Juniper and AAA Server - HID Global

ActivIdentity ® 4TRESS AAA 

Web Tokens 

and Juniper ® Secure Access 

Integration Handbook 

Document Version 2.0 | Released | May 1, 2012

ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook 

Table of Contents 

List of Figures ............................................................................................................................................................. 3 

1.0 Introduction ....................................................................................................................................................... 4 

1.1 Scope of Document .................................................................................................................................... 4 

1.2 Prerequisites .............................................................................................................................................. 4 

2.0 Juniper Secure Access Configuration ............................................................................................................... 5 

2.1 Procedure 1: Create New LDAP Server Instance ...................................................................................... 5 

2.2 Procedure 2: Create New RADIUS Authentication Server ........................................................................ 7 

2.3 Procedure 3: Define Juniper User Role(s) ................................................................................................. 9 

2.4 Procedure 4: Define Juniper Authentication Realm ................................................................................... 9 

2.5 Procedure 5: Configure New Juniper Sign-In Page ................................................................................. 12 

2.6 Procedure 6: Juniper Sign-in Policies ...................................................................................................... 14 

3.0 ActivIdentity 4TRESS AAA Configuration ....................................................................................................... 16 

3.1 Procedure 1: Configure Juniper Gate ...................................................................................................... 16 

3.2 Procedure 2: Assigning Group(s) to the Juniper Gate ............................................................................. 18 

4.0 Configure for Soft Token Activation ................................................................................................................ 20 

4.1 Procedure 1: Enable Soft Token Activation ............................................................................................. 20 

4.2 Procedure 2: Configure Soft Token Activation Portal .............................................................................. 21 

5.0 Sample Authentication Using Web Soft Token Authentication ....................................................................... 24 

5.1 Prerequisite: User Enrolls Web Token and Computer ............................................................................. 24 

5.2 Scenario 1: Authenticating with Web Soft Token Launched in the Sign-In Page .................................... 26 

5.3 Scenario 2: Authentication with Hidden Web Soft Token Without PIN .................................................... 27 

P 2 

External Use | May 1, 2012 | © 2012 ActivIdentity


List of Figures 

FIGURE 1: Sample Juniper Sign-In Page ............................................................................................................ 12 

P 3 



1.0 Introduction 

The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and 

partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure 

access via a VPN over existing Internet connections requires strong, two-factor authentication to protect 

resources. The ActivIdentity solutions that work with Juniper Networks incorporate SSL VPN solutions with 

versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions: 

• ActivIdentity® 4TRESS AAA Server for Remote Access—Addresses the security risks associated 

with a mobile workforce remotely accessing systems and data. 

• ActivIdentity 4TRESS Authentication Server (AS)—Offers support for multiple authentication 

methods that are useful for diverse audiences across a variety of service channels (SAML, Radius, 

etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and 

transparent Web soft tokens. 

1.1 Scope of Document 

This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with the Juniper 

Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via a Web soft 

token for use with an SSL-protected Juniper VPN. 

1.2 Prerequisites 

• The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already 

configured. 

• Juniper SA version 7.1.x installed and configured. 

• The Web soft token is configured to work with or without a PIN. 

• Users have static LDAP passwords for access to the Self Help Desk to enroll web tokens. 

• The Juniper login page has been customized (illustrated in this handbook). 

• The ability to manage double authentication (LDAP, RADIUS) sequentially from the same sign-in 

page on the Juniper network. 

Note: Using Juniper double authentication (an LDAP password plus a one-time password) is optional. 

You can configure the sign-in page so that users do not have to use static LDAP passwords. 

P 4 



2.0 Juniper Secure Access Configuration 

This chapter describes how to manage Juniper Secure Access. When a user signs into a Juniper SA Series 

appliance, the user specifies an authentication realm, which is associated with a specific authentication server. 

The Juniper SA Series appliance forwards the user’s credentials to this authentication server to verify the user’s 

identity. 

You will create two authentication servers: 

• An LDAP Server to validate network passwords, and 

• An ActivIdentity 4TRESS AAA RADIUS Server to validate the user’s one time password generated by 

a Web token. 

