---
title: Configuring Juniper for PingID multi-factor authentication
description: Configure Juniper VPN to work with PingID multi-factor authentication (MFA).
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_juniper_for_multifactor_authentication
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_juniper_for_multifactor_authentication.html
revdate: June 10, 2024
section_ids:
  how-it-works: How it works
  processing-steps: Processing steps
  adding-a-radius-server: Adding a RADIUS Server
  steps: Steps
  result: Result:
  result-2: Result:
  adding-a-new-authentication-realm: Adding a New Authentication Realm
  steps-2: Steps
  result-3: Result:
  result-4: Result:
  result-5: Result:
  result-6: Result:
  result-7: Result:
  configuring-a-signing-in-policy: Configuring a Signing In Policy
  steps-3: Steps
  result-8: Result:
  result-9: Result:
  examplejuniperdemourl: Example:*/JuniperDemoURL/
  result-10: Result:
  result-11: Result:
  signing-on: Signing on
  steps-4: Steps
  configuring-juniper-as-first-factor-authentication: Configuring Juniper as first factor authentication
  steps-5: Steps
  example: Example:
---

# Configuring Juniper for PingID multi-factor authentication

Configure Juniper VPN to work with PingID multi-factor authentication (MFA).

Configuring Juniper for MFA involves the following tasks:

* [Adding a RADIUS Server](pid_adding_radius_server.html)

* [Adding a New Authentication Realm](pid_adding_new_authentication_realm.html)

* [Configuring a Signing In Policy](pid_configuring_signing_in_policy.html)

The following video describes the Juniper VPN configuration process.

[Video: Juniper VPN configuration process](_images/JuniperVPN_Brightcove.mp4)

## How it works

The following image represents a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.

![A flow showing the relationship between Juniper VPN, the RADIUS server, and PingID.](_images/cmi1564020888452.png)

## Processing steps

1. When a user opens their Juniper IPSec or SSL VPN sign-in window and enters a username and password, their details are sent to the RADIUS Server on PingFederate through the VPN RADIUS client.

2. PingFederate authenticates the user's credentials with the LDAP Server as first-factor authentication.

3. Upon LDAP authentication approval, the RADIUS server initiates second-factor authentication with PingID.

4. The RADIUS server returns a response to the Juniper VPN. If authentication is denied or an error occurs, the user's VPN window displays an error message.

## Adding a RADIUS Server

To configure Juniper for PingID multi-factor authentication (MFA), you must add a RADIUS server.

### Steps

1. Sign on to Juniper with your administrator ID and password.

2. In the left-hand navigation pane, go to **Authentication → Auth. Servers**.

   ![A screen capture of the Authentication Servers window showing the New list with the buttons New Server and Delete and a table with a header row that shows Authentication/Authorization Servers, Type, User Record Synchronization, and Logical Auth Server Name. There is a check box column at the leftmost side. Example servers Administrators and System Local appear as separate entries under the Authentication/Authorization Servers column. Under the Type column, there are two entries for Local Authentication. The columns for User Record Synchronization and Logical Auth Server Name have no entries. The row that contains the System Local entry has a check box in the leftmost column.](_images/opn1564020863507.png)

3. From the **New** list, select **RADIUS Server**, and then click **New Server**.

   #### Result:

   The **New Radius Server** window opens.

   ![A screen capture of the New Radius Server window. The window includes the Name and NAS-Identifier fields followed by sections for Primary Server and Backup Server. The Primary Server section includes fields for Radius Server, Authentication Port, Shared Secret, Accounting Port, NAS-IP-Address, Timeout, and Retries. There is also a check box option for Users authenticate using tokens or one-time passwords with the note: "If you select this, the device will send the user's authentication method as 'token' if you use SAML, and this credential will not be used in automatic SSO in backend applications. In this screen capture, the Backup Server section includes the specification that it is required only if Backup server exists and fields for Radius Server, Authentication Port, Shared Secret, and Accounting Port."](_images/nst1564020866108.png)

4. In the **New Radius Server** window, enter the following information:

   1. In the **Name** field, enter the RADIUS Server name.

   2. In the **NAS-Identifier** field, enter the name of the device as known to the RADIUS server.

   3. In the **Radius Server** field, enter the DNS name or IP address of the RADIUS server password credential validator (PCV).

   4. In the **Authentication Port** field, enter the port configured in the RADIUS server PCV. The default value is `1812`.

   5. In the **Shared Secret** field, enter the shared secret configured in the RADIUS server PCV.

   6. In the **Accounting Port** field, enter the port used for RADIUS accounting.

      **Note:** The default value is `1813` and should not be changed.

   7. In the **Timeout** field, enter `60`.

      The default value is `30`.

      **Note:** The **Timeout** field determines the amount of time in seconds before the connection is timed out.

5. Click **Save Changes**.

   #### Result:

   The Custom Radius Rules section is enabled.

   ![A screen capture of the Custom Radius Rules section.](_images/ujg1564020868445.jpg)

6. Click **New Radius Rule**.

   The following window is displayed:

   ![A screen capture of the Add Custom Radius Rule window showing the configuration details from the previous configuration steps.](_images/pon1564020869349.png)

7. In the **Add Custom Radius Rule** window, enter the following information:

   1. In the **Name** field, enter `Offline`.

   2. From the **Response Packet Type** list, select **Access Challenge**.

      This is the default value.

   3. Select the **Show Generic Login Page** check box.

8. Click **Save Changes**.
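The processing steps above describe a RADIUS round trip: the VPN (the RADIUS client) sends an Access-Request carrying the username and the password hidden under the shared secret, the server checks the first factor, and it answers with an Access-Challenge (the response type the custom rule in step 7 tells Juniper to expect) to collect the second factor. The following Python script is an added example, not part of this documentation and not code from Ping Identity or Juniper; it builds and verifies those packets as RFC 2865 defines them, with a toy in-memory user store standing in for the LDAP lookup PingFederate performs. The shared secret, the user store, the NAS identifier and the challenge prompt text are all constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32

# Constructed sample data: a shared secret and a first-factor user store
# standing in for the LDAP directory PingFederate would query.
SHARED_SECRET = b"example-shared-secret"
USER_STORE = {b"alice": b"correct horse"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLVs back into (type, value) pairs, rejecting malformed lengths."""
    attrs = []
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def xor_password(data, secret, request_auth, decrypt):
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with an MD5 keystream."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = block if decrypt else result  # chaining uses the ciphertext block
    return out


def hide_password(password, secret, request_auth):
    return xor_password(password + b"\x00" * (-len(password) % 16), secret, request_auth, False)


def reveal_password(cipher, secret, request_auth):
    return xor_password(cipher, secret, request_auth, True).rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, password, nas_id, secret):
    request_auth = os.urandom(16)  # fresh per request; it also keys the password hiding
    body = encode_attrs([(USER_NAME, username), (NAS_IDENTIFIER, nas_id),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def server_handle(packet, secret, user_store):
    """Toy RADIUS server: check the first factor, then challenge for the second."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if not hmac.compare_digest(user_store.get(user, b"\x00"), password):
        return build_response(ACCESS_REJECT, ident, request_auth, [], secret)
    # First factor passed: ask the VPN to collect the PingID OTP (Access-Challenge + State).
    return build_response(ACCESS_CHALLENGE, ident, request_auth,
                          [(STATE, os.urandom(8)), (REPLY_MESSAGE, b"Enter your PingID OTP")],
                          secret)


def client_verify(response, request_auth, secret):
    """The VPN must only act on a reply whose authenticator validates under its shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def exchange(username, password, client_secret, server_secret):
    """One round trip; returns the verified response code, or None if verification fails."""
    request = build_access_request(7, username, password, b"juniper-vpn", client_secret)
    response = server_handle(request, server_secret, USER_STORE)
    return client_verify(response, request[4:20], client_secret)
```

Running `exchange(b"alice", b"correct horse", SHARED_SECRET, SHARED_SECRET)` yields the Access-Challenge code; a wrong password yields Access-Reject; and when the two sides hold different secrets (the most common cause of a silently failing RADIUS setup) the client can neither recover the password on the server side nor validate the reply, which is why the **Shared Secret** field must match the PCV exactly.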

## Adding a New Authentication Realm

To configure Juniper for PingID multi-factor authentication (MFA), you must add a new authentication realm.

### Steps

1. In the left-hand navigation pane, go to **Users → User Realms → New**.

   #### Result:

   The **New Authentication Realm** window opens.

   ![A screen capture of the New Authentication Realm window.](_images/oul1564020872743.png)

2. In the **Name** field, enter a name for the Authentication Realm.

3. In the **Servers** section, enter the following information:

   1. From the **Authentication** list, select the name of the RADIUS server created in [Adding a RADIUS Server](pid_adding_radius_server.html).

   2. From the **User Directory/Attribute** list, select **Same as Above**.

   3. From the **Accounting** list, select the name of the RADIUS server created in [Adding a RADIUS Server](pid_adding_radius_server.html).

   4. From the **Device Attributes** list, select the default value of **None**.

4. Click **Save Changes**.

   #### Result:

   The Authentication Realm is saved and three additional tabs appear.

   ![A screen capture of the JuniperDemoRealm window, as configured in the previous step. The screen capture currently shows the Role Mapping tab.](_images/dqt1564020875036.png)

5. On the **Role Mapping** tab, click **New Rule**.

   #### Result:

   The **Role Mapping Rule** window opens.

   ![A screen capture of the Role Mapping Rule window.](_images/wds1564020877035.png)

6. In the **Role Mapping Rule** window, enter the following information:

   1. From the **Rule Based On** list, select **Username**.

      This is the default value.

   2. In the **Name** field, enter a name for the rule.

   3. In the **\* Rule: If Username…​** section, select **is** from the list, and then enter `*` in the text box.

   4. In the **…​Then Assign These Roles** section, select **Users** in the **Available Roles** list, and then click **Add**.

      #### Result:

      The **Users** role is added to the **Selected Roles** list.

7. Click **Save Changes**.

   #### Result:

   The Authentication Realm is saved.

## Configuring a Signing In Policy

To configure Juniper for PingID multi-factor authentication (MFA), you must configure a sign-in policy.

### Steps

1. In the left navigation pane, in the **Authentication** section, click **Signing In**.

   ![A screen capture of the Signing In window, with an arrow highlighting its location in the menu and an arrow pointing to the New URL button.](_images/jok1564020879955.png)

   #### Result:

   The **Signing In** window opens.

2. In the **Signing In** window, click **New URL…​**.

   #### Result:

   The next section of the **Signing In** window opens.

   ![A screen capture of the New URL section of the Signing In window. This screen capture shows an example completed configuration.](_images/umh1564020882227.png)

3. In the **User Type** section, click **Users**.

4. In the **Sign-in URL** field, enter the sign-in URL in the format of `<host>/<path>/`.

   #### Example:

   `*/JuniperDemoURL/`

5. In the **Authentication Realm** section, enter the following information:

   1. Click **User Picks from a List of Authentication Realms**.

   2. From the **Available Realms** list, select the realm created in [Adding a New Authentication Realm](pid_adding_new_authentication_realm.html), and then click **Add**. The realm is added to the **Selected Realms** list.

      #### Result:

      The **Signing In** window is displayed, and the **User URL** list contains the new URL.

6. Click **Save Changes**.

7. From **User URLs** list, select the check box next to the URL you just created.

8. To move the URL to the top of the list, click the **Up Arrow** icon (![zzb1564020885413](_images/zzb1564020885413.png)).

   ![A screen capture of the Signing In window, demonstrating how to use the up arrow icon to move a URL to the top of the list.](_images/bzy1564020885921.png)

9. Click **Save Changes**.

   #### Result:

   The Juniper VPN is now configured to use the PingFederate RADIUS password credential validator (PCV) server.

## Signing on

Sign on to your user URL page.

### Steps

1. In a web browser, enter the user URL you previously created in [Configuring a Signing In Policy](pid_configuring_signing_in_policy.html).

2. Authenticate with your username and password.

3. Perform your second-factor authentication using PingID.

## Configuring Juniper as first factor authentication

Configure Juniper 8.0 as the first-factor ID provider using LDAP and PingFederate with PingID RADIUS password credential validator (PCV) as the second factor.

### Steps

1. Configure PingFederate with a PingID RADIUS PCV, and leave the **Delegate PCV** section empty.

   For more information, see [Integration for devices using a RADIUS server](pid_integration_devices_radius_server.html).

   ![A screen capture of Create Credential Validator Instance window in the PingFederate administrative console.](_images/ocy1564020858119.png)

2. In the Juniper admin portal, create and configure the PingID RADIUS configuration.

   For more information, see [Configuring Juniper for PingID multi-factor authentication](pid_configuring_juniper_for_multifactor_authentication.html).

3. Go to **Authentication → Authentication Servers**.

   ![A screen capture of the Authentication Servers window in the Juniper UI.](_images/lcy1564021021870.png)

4. From the **New** drop-down list, select **LDAP Server**, and then click **New Server**.

5. In the **Settings** tab, complete the following fields:

   1. In the **Name** field, enter a name for the server.

   2. In the **LDAP Server** field, enter the IP address or hostname of the LDAP server.

   3. In the **LDAP Port** field, keep the default value of `389`, or change it according to the LDAP configuration.

   4. From the **LDAP Server Type** list, select **Active Directory**.

   5. From the **Connection** options, keep the default value of `Unencrypted`, or change it to match the LDAP configuration.

   6. In the **Connection Timeout** field, enter `30`.

   7. In the **Search Timeout** field, enter `90`.

   8. Leave all other fields empty.

      ![A screen capture of the New Authentication Server window in the Juniper UI.](_images/doy1564021024428.png)

6. To confirm that the connection is valid before continuing, click **Test Connection**.

7. In the **Authentication Required?** section, complete the following fields:

   1. Select the **Authentication Required to Search LDAP** check box.

   2. In the **Admin DN** field, enter the admin DN.

      For example, `CN=Administrator, CN=Users, DC=Accells, DC=Lab`.

   3. In the **Password** field, enter the admin password.

      ![A screen capture of the Authentication Required? section in the Juniper UI. The Authentication required to search LDAP check box is selected. The Admin DN field shows the example DN: CN=Administrator, CN=Users, DC=Accells, DC=Lab. The Password field shows an obfuscated password example.](_images/jhv1564021026116.png)

8. In the **Finding User Entries** section, complete the following fields:

   1. In the **Base DN** field, enter the Base DN.

      For example, `CN=Users, DC=Accells, DC=Lab`.

   2. In the **Filter** field, enter `samaccountname=<USER>`.

      ![A screen capture of the Finding User Entries section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field has an asterisk next to it and shows the value samaccountname=\<USER>.](_images/mto1564021027137.png)

9. In the **Determining Group Membership** section, complete the following fields:

   1. In the **Base DN** field, enter the Base DN.

      For example, `CN=Users, DC=Accells, DC=Lab`.

   2. In the **Filter** field, enter `CN=<GROUPNAME>`.

   3. In the **Member Attribute** field, enter `member`.

      ![A screen capture of the Determining Group Membership section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field shows the value CN=\<GROUPNAME>. The Member Attribute field shows the value member. After the Member Attribute field is a check box for Reverse group search. This check box is not selected. The Query Attribute field is blank. The Nested Group Level field shows a value of 0. The Nested Group Search shows two radio button options for Nested groups in Server Catalog and Search all nested groups. The Nested groups in Server Catalog button is clicked.](_images/trh1564021028217.png)

10. Click **Save Changes**.

11. Go to **Authentication → Signing In → Sign-in Policies**, and ensure that the first entry on the **User URLs** list is `*/`.

    ![A screen capture of the Sign-in Policies tab in the Juniper UI. There are three URL lists: Administrator URLs, User URLs, and Meeting URLs. In the User URLs list, \*/ is the first entry and has the Authentication Realm for Users.](_images/iei1564021030635.png)

    **Note:** This differs from the instructions in the RADIUS PCV documentation.

12. Go to **Users → User Realms → Users** and in the **Servers** section, complete the following fields:

    1. From the **Authentication** list, choose the LDAP authentication server created earlier.

       For example, **local\_LDAP**.

    2. From the **User Directory/Attribute** list, select **Same as Above**.

    3. From the **Accounting** list, select the Juniper RADIUS authentication server created earlier.

       For example, **PingID\_Radius**.

       ![A screen capture of the Servers section in the Juniper UI. The Authentication field shows local\_LDAP selected. The User Directory/Attribute field shows Same as Above selected. The Accounting field shows PingID\_Radius selected. The Device Attributes field shows None selected.](_images/wav1564021034006.png)

13. Select the **Additional Authentication Server** check box, and then complete the following fields:

    1. From the **Authentication #2** list, select the Juniper RADIUS authentication server created earlier.

       For example, **PingID\_RADIUS**.

    2. In the **Username is:** section, click **Predefined as** and enter `<USERNAME>`.

    3. In the **Password is:** section, click **Predefined as** and enter `<PASSWORD>`.

    4. Select the **End Session if Authentication Against this Server Fails** check box.

       ![A screen capture of the Additional Authentication Server section in the Juniper UI. The Authentication #2 field shows PingID\_Radius selected. The Username is section shows two radio button options for specified by user on sign-in page and predefined as. The predefined as button is clicked and the predefined as field shows \<USERNAME>. The Password is section shows two radio button options for specified by user on sign-in page and predefined as. This section also has a check box for End session if authentication against this server fails. The button for predefined as is clicked and the predefined as field shows \<PASSWORD>. The End session if authentication against this server fails check box is selected.](_images/mrc1564021035022.png)

14. Click **Save Changes**.

15. To sign on to Juniper while using the Juniper LDAP configuration as the first-factor for authentication, use the default user URL.

    #### Example:

    `https://<juniper IP>`, `https://<juniper hostname>`, or `https://10.8.1.240/`
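The `<USER>` placeholder in the **Finding User Entries** filter and the `<GROUPNAME>` placeholder in the **Determining Group Membership** filter are substituted with a submitted value at sign-in time. The following Python script is an added example, not part of this documentation and not Juniper's or Ping Identity's code; it shows the RFC 4515 escaping that such a substitution needs so that characters in a submitted username or group name cannot change the structure of the search filter, and contrasts it with naive string replacement. The placeholder syntax, the function names and the inputs are assumptions made for the example.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_SPECIAL = {"*", "(", ")", "\\"}
PLACEHOLDER = re.compile(r"<([A-Z_]+)>")


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter (RFC 4515).

    Special characters, control bytes and non-ASCII UTF-8 bytes become \\xx hex escapes.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if ch in _SPECIAL or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)


def naive_render(template, values):
    """Plain string replacement: the submitted value is pasted into the filter unchanged."""
    rendered = template
    for name, value in values.items():
        rendered = rendered.replace("<%s>" % name, value)
    return rendered if rendered.startswith("(") else "(%s)" % rendered


def render_filter(template, values):
    """Fill <NAME> placeholders with escaped values and wrap the result in parentheses."""
    def replace(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value supplied for placeholder <%s>" % name)
        return escape_filter_value(values[name])
    rendered = PLACEHOLDER.sub(replace, template)
    return rendered if rendered.startswith("(") else "(%s)" % rendered


def user_search(base_dn, username):
    """Base DN and filter for the user lookup configured in Finding User Entries."""
    return base_dn, render_filter("samaccountname=<USER>", {"USER": username})


def group_search(base_dn, group_name):
    """Base DN and filter for the lookup configured in Determining Group Membership."""
    return base_dn, render_filter("CN=<GROUPNAME>", {"GROUPNAME": group_name})


if __name__ == "__main__":
    # Constructed inputs: an ordinary username and one containing filter metacharacters.
    for name in ("jdoe", "*)(objectClass=*"):
        print("naive:  ", naive_render("samaccountname=<USER>", {"USER": name}))
        print("escaped:", render_filter("samaccountname=<USER>", {"USER": name}))
```

With the escaped renderer the metacharacters stay inside the single `samaccountname` assertion, so the directory is only ever asked to match a literal value; the appliance performs this substitution itself, but the same rule applies to any script or middleware that builds LDAP queries from the same `<USER>`-style templates.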
