Juniper and AAA Server - HID Global
ActivIdentity® 4TRESS AAA Web Tokens and Juniper® Secure Access<br />
Integration Handbook<br />
Document Version 2.0 | Released | May 1, 2012
ActivIdentity 4TRESS AAA Web Tokens and Juniper Secure Access | Integration Handbook<br />
Table of Contents<br />
List of Figures<br />
1.0 Introduction<br />
1.1 Scope of Document<br />
1.2 Prerequisites<br />
2.0 Juniper Secure Access Configuration<br />
2.1 Procedure 1: Create New LDAP Server Instance<br />
2.2 Procedure 2: Create New RADIUS Authentication Server<br />
2.3 Procedure 3: Define Juniper User Role(s)<br />
2.4 Procedure 4: Define Juniper Authentication Realm<br />
2.5 Procedure 5: Configure New Juniper Sign-In Page<br />
2.6 Procedure 6: Juniper Sign-in Policies<br />
3.0 ActivIdentity 4TRESS AAA Configuration<br />
3.1 Procedure 1: Configure Juniper Gate<br />
3.2 Procedure 2: Assigning Group(s) to the Juniper Gate<br />
4.0 Configure for Soft Token Activation<br />
4.1 Procedure 1: Enable Soft Token Activation<br />
4.2 Procedure 2: Configure Soft Token Activation Portal<br />
5.0 Sample Authentication Using Web Soft Token Authentication<br />
5.1 Prerequisite: User Enrolls Web Token and Computer<br />
5.2 Scenario 1: Authenticating with Web Soft Token Launched in the Sign-In Page<br />
5.3 Scenario 2: Authentication with Hidden Web Soft Token Without PIN<br />
P 2<br />
External Use | May 1, 2012 | © 2012 ActivIdentity
List of Figures<br />
FIGURE 1: Sample Juniper Sign-In Page<br />
1.0 Introduction<br />
The Juniper® Networks SA Series SSL VPN Appliances enable remote and mobile employees, customers, and<br />
partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure<br />
access via a VPN over existing Internet connections requires strong, two-factor authentication to protect<br />
resources. The ActivIdentity solutions that work with Juniper Networks combine the SSL VPN with<br />
versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:<br />
• ActivIdentity® 4TRESS AAA Server for Remote Access—Addresses the security risks associated<br />
with a mobile workforce remotely accessing systems and data.<br />
• ActivIdentity 4TRESS Authentication Server (AS)—Offers support for multiple authentication<br />
methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS,<br />
etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and<br />
transparent Web soft tokens.<br />
1.1 Scope of Document<br />
This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with the Juniper<br />
Networks Secure Access (SA) Series of appliances. Use this handbook to enable authentication via a Web soft<br />
token for use with an SSL-protected Juniper VPN.<br />
1.2 Prerequisites<br />
• The ActivIdentity 4TRESS AAA Server is up to date (v6.7), with LDAP users and groups already<br />
configured.<br />
• Juniper SA version 7.1.x is installed and configured.<br />
• The Web soft token is configured to work with or without a PIN.<br />
• Users have static LDAP passwords for access to the Self Help Desk to enroll Web tokens.<br />
• The Juniper sign-in page has been customized (illustrated in this handbook).<br />
• The Juniper appliance can run double authentication (LDAP, then RADIUS) sequentially from the same sign-in<br />
page.<br />
Note: Using Juniper double authentication (an LDAP password plus a one-time password) is optional.<br />
You can configure the sign-in page so that users do not have to enter static LDAP passwords; in that case the<br />
Web token must be used with a PIN, so that a knowledge factor still accompanies the token (see section 2.5).<br />
2.0 Juniper Secure Access Configuration<br />
This chapter describes how to configure Juniper Secure Access. When a user signs in to a Juniper SA Series<br />
appliance, the user specifies an authentication realm, which is associated with a specific authentication server.<br />
The Juniper SA Series appliance forwards the user's credentials to this authentication server to verify the user's<br />
identity.<br />
You will create two authentication servers:<br />
• An LDAP Server to validate network passwords, and<br />
• An ActivIdentity 4TRESS AAA RADIUS Server to validate the one-time password generated by the user's<br />
Web token.<br />
2.1 Procedure 1: Create New LDAP Server Instance<br />
To define the LDAP Server instance, perform the following steps (this creates a new LDAP server instance on<br />
the SA Series SSL VPN appliance).<br />
Getting Started<br />
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.<br />
2. From the New drop-down list, select LDAP Server, and then click New Server.<br />
The following dialog is displayed.<br />
• Name—Specify a name to identify the server instance.<br />
• LDAP Server—Specify the name or IP address of the LDAP server that the SA Series SSL<br />
VPN Appliance uses to validate your users.<br />
• LDAP Port—Specify the port on which the LDAP server listens.<br />
• Backup servers and ports—OPTIONAL—Specify parameters for backup LDAP servers.<br />
• LDAP Server Type—Specify the type of LDAP server against which you want to authenticate<br />
users.<br />
• Connection, Connection Timeout, Search Timeout—This handbook accepts the defaults. Because user<br />
passwords and the Admin DN credentials (step 4) cross this link, prefer LDAPS or Start TLS over the<br />
unencrypted default where your directory supports it, and set LDAP Port to match.<br />
3. Click Test Connection to verify the connection between the SA Series SSL VPN appliance and the specified<br />
LDAP server(s).<br />
4. Select the option, Authentication required to search LDAP, and enter the appropriate Admin DN and<br />
Password.<br />
5. In the Finding user entries section, specify a Base DN from which to begin searching for user entries, and<br />
make sure that the Filter is correct (for example: samaccountname=&lt;USER&gt;, where the appliance replaces<br />
&lt;USER&gt; with the name the user enters at sign-in).<br />
6. At the bottom of the dialog, click Save Changes (not illustrated).<br />
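The Filter in step 5 is a template: the name the user types at sign-in is substituted into it before the appliance<br />
searches under the Base DN. The following is an added example (not code from this handbook, from Juniper or from<br />
ActivIdentity) of that substitution done with RFC 4515 escaping, so that a name containing filter metacharacters stays<br />
a literal value instead of altering the query. It assumes Juniper's &lt;USER&gt; spelling of the placeholder; the<br />
template, base DN and usernames are constructed sample values, and how the appliance itself performs the<br />
substitution is not shown on this page.<br />

```python
"""Expanding an LDAP user-filter template with RFC 4515 escaping of the username.

Added example; not code from the handbook, from Juniper or from ActivIdentity.
The <USER> placeholder spelling, the template and the usernames are assumptions
constructed for the demonstration.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Exactly one (attribute=value) test and nothing else; the value may contain \xx escapes.
_SINGLE_EQUALITY = re.compile(
    r"\([A-Za-z][A-Za-z0-9.;-]*=(?:[^()*\\]|\\[0-9a-fA-F]{2})+\)"
)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _wrap(expanded: str) -> str:
    # The console accepts the filter with or without outer parentheses;
    # normalise so the result is always a complete filter string.
    return expanded if expanded.startswith("(") else f"({expanded})"


def expand_user_filter_naive(template: str, username: str) -> str:
    """Substitution without escaping: shown only to make the hazard visible."""
    return _wrap(template.replace("<USER>", username))


def expand_user_filter(template: str, username: str) -> str:
    """Safe substitution: every <USER> placeholder becomes the escaped username."""
    if "<USER>" not in template:
        raise ValueError("filter template has no <USER> placeholder")
    return _wrap(template.replace("<USER>", escape_filter_value(username)))


def is_single_equality_match(filt: str) -> bool:
    """True if the expanded filter still tests exactly one attribute for one value."""
    return _SINGLE_EQUALITY.fullmatch(filt) is not None


if __name__ == "__main__":
    template = "samaccountname=<USER>"
    for name in ("alice", "*)(objectClass=*"):          # constructed sample names
        print(f"{name!r:22} naive: {expand_user_filter_naive(template, name)}")
        print(f"{'':22} safe:  {expand_user_filter(template, name)}")
```

Run stand-alone, the block prints the naive and escaped expansions side by side; is_single_equality_match is the check<br />
to apply to whatever the template produces before it is sent to the directory.<br />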
2.2 Procedure 2: Create New RADIUS Authentication Server<br />
When using an external RADIUS server to authenticate Juniper SA users, you must configure that server to<br />
recognize the Juniper SA as a client and specify a shared secret that the RADIUS server uses to authenticate the<br />
client's requests. To configure a connection to the RADIUS server on an SA Series SSL VPN appliance, perform the<br />
following steps.<br />
Getting Started<br />
1. In the Admin console, expand the Authentication menu, and then click Auth. Servers.<br />
2. From the New drop-down list, select Radius Server, and then click New Server.<br />
The following dialog is displayed.<br />
3. On the Settings tab, enter the following attributes.<br />
• Name—Specify a name to identify the server instance.<br />
• NAS-Identifier—Optional.<br />
• Radius Server—Specify the name or IP address.<br />
• Authentication Port—Enter the authentication port value for the RADIUS server. Typically,<br />
this port is 1812.<br />
• Shared Secret—Enter a string. You will also enter this string when configuring the RADIUS<br />
server to recognize the SA Series SSL VPN appliance as a client (section 3.1). Use a long, random value:<br />
the secret is all that authenticates RADIUS packets and hides the one-time password in transit.<br />
• Accounting Port—Accept the default, 1813.<br />
• Timeout—Accept the default, 30 seconds.<br />
• Retries—Accept the default, 0.<br />
4. Click Save.<br />
2.3 Procedure 3: Define Juniper User Role(s)<br />
A user role is an entity that defines user session parameters, personalization settings, and enabled access<br />
features.<br />
1. From the Admin console, expand the Users menu, point to User Roles, and then click New User Role.<br />
2. Configure the new user role according to your requirements.<br />
2.4 Procedure 4: Define Juniper Authentication Realm<br />
An authentication realm specifies the conditions that users must meet in order to sign in to the SA Series<br />
appliance. A realm consists of a grouping of authentication resources.<br />
1. From the Admin console, expand the Users menu, point to User Realms, and then click New User Realm.<br />
2. On the General tab, enter the following attributes, and then select the following options.<br />
• Name—Enter a name to label this realm.<br />
• Description—Enter a meaningful description.<br />
• In the Servers section:<br />
• Select an option from the Authentication drop-down list to specify the authentication<br />
server to use for authenticating users who sign in to this realm (for example, the LDAP<br />
server created in Procedure 1).<br />
• Accept the default for Directory/Attribute (Same as above).<br />
• Accounting—Accept the default, None.<br />
• To submit secondary user credentials, and so require two-factor authentication to access the<br />
Secure Access device, select the option, Additional authentication server.<br />
• Authentication #2—Select 4TRESS AAA from the drop-down list (the name of the<br />
authentication server might be different, depending on what you entered in Procedure 2).<br />
• By default, Secure Access submits the session variable that holds the same<br />
username used to sign in to the primary authentication server. To automatically submit a<br />
username to the secondary server, select the option, predefined as.<br />
• If you want to prompt the user to manually submit a password to the secondary server<br />
during the Secure Access sign-in process, then select the option, Password is specified<br />
by user on sign-in page. For this integration, that password is the one-time password from the Web token.<br />
• Select the option, End session if authentication against this server fails. Without it, a failed<br />
one-time password check does not block sign-in, and the realm degrades to the LDAP password alone.<br />
3. Click Save Changes (not illustrated).<br />
4. To configure one or more role mapping rules (based on the role defined previously), select the Role Mapping<br />
tab.<br />
2.5 Procedure 5: Configure New Juniper Sign-In Page<br />
PIN usage depends on the custom page deployed. It is possible to hide the Web token; in that case you<br />
must use a Web token without a PIN, and the user's LDAP password takes the place of the PIN as the knowledge<br />
factor. Every supported combination pairs the enrolled Web token (something the user has) with either a PIN or<br />
the LDAP password (something the user knows); do not deploy a hidden, PIN-less token without the LDAP password step.<br />
Please call your ActivIdentity technical contact to obtain a sample page and to discuss possible combinations of<br />
PIN usage:<br />
• Username plus LDAP Password plus visible Web token plus PIN plus OTP generated by the Web<br />
token.<br />
• Username plus LDAP Password plus visible Web token without PIN plus OTP generated by the Web<br />
token.<br />
• Username plus LDAP Password plus hidden Web token without PIN plus OTP generated by the Web<br />
token hidden in the page.<br />
• Username plus visible Web token plus PIN plus OTP generated by the Web token.<br />
FIGURE 1: Sample Juniper Sign-In Page<br />
After you obtain a custom file, you can upload it directly using the Sign-in Pages tab (illustrated next).<br />
1. From the Admin console, expand the Authentication menu, point to Signing In, and then click Sign-in<br />
Pages.<br />
2. Click Upload Custom Pages.<br />
3. Enter an appropriate Name, select the Page Type option, Access, and then click the Browse button.<br />
4. Locate the custom page file and load it.<br />
5. Click Save Changes.<br />
2.6 Procedure 6: Juniper Sign-in Policies<br />
User sign-in policies also determine the realm(s) that users can access.<br />
1. To create or configure user sign-in policies, in the Admin console, expand the Authentication menu, point to<br />
Signing In, and then click Sign-in Policies.<br />
2. To create a new sign-in policy, click New URL.<br />
3. In the Sign-in URL field that is displayed, enter the URL that you want to associate with the policy. Use the<br />
format &lt;host&gt;/&lt;path&gt;, where &lt;host&gt; is the host name of the Secure Access device, and &lt;path&gt; is any<br />
string you want users to enter.<br />
4. For Sign-in Page, select the custom sign-in page uploaded in Procedure 5.<br />
5. For Authentication realm, specify which realm(s) map to the policy, and how users should pick from<br />
amongst realms.<br />
6. Click Save Changes.<br />
3.0 ActivIdentity 4TRESS AAA Configuration<br />
This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server.<br />
3.1 Procedure 1: Configure Juniper Gate<br />
A gate for the 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify<br />
administration. For configuration details, refer to the ActivIdentity 4TRESS AAA Server technical documentation.<br />
1. In the tree in the left pane of the Administration Console, expand the Servers line.<br />
2. Right-click the server to which you want to add a gate, and click New Gate.<br />
3. Enter a Gate name (can be any string).<br />
4. Select the option, RADIUS, which is the protocol your Juniper appliance uses.<br />
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate. Restrict it to the<br />
address(es) of the SA appliance so that only that appliance can submit RADIUS requests through this gate.<br />
6. Click Add, and then click OK.<br />
7. The 4TRESS AAA Server uses the RADIUS shared secret to authenticate the packets exchanged with Juniper and<br />
to hide the password attribute that carries the one-time password; the rest of each RADIUS packet is not encrypted.<br />
Click Shared Secret, and then enter the same shared secret you configured on the appliance (see section 2.2<br />
Procedure 2: Create New RADIUS Authentication Server).<br />
8. Click OK.<br />
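The shared secret entered in section 2.2 (appliance side) and in step 7 above (gate side) is worth seeing on the wire.<br />
The following is an added example, not code from this handbook, from ActivIdentity or from Juniper: a minimal<br />
RFC 2865 Access-Request / Access-Accept exchange in which the NAS (the SA appliance's role) hides the one-time<br />
password under an MD5 keystream derived from the secret and a random Request Authenticator, and the server proves<br />
it knows the secret by signing its reply with a Response Authenticator that the NAS verifies before trusting an<br />
Accept. The user name, OTP, NAS-Identifier and secret are constructed sample values.<br />

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) and the shared secret.

Added example; not code from the handbook, from ActivIdentity or from Juniper.
All names, the OTP and the secret are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types
HEADER = struct.Struct("!BBH")                        # code, identifier, length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret to recover the OTP."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: list[tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t], i = data[i + 2:i + length], i + length
    return attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_request(user: str, otp: str, secret: bytes, ident: int,
                         nas_id: str = "juniper-sa") -> bytes:
    """NAS side (the SA appliance): one Access-Request carrying the OTP as User-Password."""
    request_auth = os.urandom(16)          # fresh per request; it keys the password hiding
    attrs = encode_attrs([(USER_NAME, user.encode()),
                          (USER_PASSWORD, hide_password(otp.encode(), secret, request_auth)),
                          (NAS_IDENTIFIER, nas_id.encode())])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet: bytes, secret: bytes, expected_otps: dict[str, str]) -> bytes:
    """AAA server side: recover the OTP, check it, and sign the reply with the secret."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], decode_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    otp = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in expected_otps and hmac.compare_digest(otp, expected_otps[user].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return HEADER.pack(reply_code, ident, 20) + auth


def client_result(request: bytes, reply: bytes, secret: bytes) -> str:
    """NAS side: 'accept' or 'reject' only for an authentic reply, otherwise 'forged'."""
    code, ident, length = HEADER.unpack(reply[:4])
    if ident != request[1] or length != len(reply):
        return "forged"
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "forged")


if __name__ == "__main__":
    secret = b"constructed-long-random-secret"
    req = build_access_request("alice", "482913", secret, ident=7)
    print(client_result(req, server_handle(req, secret, {"alice": "482913"}), secret))
```

client_result is why the secret has to be long, random and unique per NAS: the MD5 construction is not authenticated<br />
encryption, a captured Access-Request can be tested offline against guesses of a weak secret, and a forged reply is<br />
only caught because the NAS recomputes the Response Authenticator. Pair the secret with the gate's Authorized IP<br />
addresses filter (step 5) so that only the appliance can reach the gate at all.<br />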
3.2 Procedure 2: Assigning Group(s) to the Juniper Gate<br />
Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to<br />
the ActivIdentity 4TRESS AAA Administration Guide.<br />
1. To assign groups to the Juniper Gate, in the tree in the left pane, select the group that you want to assign to<br />
the gate.<br />
2. Use the Group / Gate Assignments section of the page to specify the gate(s) through which the group's users<br />
may authenticate in order to access a protected resource.<br />
3. Click Add.<br />
4. Select the Gate, the AZ profile, and the AC profile.<br />
5. Click OK.<br />
4.0 Configure for Soft Token Activation<br />
4.1 Procedure 1: Enable Soft Token Activation<br />
1. Launch the ActivIdentity 4TRESS AAA Server Administration Console and log in.<br />
2. In the pane to the left, select Groups -> All Users.<br />
3. Select the option, Allow Soft Token activation (for the corresponding group).<br />
4. Click Save (not illustrated), and then export the changes to the AAA Server(s).<br />
4.2 Procedure 2: Configure Soft Token Activation Portal<br />
1. Launch the Web Help Desk Portal.<br />
2. Select the Login type option, static.<br />
3. Enter your Login and Password, and then click Login.<br />
4. Select the Configuration tab.<br />
• Initial PIN—Set the PIN.<br />
• In the User Search method policy section, select By Groups or queries.<br />
• In the Device Management section, set the following options and parameters.<br />
• To activate the device assignment and unassignment functions of the Web Help Desk,<br />
select the option, Enable device assignment functions.<br />
• Select the option, Show initial PIN….<br />
• To allow the same token to be assigned to more than one user, select the option, Allow assign<br />
already assigned tokens. Leave this cleared unless you need it; a token shared between users no longer<br />
identifies one person.<br />
• To assign soft tokens, enter the Engine Soft Token init String for each type of soft<br />
token required.<br />
• Enter a string in the Engine Web Token init String field.<br />
Note: For more information about the init strings, refer to the ActivIdentity 4TRESS<br />
AAA Server Soft Token Solution Guide.<br />
• For Max number of soft tokens per user, set the maximum number of soft tokens that<br />
each user can be assigned.<br />
If you do not want to use PINs, set the PIN enforcement policy of the soft token application accordingly:<br />
• PIN = 1 (Enforced): the soft token application requires a PIN.<br />
• PIN = 0 (No PIN): the soft token works without a PIN.<br />
Note: Whether a soft token enforces the PIN is determined by the activation code it was activated with.<br />
For details on PIN usage, see section 2.5 Procedure 5: Configure New Juniper Sign-In Page.<br />
It is important to select an authentication policy (LDAP password at a minimum). By default, none is selected.<br />
5. In the Selfdesk portal self binding policy section, select the following options:<br />
• To activate device self assignment functions, select Enable initial self binding.<br />
• To activate additional device self assignment functions, select Enable self binding on<br />
additional device. For this setting to work, you must make sure that the LDAP attribute<br />
mapped to the device serial numbers is capable of storing multiple values.<br />
5.0 Sample Authentication Using Web Soft Token Authentication<br />
5.1 Prerequisite: User Enrolls Web Token and Computer<br />
1. The user launches the Self Help Desk to enroll a Web token and computer.<br />
2. When prompted, the user selects the LDAP password option, and then enters a username.<br />
3. The user clicks Activate an additional device.<br />
4. The user clicks Web Token.<br />
5. The user enters and confirms a PIN and enters a Description (the user has to enter the PIN only if the system<br />
is configured to ask for it). A confirmation is displayed.<br />
Now the user can use the Web token to access a Juniper realm.<br />
5.2 Scenario 1: Authenticating with Web Soft Token Launched in the Sign-In Page<br />
Notes about this scenario:<br />
• You must have customized the Sign-In Page to launch the Web token as an HTML page. To receive<br />
a sample page, please contact your ActivIdentity technical representative.<br />
• A user must have activated a Web soft token on his/her computer.<br />
• You can use a Web token with a PIN or without a PIN.<br />
• You can use an LDAP password to replace the PIN or to complement it (depending on the Juniper<br />
configuration).<br />
For details on how authenticating with a Web soft token works, please refer to the 4TRESS AAA documentation.<br />
5.3 Scenario 2: Authentication with Hidden Web Soft Token Without PIN<br />
Notes about this scenario:<br />
• You must have customized the Sign-In page to hide the Web token in the HTML page and to automatically copy<br />
the one-time password into a hidden field in the HTML page. To receive a sample page, please contact<br />
your ActivIdentity technical representative.<br />
• A user must have activated a Web soft token on his/her computer.<br />
• You can use a Web token without a PIN.<br />
• You must use an LDAP password to replace the PIN: with the token hidden and no PIN, the LDAP password is the<br />
only factor the user supplies, and the enrolled computer is the other.<br />
Americas +1 510.574.0100<br />
US Federal +1 571.522.1000<br />
Europe +33 (0) 1.42.04.84.00<br />
Asia Pacific +61 (0) 2.6208.4888<br />
Email info@actividentity.com<br />
Web www.actividentity.com<br />
Legal Disclaimer<br />
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced<br />
herein are either registered trademarks or trademarks of HID Global Corporation in the United<br />
States and/or other countries. The absence of a mark, product, service name or logo from this<br />
list does not constitute a waiver of the trademark or other intellectual property rights concerning<br />
that name or logo. Juniper Networks and the Juniper Networks logo are registered trademarks<br />
of Juniper Networks, Inc. in the United States and other countries. The names of other third-party<br />
companies, trademarks, trade names, service marks, images and/or products that<br />
happen to be mentioned herein are trademarks of their respective owners. Any rights not<br />
expressly granted herein are reserved.<br />