---
title: Configuring Juniper as first factor authentication
description: Configure Juniper 8.0 as the first-factor ID provider using LDAP and PingFederate with PingID RADIUS password credential validator (PCV) as the second factor.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_juniper_as_first_factor_authentication
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_juniper_as_first_factor_authentication.html
revdate: January 27, 2024
section_ids:
  steps: Steps
  example: Example:
---

# Configuring Juniper as first factor authentication

Configure Juniper 8.0 as the first-factor ID provider using LDAP and PingFederate with PingID RADIUS password credential validator (PCV) as the second factor.

## Steps

1. Configure PingFederate with a PingID RADIUS PCV, and leave the **Delegate PCV** section empty.

   For more information, see [Integration for devices using a RADIUS server](pid_integration_devices_radius_server.html).

   ![A screen capture of Create Credential Validator Instance window in the PingFederate administrative console.](_images/ocy1564020858119.png)

2. In the Juniper admin portal, create and configure the PingID RADIUS configuration.

   For more information, see [Configuring Juniper for PingID multi-factor authentication](pid_configuring_juniper_for_multifactor_authentication.html).

3. Go to **Authentication → Authentication Servers**.

   ![A screen capture of the Authentication Servers window in the Juniper UI.](_images/lcy1564021021870.png)

4. From the **New** drop-down list, select **LDAP Server**, and then click **New Server**.

5. In the **Settings** tab, complete the following fields:

   1. In the **Name** field, enter a name for the server.

   2. In the **LDAP Server** field, enter the IP address or hostname of the LDAP server.

   3. In the **LDAP Port** field, keep the default value of `389`, or change it according to the LDAP configuration.

   4. From the **LDAP Server Type** list, select **Active Directory**.

   5. From the **Connection** options, keep the default value of `Unencrypted`, or change it to match the LDAP configuration.

   6. In the **Connection Timeout** field, enter `30`.

   7. In the **Search Timeout** field, enter `90`.

   8. Leave all other fields empty.

      ![A screen capture of the New Authentication Server window in the Juniper UI.](_images/doy1564021024428.png)

6. To confirm that the connection is valid before continuing, click **Test Connection**.

7. In the **Authentication Required?** section, complete the following fields:

   1. Select the **Authentication Required to Search LDAP** check box.

   2. In the **Admin DN** field, enter the admin DN.

      For example, `CN=Administrator, CN=Users, DC=Accells, DC=Lab`.

   3. In the **Password** field, enter the admin password.

      ![A screen capture of the Authentication Required? section in the Juniper UI. The Authentication required to search LDAP check box is selected. The Admin DN field shows the example DN: CN=Administrator, CN=Users, DC=Accells, DC=Lab. The Password field shows an obfuscated password example.](_images/jhv1564021026116.png)

8. In the **Finding User Entries** section, complete the following fields:

   1. In the **Base DN** field, enter the Base DN.

      For example, `CN=Users, DC=Accells, DC=Lab`.

   2. In the **Filter** field, enter `samaccountname=<USER>`.

      ![A screen capture of the Finding User Entries section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field has an asterisk next to it and shows the value samaccountname=\<USER>.](_images/mto1564021027137.png)

9. In the **Determining Group Membership** section, complete the following fields:

   1. In the **Base DN** field, enter the Base DN.

      For example, `CN=Users, DC=Accells, DC=Lab`.

   2. In the **Filter** field, enter `CN=<GROUPNAME>`.

   3. In the **Member Attribute** field, enter `member`.

      ![A screen capture of the Determining Group Membership section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field shows the value CN=\<GROUPNAME>. The Member Attribute field shows the value member. After the Member Attribute field is a check box for Reverse group search. This check box is not selected. The Query Attribute field is blank. The Nested Group Level field shows a value of 0. The Nested Group Search shows two radio button options for Nested groups in Server Catalog and Search all nested groups. The Nested groups in Server Catalog button is clicked.](_images/trh1564021028217.png)

10. Click **Save Changes**.

11. Go to **Authentication → Signing In → Sign-in Policies**, and ensure that the first entry on the **User URLs** list is `*/`.

    ![A screen capture of the Sign-in Policies tab in the Juniper UI. There are three URL lists: Administrator URLs, User URLs, and Meeting URLs. In the User URLs list, \*/ is the first entry and has the Authentication Realm for Users.](_images/iei1564021030635.png)

    **Note:** This differs from the instructions in the RADIUS PCV documentation.

12. Go to **Users → User Realms → Users** and in the **Servers** section, complete the following fields:

    1. From the **Authentication** list, choose the LDAP authentication server created earlier.

        For example, **local\_LDAP**.

    2. From the **User Directory/Attribute** list, select **Same as Above**.

    3. From the **Accounting** list, select the Juniper RADIUS authentication server created earlier.

       For example, **PingID\_Radius**.

       ![A screen capture of the Servers section in the Juniper UI. The Authentication field shows local\_LDAP selected. The User Directory/Attribute field shows Same as Above selected. The Accounting field shows PingID\_Radius selected. The Device Attributes field shows None selected.](_images/wav1564021034006.png)

13. Select the **Additional Authentication Server** check box, and then complete the following fields:

    1. From the **Authentication #2** list, select the Juniper RADIUS authentication server created earlier.

        For example, **PingID\_RADIUS**.

    2. In the **Username is:** section, click **Predefined as** and enter `<USERNAME>`.

    3. In the **Password is:** section, click **Predefined as** and enter `<PASSWORD>`.

    4. Select the **End Session if Authentication Against this Server Fails** check box.

       ![A screen capture of the Additional Authentication Server section in the Juniper UI. The Authentication #2 field shows PingID\_Radius selected. The Username is section shows two radio button options for specified by user on sign-in page and predefined as. The predefined as button is clicked and the predefined as field shows \<USERNAME>. The Password is section shows two radio button options for specified by user on sign-in page and predefined as. This section also has a check box for End session if authentication against this server fails. The button for predefined as is clicked and the predefined as field shows \<PASSWORD>. The End session if authentication against this server fails check box is selected.](_images/mrc1564021035022.png)

14. Click **Save Changes**.

15. To sign on to Juniper using the Juniper LDAP configuration as the first factor for authentication, use the default user URL.

    ### Example:

    `https://<juniper IP>`, `https://<juniper hostname>`, or `https://10.8.1.240/`
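
The directory values entered in steps 5 through 9 can be checked from a workstation with OpenLDAP's `ldapsearch` before they are saved in Juniper. The script below is an added example, not part of the Ping Identity or Juniper documentation. The host name `ldap.example.test` and the function names are assumptions; the DNs are the example values from the steps above.

```shell
#!/bin/sh
# Added example: check the LDAP values from steps 5-9 with OpenLDAP's ldapsearch.
LDAP_HOST="ldap.example.test"                               # constructed placeholder
ADMIN_DN="CN=Administrator, CN=Users, DC=Accells, DC=Lab"   # step 7 example
BASE_DN="CN=Users, DC=Accells, DC=Lab"                      # steps 8 and 9 example

# Escape a value for use inside a search filter (RFC 4515): \ * ( )
# The backslash is handled first so later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Step 8 filter template: samaccountname=<USER>
user_filter() { printf '(samaccountname=%s)' "$(ldap_escape "$1")"; }

# Step 9 filter template: CN=<GROUPNAME>
group_filter() { printf '(CN=%s)' "$(ldap_escape "$1")"; }

# One subtree search as the Admin DN, with the step 5 timeouts
# (30 s connection, 90 s search). -ZZ requires StartTLS so the bind password
# does not cross port 389 in cleartext; remove it only to reproduce the
# Unencrypted setting. -W prompts for the password.
search() {   # usage: search <filter> <attribute>...
    filter=$1; shift
    ldapsearch -x -LLL -ZZ -H "ldap://$LDAP_HOST:389" \
        -o nettimeout=30 -l 90 \
        -D "$ADMIN_DN" -W -b "$BASE_DN" -s sub "$filter" "$@"
}

# Query the directory only when given a username and a group name.
if [ "$#" -eq 2 ]; then
    search "$(user_filter "$1")" sAMAccountName   # step 8: the user entry is found
    search "$(group_filter "$2")" member          # step 9: the group lists its members
fi
```

Saved under a name of your choice (for example `check_ldap.sh`), it runs as `sh check_ldap.sh <username> <groupname>`; an empty result from either search means the Base DN or filter would not match in Juniper either.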
