PingID Administration Guide

Configuring Juniper for PingID multi-factor authentication

Configure Juniper VPN to work with PingID multi-factor authentication (MFA).

Configuring Juniper for MFA involves the tasks described in the following sections.


How it works

The following image represents a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.

A flow showing the relationship between Juniper VPN, the RADIUS server, and PingID.

Processing steps

  1. When a user opens their Juniper IPSec or SSL VPN sign-in window and enters a username and password, their details are sent to the RADIUS Server on PingFederate through the VPN RADIUS client.

  2. PingFederate authenticates the user’s credentials with the LDAP Server as first-factor authentication.

  3. Upon LDAP authentication approval, the RADIUS server initiates second-factor authentication with PingID.

  4. The RADIUS server returns a response to the Juniper VPN. If authentication is denied or an error occurs, the user’s VPN window displays an error message.
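As an added example (not code from the PingID guide or from Juniper), the following Python reproduces the exchange in steps 1 to 4 at the packet level: the Access-Request that the VPN's RADIUS client sends, the Access-Challenge that the RADIUS server returns when it starts PingID second-factor authentication (the Response Packet Type selected later in the Custom Radius Rule), and the Response Authenticator check that lets the client reject a reply that was not produced with the value entered in the Shared Secret field. Packet layout follows RFC 2865; the username, password, secret and State value are constructed.

```python
import hashlib, hmac, os, struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in pairs)

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def access_request(ident, username, password, secret, authenticator):
    """Access-Request as the Juniper RADIUS client sends it to the PingFederate RADIUS server."""
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_reply(code, request, secret, pairs):
    """Reply whose Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    attrs = encode_attrs(pairs)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply, request, secret):
    """Client-side check: (code, {type: value}) or None if the reply does not match this request under our secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return None  # forged, tampered, or replayed from a different request
    attrs, pos = {}, 20
    while pos < len(reply):
        if pos + 2 > len(reply) or reply[pos + 1] < 2:  # truncated or malformed attribute
            return None
        attrs[reply[pos]] = reply[pos + 2:pos + reply[pos + 1]]
        pos += reply[pos + 1]
    return reply[0], attrs

def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: LDAP first factor accepted, server now challenges for PingID."""
    req = access_request(7, "alice", "Passw0rd!", secret, os.urandom(16))
    challenge = server_reply(CODE_ACCESS_CHALLENGE, req, secret, [
        (ATTR_REPLY_MESSAGE, b"Approve the PingID request"), (ATTR_STATE, b"pingid-session-1")])
    return verify_reply(challenge, req, secret), verify_reply(challenge, req, b"wrong-secret")
```

Calling demo() returns a parsed Access-Challenge under the configured secret and None under a wrong one, which is why the secret entered on Juniper must match the one configured in the PingFederate RADIUS PCV exactly.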

Adding a RADIUS Server

To configure Juniper for PingID multi-factor authentication (MFA), you must add a RADIUS server.

Steps

  1. Sign on to Juniper with your administrator ID and password.

  2. In the left-hand navigation pane, go to Authentication → Auth. Servers.

    A screen capture of the Authentication Servers window showing the New list with the buttons New Server and Delete, and a table with a header row that shows Authentication/Authorization Servers, Type, User Record Synchronization, and Logical Auth Server Name. There is a check box column at the left-most side. Example servers Administrators and System Local appear as separate entries under the Authentication/Authorization Servers column. Under the Type column, there are two entries for Local Authentication. The columns for User Record Synchronization and Logical Auth Server Name have no entries. The row that contains the System Local entry has a check box in the left-most column.

  3. From the New list, select RADIUS Server, and then click New Server.

    Result:

    The New Radius Server window opens.

    A screen capture of the New Radius Server window. The window includes the Name and NAS-Identifier fields followed by sections for Primary Server and Backup Server. The Primary Server section includes fields for Radius Server, Authentication Port, Shared Secret, Accounting Port, NAS-IP-Address, Timeout, and Retries. There is also a check box option for Users authenticate using tokens or one-time passwords with the note:

  4. In the New Radius Server window, enter the following information:

    1. In the Name field, enter the RADIUS Server name.

    2. In the NAS-Identifier field, enter the name of the device as known to the RADIUS server.

    3. In the Radius Server field, enter the DNS name or IP address of the RADIUS server password credential validator (PCV).

    4. In the Authentication Port field, enter the port configured in the RADIUS server PCV. The default value is 1812.

    5. In the Shared Secret field, enter the shared secret configured in the RADIUS server PCV.

    6. In the Accounting Port field, enter the port used for RADIUS accounting.

      The default value is 1813 and should not be changed.

    7. In the Timeout field, enter 60.

      The default value is 30.

      The Timeout field sets the number of seconds that Juniper waits for a response from the RADIUS server before the request times out.

  5. Click Save Changes.

    Result:

    The Custom Radius Rules section is enabled.

    A screen capture of the Custom Radius Rules section.

  6. Click New Radius Rule.

    The following window is displayed:

    A screen capture of the Add Custom Radius Rule window showing the configuration details from the previous configuration steps.

  7. In the Add Custom Radius Rule window, enter the following information:

    1. In the Name field, enter Offline.

    2. From the Response Packet Type list, select Access Challenge.

      This is the default value.

    3. Select the Show Generic Login Page check box.

  8. Click Save Changes.

Adding a New Authentication Realm

To configure Juniper for PingID multi-factor authentication (MFA), you must add a new authentication realm.

Steps

  1. In the left-hand navigation pane, go to Users → User Realms → New.

    Result:

    The New Authentication Realm window opens.

    A screen capture of the New Authentication Realm window.

  2. In the Name field, enter a name for the Authentication Realm.

  3. In the Servers section, enter the following information:

    1. From the Authentication list, select the name of the RADIUS server created in Adding a RADIUS Server.

    2. From the User Directory/Attribute list, select Same as Above.

    3. From the Accounting list, select the name of the RADIUS server created in Adding a RADIUS Server.

    4. From the Device Attributes list, select the default value of None.

  4. Click Save Changes.

    Result:

    The Authentication Realm is saved and three additional tabs appear.

    A screen capture of the JuniperDemoRealm window, as configured in the previous step. The screen capture currently shows the Role Mapping tab.

  5. On the Role Mapping tab, click New Rule.

    Result:

    The Role Mapping Rule window opens.

    A screen capture of the Role Mapping Rule window.

  6. In the Role Mapping Rule window, enter the following information:

    1. From the Rule Based On list, select Username.

      This is the default value.

    2. In the Name field, enter a name for the rule.

    3. In the Rule: If Username… section, select is from the list, and then enter * in the text box.

    4. In the …Then Assign These Roles section, select Users in the Available Roles list, and then click Add.

      Result:

      The Users role is added to the Selected Roles list.

  7. Click Save Changes.

    Result:

    The Authentication Realm is saved.

Configuring a Signing In Policy

To configure Juniper for PingID multi-factor authentication (MFA), you must configure a sign in policy.

Steps

  1. In the left navigation pane, in the Authentication section, click Signing In.

    A screen capture of the Signing In window, with an arrow highlighting its location in the menu and an arrow pointing to the New URL button.

    Result:

    The Signing In window opens.

  2. In the Signing In window, click New URL….

    Result:

    The next section of the Signing In window opens.

    A screen capture of the New URL section of the Signing In window. This screen capture shows an example completed configuration.

  3. In the User Type section, click Users.

  4. In the Sign-in URL field, enter the sign-in URL in the format of <host>/<path>/.

    Example: */JuniperDemoURL/

  5. In the Authentication Realm section, enter the following information:

    1. Click User Picks from a List of Authentication Realms.

    2. From the Available Realms list, select the realm created in Adding a New Authentication Realm, and then click Add. The realm is added to the Selected Realms list.

      Result:

      The Signing In window is displayed, and the User URL list contains the new URL.

  6. Click Save Changes.

  7. From the User URLs list, select the check box next to the URL you just created.

  8. To move the URL to the top of the list, click the Up Arrow icon.

    A screen capture of the Signing In window, demonstrating how to use the up arrow icon to move a URL to the top of the list.

  9. Click Save Changes.

    Result:

    The Juniper VPN is now configured to use the PingFederate RADIUS password credential validator (PCV) server.

Signing on

Sign on to your user URL page.

Steps

  1. In a web browser, enter the user URL you previously created in Configuring a Signing In Policy.

  2. Authenticate with your username and password.

  3. Perform your second-factor authentication using PingID.

Configuring Juniper as first factor authentication

Configure Juniper 8.0 as the first-factor ID provider using LDAP and PingFederate with PingID RADIUS password credential validator (PCV) as the second factor.

Steps

  1. Configure PingFederate with a PingID RADIUS PCV, and leave the Delegate PCV section empty.

  2. In the Juniper admin portal, create and configure the PingID RADIUS configuration.

  3. Go to Authentication → Authentication Servers.

    A screen capture of the Authentication Servers window in the Juniper UI.

  4. From the New drop-down list, select LDAP Server, and then click New Server.

  5. In the Settings tab, complete the following fields:

    1. In the Name field, enter a name for the server.

    2. In the LDAP Server field, enter the IP address or hostname of the LDAP server.

    3. In the LDAP Port field, keep the default value of 389, or change it according to the LDAP configuration.

    4. From the LDAP Server Type list, select Active Directory.

    5. From the Connection options, keep the default value of Unencrypted, or change it to match the LDAP configuration.

    6. In the Connection Timeout field, enter 30.

    7. In the Search Timeout field, enter 90.

    8. Leave all other fields empty.

      A screen capture of the New Authentication Server window in the Juniper UI.

  6. To confirm that the connection is valid before continuing, click Test Connection.

  7. In the Authentication Required? section, complete the following fields:

    1. Select the Authentication Required to Search LDAP check box.

    2. In the Admin DN field, enter the admin DN.

      For example, CN=Administrator, CN=Users, DC=Accells, DC=Lab.

    3. In the Password field, enter the admin password.

      A screen capture of the Authentication Required? section in the Juniper UI. The Authentication required to search LDAP check box is selected. The Admin DN field shows the example DN: CN=Administrator, CN=Users, DC=Accells, DC=Lab. The Password field shows an obfuscated password example.

  8. In the Finding User Entries section, complete the following fields:

    1. In the Base DN field, enter the Base DN.

      For example, CN=Users, DC=Accells, DC=Lab.

    2. In the Filter field, enter samaccountname=<USER>.

      A screen capture of the Finding User Entries section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field has an asterisk next to it and shows the value samaccountname=<USER>.

  9. In the Determining Group Membership section, complete the following fields:

    1. In the Base DN field, enter the Base DN.

      For example, CN=Users, DC=Accells, DC=Lab.

    2. In the Filter field, enter CN=<GROUPNAME>.

    3. In the Member Attribute field, enter member.

      A screen capture of the Determining Group Membership section in the Juniper UI. The Base DN field shows the example DN: CN=Users, DC=Accells, DC=Lab. The Filter field shows the value CN=<GROUPNAME>. The Member Attribute field shows the value member. After the Member Attribute field is a check box for Reverse group search. This check box is not selected. The Query Attribute field is blank. The Nested Group Level field shows a value of 0. The Nested Group Search shows two radio button options for Nested groups in Server Catalog and Search all nested groups. The Nested groups in Server Catalog button is clicked.

  10. Click Save Changes.

  11. Go to Authentication → Signing In → Sign-in Policies, and ensure that the first entry in the User URLs list is */.

    A screen capture of the Sign-in Policies tab in the Juniper UI. There are three URL lists: Administrator URLs, User URLs, and Meeting URLs. In the User URLs list, */ is the first entry and has the Authentication Realm for Users.

    This differs from the instructions in the RADIUS PCV documentation.

  12. Go to Users → User Realms → Users and in the Servers section, complete the following fields:

    1. From the Authentication list, select the LDAP authentication server created earlier.

      For example, local_LDAP.

    2. From the User Directory/Attribute list, select Same as Above.

    3. From the Accounting list, select the Juniper RADIUS authentication server created earlier.

      For example, PingID_Radius.

      A screen capture of the Servers section in the Juniper UI. The Authentication field shows local_LDAP selected. The User Directory/Attribute field shows Same as Above selected. The Accounting field shows PingID_Radius selected. The Device Attributes field shows None selected.

  13. Select the Additional Authentication Server check box, and then complete the following fields:

    1. From the Authentication #2 list, select the Juniper RADIUS authentication server created earlier.

      For example, PingID_Radius.

    2. In the Username is: section, click Predefined as and enter <USERNAME>.

    3. In the Password is: section, click Predefined as and enter <PASSWORD>.

    4. Select the End Session if Authentication Against this Server Fails check box.

      A screen capture of the Additional Authentication Server section in the Juniper UI. The Authentication #2 field shows PingID_Radius selected. The Username is section shows two radio button options for specified by user on sign-in page and predefined as. The predefined as button is clicked and the predefined as field shows <USERNAME>. The Password is section shows two radio button options for specified by user on sign-in page and predefined as. This section also has a check box for End session if authentication against this server fails. The button for predefined as is clicked and the predefined as field shows <PASSWORD>. The End session if authentication against this server fails check box is selected.

  14. Click Save Changes.

  15. To sign on to Juniper while using the Juniper LDAP configuration as the first-factor for authentication, use the default user URL.

    Example:

    https://<juniper IP>, https://<juniper hostname>, or https://10.8.1.240/