2.1 Procedure 1: Create New LDAP Server Instance 

To define the LDAP Server instance, perform the following steps (this will create a new LDAP server instance on 

the SA Series SSL VPN appliance). 

Getting Started 

1. In the Admin 

console, expand the 

Authentication 

menu, and then 

click Auth. Servers. 

2. From the New drop-down list, select LDAP 

Server, and then click New Server. 

The following dialog is displayed. 

P 5 



• Name—Specify a name to identify the server instance. 

• LDAP Server—Specify the name or IP address of the LDAP server that the SA Series SSL 

VPN Appliance uses to validate your users. 

• LDAP Port—Specify the port on which the LDAP server listens. 

• Backup servers and ports—OPTIONAL—Specify parameters for backup LDAP servers. 

• LDAP Server Type—Specify the type of LDAP server against which you want to authenticate 

users. 

• Connection, Connection Timeout, Search Timeout—Accept the defaults. 

3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified 

LDAP server(s). 

P 6 



4. Select the option, Authentication required to search LDAP and enter the appropriate Admin DN and 

Password. 

5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and 

make sure that the Filter is correct (for example: samaccountname=). 

6. At the bottom of the dialog, click Save Changes (not illustrated). 

2.2 Procedure 2: Create New RADIUS Authentication Server 

When using an external RADIUS server to authenticate Juniper SA users, you must configure the server to 

recognize the Juniper SA as a client and specify a shared secret for the RADIUS server to use to authenticate the 

client request. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the 

following steps. 

Getting Started 

1. In the Admin 

console, expand the 

Authentication 

menu, and then 

click Auth. Servers. 

2. From the New drop-down list, select Radius Server, 

and then click New Server. 

The following dialog is displayed. 

P 7 



3. On the Settings tab, enter the following attributes. 

4. Click Save. 

• Name—Specify a name to identify the server instance. 

• NAS-Identifier—Optional. 

• Radius Server—Specify the name or IP address. 

• Authentication Port—Enter the authentication port value for the RADIUS server. Typically, 

this port is 1812. 

• Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS 

server to recognize the SA Series SSL VPN appliance as a client. 

• Accounting Port—Accept the default,1813. 

• Timeout—Accept the default, 30 seconds. 

• Retries—Accept the default, 0 seconds. 

P 8 



2.3 Procedure 3: Define Juniper User Role(s) 

A user role is an entity that defines user session parameters, personalization settings, and enabled access 

features. 

1. From the Admin console, expand the Users menu, point to User Roles, and then click New User Role. 

2. Configure the new user role according to your requirements. 

2.4 Procedure 4: Define Juniper Authentication Realm 

An authentication realm specifies the conditions that users must meet in order to sign into the SA Series 

appliance. A realm consists of a grouping of authentication resources. 

1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm. 

P 9 



2. On the General tab, enter the following attributes, and then select the following options. 

• Name—Enter a name to label this realm. 

• Description—Enter a meaningful description. 

• In the Servers section: 

• Select an option from the Authentication drop-down list to specify an authentication 

server to use for authenticating users who sign in to this realm (for example, the LDAP 

server). 

• Accept the default for Directory/Attribute (Same as above). 

• Accounting—Accept the default, None. 

• To submit secondary user credentials to enable two-factor authentication to access the 

Secure Access device, select the option, Additional authentication server. 

P 10 



• Authentication #2—Select 4TRESS AAA from the drop-down list (the name of the 

authentication server might be different). 

• By default, Secure Access submits the session variable that holds the same 

username used to sign in to the primary authentication server. To automatically submit a 

username to the secondary server, select the option, predefined as. 

• If you want to prompt the user to manually submit a password to the secondary server 

during the Secure Access sign-in process, then select the option, Password is specified 

by user on sign-in page. 

• Select the option, End session if authentication against this server fails. 

3. Click Save Changes (not illustrated). 

4. To configure one or more role mapping rules (based on the role defined previously), select the Role Mapping 

tab. 

