: the serial number on the back of each DigipassOrbit One InternalVASCO Digipass - Configuration with Juniper SA - 4 October 2008 6
2. Digipass deployment strategy2.1. Choose an Authentication methodAn important choice you have to make, is how users will need to authenticate. You have severaloptions:• Username + OTP onlyThis should NOT be used, if someone steals the Digipass, he can authenticate in yournetwork without the need to know any “secret”.• Username + OTP + PINThis is a safe way to authenticate, but it requires people to remember yet another PINcode...• Username + OTP + Active Directory passwordThis is our preferred way of authentication, your users are already familiar withauthentication using username and password. We just add the Digipass OTP to thiswhen they work remotely.• Username + OTP + PIN + Active Directory passwordThis is very safe but a bit overkill.See VACMAN Middleware Product Guide.pdf, page 13 for more information.2.2. Understanding Assignment modesYou need to decide how you will link the Digipass devices to your users.• Manual Assignment (see 5.3)The administrator manually assigns a Digipass device to each user in Active Directory.Then you physically give the Digipass with the correct serial number to the person.• Self-AssignmentYou give each user a Digipass device. You instruct the user how to “activate” his Digipassthe first time he will use it. This is called “self-assignment”.They will need to enter the following string in the password:No PIN = “SERIALNUMBERpasswordOTP”PIN active = “SERIALNUMBERpasswordPINOTPIn this document we use the “self-assignment” mode.See page 48 of the VACMAN Middleware Product Guide.pdf for more info.Orbit One InternalVASCO Digipass - Configuration with Juniper SA - 4 October 2008 7
Page 1 and 2: VASCO DigipassConfiguration with Ju
Page 3 and 4: 6.6. Reset the Digipass Windows Ser
Page 5: 1.2. Requirements• One or more
Page 10 and 11: 3. Prepare Windows serverFollow the
Page 12 and 13: 4. VACMAN MiddlewareFollow the step
Page 14 and 15: 5. Import and assign Digipass token
Page 16 and 17: 5.2. Moving Digipass to other OUWhe
Page 18 and 19: 5.5. Test the Digipass• Open the
Page 20 and 21: 6.3. Create your Policy• Click on
Page 22 and 23: ••• OKOrbit One InternalVASCO
Page 24 and 25: 6.5. Configure the RADIUS ClientA R
Page 26: 6.7.2. Normal authentication (witho
Page 29 and 30: 7.1.2. Digipass Authentication Serv
Page 31 and 32: Set Role Mapping for this Realm•
Page 33 and 34: Copy paste this code in Instruction
Page 35 and 36: 7.4. Set Sign-In Policies7.4.1. Cre
Page 37: 7.5. Test Juniper SA Authentication

VASCO Digipass, Juniper SSL VPN configuration guide - Orbit One

Create successful ePaper yourself

Delete template?

Save as template?