PingID Administration Guide

Configuring Juniper as first factor authentication

Configure Juniper 8.0 as the first-factor ID provider using LDAP and PingFederate with PingID RADIUS password credential validator (PCV) as the second factor.

Steps

  1. Configure PingFederate with a PingID RADIUS PCV, and leave the Delegate PCV section empty.

    For more information, see Integration for devices using a RADIUS server.

    A screen capture of Create Credential Validator Instance window in the PingFederate administrative console.

  2. In the Juniper admin portal, create and configure the PingID RADIUS configuration.

    For more information, see Configuring Juniper for PingID multi-factor authentication.

  3. Go to Authentication → Authentication Servers. A screen capture of the Authentication Servers window in the Juniper UI.

  4. From the New drop-down list, select LDAP Server, and then click New Server.

  5. In the Settings tab, complete the following fields:

    1. In the Name field, enter a name for the server.

    2. In the LDAP Server field, enter the IP address or hostname of the LDAP server.

    3. In the LDAP Port field, keep the default value of 389, or change it according to the LDAP configuration.

    4. From the LDAP Server Type list, select Active Directory.

    5. From the Connection options, keep the default value of Unencrypted, or change it to match the LDAP configuration.

    6. In the Connection Timeout field, enter 30.

    7. In the Search Timeout field, enter 90.

    8. Leave all other fields empty.

      A screen capture of the New Authentication Server window in the Juniper UI.

  6. To confirm that the connection is valid before continuing, click Test Connection.

  7. In the Authentication Required? section, complete the following fields:

    1. Select the Authentication Required to Search LDAP check box.

    2. In the Admin DN field, enter the admin DN.

      For example, CN=Administrator, CN=Users, DC=Accells, DC=Lab.

    3. In the Password field, enter the admin password.

      A screen capture of the Authentication Required? section in the Juniper UI. The Authentication required to search LDAP check box is selected. The Admin DN field shows the example DN: CN=Administrator, CN=Users, DC=Accells, DC=Lab. The Password field shows an obfuscated password example.

  8. In the Finding User Entries section, complete the following fields:

    1. In the Base DN field, enter the Base DN.

      For example, CN=Users, DC=Accells, DC=Lab.

    2. In the Filter field, enter samaccountname=<USER>.

      A screen capture of the Finding User Entries section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field has an asterisk next to it and shows the value samaccountname=<USER>.

  9. In the Determining Group Membership section, complete the following fields:

    1. In the Base DN field, enter the Base DN.

    For example, CN=Users, DC=Accells, DC=Lab.

    1. In the Filter field, enter CN=<GROUPNAME>

    2. In the Member Attribute field, enter member.

      A screen capture of the Determining Group Membership section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field shows the value CN=<GROUPNAME>. The Member Attribute field shows the value member. After the Member Attribute field is a check box for Reverse group search. This check box is not selected. The Query Attribute field is blank. The Nested Group Level field shows a value of 0. The Nested Group Search shows two radio button options for Nested groups in Server Catalog and Search all nested groups. The Nested groups in Server Catalog button is clicked.

  10. Click Save Changes.

  11. Go to Authentication → Signing In → Sign-in Policies, and ensure that the first entry on the User URLs list is */. A screen capture of the Sign-in Policies tab in the Juniper UI. There are three URL lists: Administrator URLs, User URLs, and Meeting URLs. In the User URLs list, */ is the first entry and has the Authentication Realm for Users.

    This differs from the instructions in the RADIUS PCV documentation.

  12. Go to Users → User Realms → Users and in the Servers section, complete the following fields:

    1. From the Authentication list, choose the LDAP authentication server created earlier.

    For example, local_LDAP.

    1. From the User Directory/Attribute list, select Same as Above.

    2. From the Accounting list, select the Juniper RADIUS authentication server created earlier.

      For example, PingID_Radius.

      A screen capture of the Servers section in the Juniper UI. The Authentication field shows local_LDAP selected. The User Directory/Attribute field shows Same as Above selected. The Accounting field shows PingID_Radius selected. The Device Attributes field shows None selected.

  13. Select the Additional Authentication Server check box, and then complete the following fields:

    1. From the Authentication #2 list, select the Juniper RADIUS authentication server created earlier.

    For example, PingID_RADIUS.

    1. In the Username is: section, click Predefined as and enter <USERNAME>.

    2. In the Password is: section, click Predefined as and enter <PASSWORD>.

    3. Select the End Session if Authentication Against this Server Fails check box.

      A screen capture of the Additional Authentication Server section in the Juniper UI. The Authentication #2 field shows PingID_Radius selected. The Username is section shows two radio button options for specified by user on sign-in page and predefined as. The predefined as button is clicked and the predefined as field shows <USERNAME>. The Pasword is section shows two radio button options for specified by user on sign-in page and predefined as. This section also has a check box for End session if authentication against this server fails. The button for predefined as is clicked and the predefined as field shows <PASSWORD>. The End session if authentication against this server fails check box is selected.

  14. Click Save Changes.

  15. To sign on to Juniper while using the Juniper LDAP configuration as the first-factor for authentication, use the default user URL.

    Example:

    https://<juniper IP>, https://<juniper hostname>, or https://10.8.1.240/