P 11 



2.5 Procedure 5: Configure New Juniper Sign-In Page 

PIN usage is dependent on the custom page deployed. It is possible to hide the Web token, and in this case, it’s 

necessary to apply a Web token without PIN. The PIN would be replaced by the user’s LDAP password. 

Please call your ActivIdentity technical contact to obtain a sample page and to discuss possible combinations of 

PIN usage: 

• Username plus LDAP Password plus visible Web token plus PIN plus OTP generated by the Web 

token. 

• Username plus LDAP Password plus visible Web token without PIN plus OTP generated by the Web 

token. 

• Username plus LDAP Password plus hidden Web token without PIN plus OTP generated by the Web 

token hidden in the page. 

• Username plus visible Web token plus PIN plus OTP generated by the Web token. 

FIGURE 1: Sample Juniper Sign-In Page 

After you obtain a custom file, you can upload it directly using the Sign-in Pages tab (illustrated next). 

P 12 



1. From the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in 

Pages. 

2. Click Upload Custom Pages. 

P 13 



3. Enter an appropriate Name, select the Page Type option, Access, and then click the Browse button. 

4. Locate the custom page file and load it. 

5. Click Save Changes. 

2.6 Procedure 6: Juniper Sign-in Policies 

User sign-in policies also determine the realm(s) that users can access. 

1. To create or configure user sign-in policies, in the Admin console, expand the Authentication menu, point to 

Signing In, and then click Sign-in Policies. 

P 14 



2. To create a new sign-in policy, click New URL. 

3. In the Sign-in URL field that is displayed, enter the URL that you want to associate with the policy. Use the 

format /, where is the host name of the Secure Access device, and is any 

string you want users to enter. 

4. For Sign-in Page, select the sign-in page that you want to associate with the policy. 

5. For Authentication realm, specify which realm(s) map to the policy, and how users should pick from 

amongst realms. 

6. Click Save Changes. 

P 15 



3.0 ActivIdentity 4TRESS AAA Configuration 

This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server. 

3.1 Procedure 1: Configure Juniper Gate 

A gate for the 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify 

administration. For configuration details, refer to ActivIdentity 4TRESS AAA Server technical documentation. 

1. In the tree in the left pane of the Administration Console, expand the Servers line. 

2. Right-click on the server to which you want to add a gate, and click New Gate. 

3. Enter a Gate name (can be any string). 

4. Select the option, RADIUS, corresponding to the protocol your Juniper uses. 

5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate. 

6. Click Add, and then click OK. 

P 16 



7. The 4TRESS AAA Server uses the RADIUS shared secret to encrypt data between Juniper and the 4TRESS 

AAA authentication server. Click Shared Secret, and then modify the appropropriate shared secret for your 

system (see section 2.2 Procedure 2: Create New RADIUS Authentication Server on page 7). 

8. Click OK. 

P 17 



3.2 Procedure 2: Assigning Group(s) to the Juniper Gate 

Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to 

the ActivIdentity 4TRESS AAA Administration Guide. 

1. To assign groups to the Juniper Gate, in the tree in the left pane, select the group that you want to assign to 

the gate. 

2. Use the Group / Gate Assignments section of the page to specify gate(s) for the group’s users to utilize in 

order to access a protected resource. 

3. Click Add. 

P 18 



4. Select the Gate, the AZ profile. and the AC profile. 

5. Click OK. 

P 19 



4.0 Configure for Soft Token Activation 

4.1 Procedure 1: Enable Soft Token Activation 

1. Launch the ActivIdentity 4TRESS AAA Server Administration Console and log in. 

2. In the pane to the left, select Groups -> All Users. 

3. Select the option, Allow Soft Token activation option (for the corresponding group). 

4. Click Save (not illustrated), and then export the changes to the AAA Server(s). 

P 20 



4.2 Procedure 2: Configure Soft Token Activation Portal 

1. Launch the Web Help Desk Portal. 

2. Select the Login type option, static. 

3. Enter your Login and Password, and then click Login. 

P 21 



4. Select the Configuration tab. 

• Initial PIN—Set the PIN. 

• In the User Search method policy section, select By Groups or queries. 

• In the Device Management section, set the following options and parameters. 

• To activate the device assignment and unassignment functions of the Web Help Desk, 

select the option, Enable device assignment functions. 

• Select the option, Show initial PIN…. 

• To assign the same token to more than one user, select the option, Allow assign 

already assigned tokens. 

• To assign soft tokens, enter the Engine Soft Token init String for each type of soft 

token required. 

• Enter a string in the Engine Web Token init String field. 

Note: For more information about the init strings, refer to the ActivIdentity 4TRESS 

AAA Server Soft Token Solution Guide. 

• For Max number of soft tokens per user, set the maximum number of soft tokens that 

each user can be assigned. 

P 22 



If you do not want to use PIN’s, then apply the following: 

PIN = 1 (Enforced). Soft Token application PIN enforcement policy. 

PIN = 0 (No PIN) 

Note: Depending on the activation code, a soft token forces the PIN. 

For details on PIN usage, see section 2.5 Procedure 5: Configure New Juniper Sign-In Page on page 

12. 

It’s important to select an authentication policy (LDAP password at a minimum). By default, none are selected. 

5. In the Selfdesk portal self binding policy section, select the following options: 

• To activate device self assignment functions, select Enable initial self binding. 

• To activate additional device self assignment functions, select Enable self binding on 

additional device. For this setting to work, you must make sure that the LDAP attribute 

mapped to the device serial numbers is capable of storing multiple values. 

P 23 



5.0 Sample Authentication Using Web Soft Token Authentication 

5.1 Prerequisite: User Enrolls Web Token and Computer 

1. The user launches the Self Help Desk to enroll a Web token and computer. 

2. When prompted, the user selects the LDAP password option, and then enters a username. 

3. The user clicks Activate an additional device. 

P 24 



4. The user clicks Web Token. 

5. The user enters and confirms a PIN and enters a Description (the use has to enter the PIN only if the system 

is configured to ask for it.) A confirmation is displayed. 

Now the user can use the Web token to access a Juniper Realms. 

P 25 



5.2 Scenario 1: Authenticating with Web Soft Token Launched in the Sign-In Page 

Notes about this scenario: 

• You must have customized the Sign-In Page to launch the Web token as an HTML page. To receive 

a sample page, please contact your ActivIdentity technical representative. 

• A user must have activated a Web soft token on his/her computer. 

• You can use a Web token with a PIN or without a PIN. 

• You can use an LDAP password to replace the PIN or to complement it (depending on Juniper 

configuration). 

For details on how authenticating with a Web soft token works, please refer to 4TRESS AAA documentation. 

P 26 



5.3 Scenario 2: Authentication with Hidden Web Soft Token Without PIN 

Notes about this scenario: 

You must have customized the Sign-In page to hide the Web token in the HTML page and to automatically copy 

and paste the one-time password in a hidden field in the HTML page. To receive a sample page, please contact 

your ActivIdentity technical representative. 

• A user must have activated a Web soft token on his/her computer. 

• You can use a Web token without a PIN. 

• You must use an LDAP password to replace the PIN. 

P 27 



Americas +1 510.574.0100 

US Federal +1 571.522.1000 

Europe +33 (0) 1.42.04.84.00 

Asia Pacific +61 (0) 2.6208.4888 

Email info@actividentity.com 

Web www.actividentity.com 

Legal Disclaimer 

ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced 

herein are either registered trademarks or trademarks of HID Global Corporation in the United 

States and/or other countries. The absence of a mark, product, service name or logo from this 

list does not constitute a waiver of the trademark or other intellectual property rights concerning 

that name or logo. Juniper Networks and the Juniper Networks logo are registered trademarks 

of Juniper Networks, Inc. in the United States and other countries.The names of other thirdparty 

companies, trademarks, trade names, service marks, images and/or products that 

happened to be mentioned herein are trademarks of their respective owners. Any rights not 

expressly granted herein are reserved. 

P 28

Juniper and AAA Server - HID Global

Create successful ePaper yourself

Delete template?

Save as template?