Juniper Networks SSL VPN - SafeNet

Date posted: 18-May-2018

Authentication Service Delivery Made EASY™

Strong Authentication for

Juniper Networks SSL VPN

with

Powerful Authentication Management for Service Providers and Enterprises

Juniper Networks SSL VPN with BlackShield

Copyright

Copyright © 2011. CRYPTOCard Inc. All rights reserved. The information contained herein is subject to change without notice. Proprietary Information of CRYPTOCard Inc.

Disclaimer

The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than CRYPTOCard Inc. While every effort is made to ensure the accuracy of content offered on these pages, CRYPTOCard Inc. shall have no liability for errors, omissions or inadequacies in the content contained herein or for interpretations thereof.

Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk.

No part of this documentation may be reproduced without the prior written permission of the copyright owner. CRYPTOCard Inc. disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall CRYPTOCard Inc. be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if CRYPTOCard Inc. has been advised of the possibility of such damages. Some provinces, states or countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents CRYPTOCard Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behaviour to [email protected].

The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of the license.

Trademarks

BlackShield ID, CRYPTOCard and the CRYPTOCard logo are trademarks and/or registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective holders.


Contact Information

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

United Kingdom

2430 The Quadrant, Aztec West, Almondsbury, Bristol, BS32 4AQ, U.K.

Phone: +44 870 7077 700

Fax: +44 870 70770711

[email protected]

North America

600-340 March Road, Kanata, Ontario, Canada K2K 2E4

Phone: +1 613 599 2441

Fax: +1 613 599 2442

[email protected]

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com


Overview

By default, a Juniper SSL VPN logon requires only that the user provide a correct user name and password. This document describes the steps necessary to augment that logon with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token, using the implementation instructions below.

Applicability

This integration guide is applicable to:

Security Partner Information
  Security Partner:          Juniper Networks
  Product Name and Version:  SA 700 / 6.2R1 (build 13255)
  Protection Category:       SSL Remote Access

Authentication Service Delivery Platform Compatibility

Publication History
  Date              Changes                                                 Version
  January 26, 2009  Document created                                        1.0
  July 9, 2009      Copyright year updated                                  1.1
  Sept 15, 2010     Updated for GrIDsure, MP and different auth methods     1.2


Preparation and Prerequisites

1. Ensure end users can authenticate through the Juniper SSL VPN with a static password before configuring RADIUS authentication.

2. For BlackShield Server:

   a. The BlackShield ID NPS/IAS Agent has been installed and configured on the NPS/IAS server to accept RADIUS authentication requests from the Juniper SSL VPN.

   b. Ensure that ports 1812/UDP (RADIUS authentication) and 1813/UDP (RADIUS accounting) are open from the Juniper SSL VPN to the NPS/IAS server.

   c. The NPS/IAS Agent must be configured to use either port 80 or port 443 to send authentication requests to the BlackShield ID server. Port 443 is the HTTPS port; prefer it so that the agent-to-server leg of each authentication is not carried in the clear.

3. For BlackShield Cloud:

   a. Add a RADIUS Auth Node configured to accept authentication requests from the Juniper SSL VPN.

4. For BlackShield Server or BlackShield Cloud:

   a. Create or define a “Test” account that will be used to verify that the Juniper SSL VPN has been properly configured. Ensure that the user name for this account exists in BlackShield ID by locating it in the Assignment tab.

   b. Verify that the “Test” user account can successfully authenticate to the Juniper SSL VPN with a static password before applying the changes and testing authentication with a token.

   c. Assign a CRYPTOCard token to the “Test” user account.


Configuration

Configuring Juniper SSL VPN for Two Factor Authentication

• Log into the Juniper SSL VPN Admin web portal.

• To add a new RADIUS server, click on “Auth Servers”.

• From the dropdown box, select “Radius Server”.

• Then click on the “New Server...” button.

• Enter a name for the new RADIUS server.

• Enter the IP address or DNS name of the primary BlackShield ID RADIUS server into the “Radius Server” field.

• Enter a shared secret into the “Shared Secret” field. The same secret must be configured for this client on the NPS/IAS server (or on the BlackShield Cloud RADIUS Auth Node). It is what hides the User-Password attribute and authenticates the server’s replies to the Juniper device, so use a long, random value rather than a word.

• Place a checkmark in the “Users authenticate using tokens and one-time passwords” checkbox.

• Click “Save Changes” when completed.

Optional:

• If there is a secondary BlackShield ID RADIUS server, fill in all fields within the Backup Server section.

NOTE: If the Juniper SSL VPN has other realms created, skip the rest of this section and go to the “Advanced Configuration” section.


After the new RADIUS server has been created, it needs to be applied to a User Realm.

• On the left hand side, select User Realms

• Select Users

• Then select General

Under the Servers section there are three dropdown fields:

• Authentication
• Directory/Attribute
• Accounting

Change “Authentication” and “Accounting” to use the RADIUS server that was just created. Change Directory/Attribute to “Same as above”. Click “Save Changes” when completed.

Next, check the Sign-in Policies section to ensure that the default User URL is set to allow all User Realms to authenticate.

Ensure that the Authentication Realm(s) section says ALL. This means that any User Realm created within the Juniper SSL VPN can authenticate to this User URL. That is fine on a device with a single realm; where other realms exist, restrict this URL to the RADIUS-backed realm as described under “Advanced Configuration”, otherwise a user can sign in at the same URL through a realm that does not require a token.


Testing CRYPTOCard Authentication

The next step is to test authentication against BlackShield ID via RADIUS using the newly configured Juniper SSL VPN web login portal.

Open a web browser and go to the sign-in URL of the device, e.g. https://JuniperSSLVPN.DNS.Name/. Enter the “Test” user name and the one-time password from that user’s CRYPTOCard token, then click “Sign In”.

If authentication succeeds, the user is presented with the Juniper SSL VPN portal. If it fails, confirm from the NPS/IAS server’s event log whether the request arrived at all before changing the Juniper configuration: a request that never reaches the server points at the shared secret, client address or UDP port, while a logged rejection points at the BlackShield ID side (user name, token assignment or the OTP entered).


Advanced Configuration

After configuring the Juniper SSL VPN for RADIUS authentication, the Juniper device may have trouble applying the proper role to the user that is authenticating. The RADIUS server returns an Access-Accept, but nothing in that reply tells the Juniper SSL VPN which role to map the user to. To resolve this, the RADIUS server is configured to return a Filter-Id attribute (RADIUS attribute 11) in the Access-Accept, and a role mapping rule that matches on that attribute is added to the User Realm. Filter-Id is compared as a plain string, so the value configured on the Juniper device and the value returned by the NPS/IAS policy must match exactly.

Adding Filter-Id to a User Realm in Juniper SSL VPN

Log into the Juniper SSL VPN Administrative web portal.

• Go down to the “Users” section

• Highlight “User Realms”

• Then highlight the User Realm where the Filter-Id attribute will be added

• Finally click on “Role Mapping”.


Under the Role Mapping tab, click on the “New Rule...” button. In the new Role Mapping Rule page, perform the following:

• Under “Rule based on:”, click the dropdown menu and select “User attribute”

• Then click the Update button

• Under the “Attribute:” section, click the dropdown menu and select Filter-Id (11)

• In the textbox below, type in a name for the Filter-Id (e.g. Information Technology)

• Under “...then assign these roles”, select the Role(s) that will be assigned to users after a successful authentication in which the correct Filter-Id has been returned to the Juniper SSL VPN device.

Click “Save Changes” when finished.

Next, check the “Sign-in Policies” section to ensure that the default User URL is set to use the User Realm that has the Filter-Id role mapping.

Ensure that the Authentication Realm(s) section lists only the correct User Realm, so that only that realm can authenticate to this User URL.
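The RADIUS exchange that the role mapping rule above depends on, as an added example in Python (it is not code from CRYPTOCard or Juniper). It builds the Access-Request with the RFC 2865 User-Password hiding, has a toy server produce replies, verifies each reply’s Response Authenticator against the shared secret the way the NAS must, and then applies the Filter-Id rule. It also shows what the Juniper device sees for an Access-Accept without Filter-Id (the symptom this section fixes), for an Access-Challenge carrying Reply-Message (18), which the custom RADIUS rule in the GrIDsure section acts on, and for a reply produced with the wrong secret. The shared secret, user name, OTP, Filter-Id value and role name are assumptions.

```python
"""Constructed example (not CRYPTOCard or Juniper code): the RADIUS exchange
behind the Filter-Id role-mapping rule, built from RFC 2865 primitives.  The
NAS (the Juniper SSL VPN) sends an Access-Request carrying the user name and
OTP, verifies the Response Authenticator of the reply with the shared secret,
and then maps Filter-Id (11) to a role exactly as the rule does.  Secret, user
name, OTP, Filter-Id value and role names are made-up assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE = 1, 2, 11, 18


def encode_attrs(attrs):
    """[(type, value_bytes)] -> RADIUS attribute TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs; length covers type+length+value, so anything below 2 is bogus."""
    out = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((t, data[2:length]))
        data = data[length:]
    return out


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw = pw.ljust(16 * max(1, -(-len(pw) // 16)), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def access_request(secret, ident, username, otp):
    """NAS side: fresh random Request Authenticator, user name and hidden OTP."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(secret, req_auth, otp))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt, req_auth


def server_reply(secret, request, code, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    ident, req_auth = request[1], request[4:20]
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def verify_reply(secret, req_auth, ident, pkt):
    """NAS side: drop replies whose ID or authenticator do not match our request."""
    code, rid, length = struct.unpack("!BBH", pkt[:4])
    if rid != ident or length != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    return code, decode_attrs(pkt[20:])


def role_decision(verified, role_map):
    """Mirror the Juniper rule: Access-Accept with Filter-Id equal to a mapped value -> role."""
    if verified is None:
        return "drop: bad authenticator"
    code, attrs = verified
    attrs = dict(attrs)
    if code == ACCESS_CHALLENGE and REPLY_MESSAGE in attrs:
        return "challenge: " + attrs[REPLY_MESSAGE].decode()
    if code != ACCESS_ACCEPT:
        return "reject"
    fid = attrs.get(FILTER_ID, b"").decode()
    if fid not in role_map:
        return "accept, but no role mapping matched"  # the symptom this section fixes
    return "role: " + role_map[fid]


def demo():
    """Four replies to one request: good, missing Filter-Id, challenge, wrong secret."""
    secret = b"example-shared-secret"  # assumption: the value typed into "Shared Secret"
    role_map = {"Information Technology": "IT-Users"}  # Filter-Id value -> Juniper role
    req, req_auth = access_request(secret, 7, "testuser", "482913")
    replies = [
        server_reply(secret, req, ACCESS_ACCEPT, [(FILTER_ID, b"Information Technology")]),
        server_reply(secret, req, ACCESS_ACCEPT, []),
        server_reply(secret, req, ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter next token code")]),
        server_reply(b"wrong-secret", req, ACCESS_ACCEPT, [(FILTER_ID, b"Information Technology")]),
    ]
    return [role_decision(verify_reply(secret, req_auth, 7, r), role_map) for r in replies]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints the four decisions in order. The reply produced with the wrong secret is dropped before any attribute is examined, which is why the shared secret, not the Filter-Id value, is what stops a spoofed Access-Accept from granting a role.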


Adding Filter-Id attribute to Remote Access Policy (Windows 2003)

This section is specifically for adding a Filter-Id attribute to a Remote Access Policy within Windows 2003 Internet Authentication Service (IAS). To add a new Network Policy with a Filter-Id in Microsoft Network Policy Server on Windows 2008, refer to “Creating new Network Policy with Filter-Id attribute (Windows 2008)” below.

Open Microsoft Internet Authentication Service (2003)

• Select “Remote Access Policies”

• Right click “Authenticate to BlackShield”, and select “Properties”

In the “Authenticate to BlackShield Properties” popup, perform the following:

• Select the existing policy condition “NAS-Port-Type matches Ethernet”, click the “Remove” button, then click the “Add” button

• Select “Day-And-Time-Restrictions”, and click “Add”

• Select the “Permitted” radio button. With the NAS-Port-Type condition removed, the policy matches the Juniper requests whatever port type they carry.

• Click “OK”, and then “Apply”

• In the “Authenticate to BlackShield Properties” popup, click “Edit Profile...”

• In the “Edit Dial-in Profile” popup, click the “Advanced” tab.

• Click the “Add” button

• Select “Filter-Id”, and then click “Add”

• In the new popup, click the “Add” button

• Another popup appears. Enter the Filter-Id value that was entered in the Juniper role mapping rule (section 2.1.1).

• Click “OK” when finished, “OK” again, then click “Close”

The “Advanced” tab will now display the new Filter-Id that has been added to this Remote Access Policy.

• Click “OK”, and then “OK” again when finished.

• Expand “Connection Request Processing” in IAS

• Select “Connection Request Policies”

• Right click on the Policy that was created for BlackShield, and select “Properties”

• In the Authentication tab, select the “Authenticate requests on this server” radio button

• Click “OK” when finished.

• After all changes have been made, open Windows Services and restart “Internet Authentication Service”.

Creating new Network Policy with Filter-Id attribute (Windows 2008)

This section is specifically for adding a new Network Policy, carrying a Filter-Id attribute, within Windows 2008 Network Policy Server (NPS). To add a Filter-Id attribute to a Remote Access Policy in Microsoft Internet Authentication Service on Windows 2003, refer to “Adding Filter-Id attribute to Remote Access Policy (Windows 2003)” above.

• Open Microsoft Network Policy Server (2008)

• Expand “Policies”

• Select “Network Policies”

• Right click “Network Policies” and select “New”

• Enter a name for the new Network Policy in the “Policy name” field

• Ensure “Type of network access server” is set to “Unspecified”

• Click “Next” to continue

• Click the “Add” button to add a new condition

• Scroll down and select “Day and Time Restrictions”, and click “Add”

• Select the “Permitted” radio button, and then click “OK”

• Click “Next” to continue

• Select the “Access granted” radio button

• Click the “Next” button three times

• Click the “Add” button to add a new attribute

• Select “Filter-Id”, and click “Add”

• Click the “Add” button, then enter the Filter-Id value that was entered in the Juniper role mapping rule (section 2.1.1)

• Click “OK”, then “OK” again

• Click the “Close” button

• Click “Next”

• Then click “Finish” to create the new Network Policy

• Select “Connection Request Policies” in NPS

• Right click on the Policy that was created for BlackShield, and select “Properties”

• Select the “Settings” tab

• Then select “Authentication” on the left hand side

• On the right hand side, select the “Authenticate requests on this server” radio button

• Click “OK” when finished

• After all changes have been made, open Windows Services and restart “Network Policy Server”

Juniper SSL VPN and GrIDsure support

The Juniper SSL VPN login page can be configured to authenticate both hardware token and GrIDsure token users.

1. The user enters the Juniper SSL VPN URL into their web browser.

2. The Juniper SSL VPN login page displays a Username and OTP field as well as a Login and a Get GrID button.

3. The user enters their username into the Username field then selects Get Grid. The request is submitted directly from the user’s web browser to the BlackShield Self Service site.

4. The BlackShield Self Service site returns the user’s GrIDsure grid, which is displayed within the Juniper SSL VPN login page.

5. The user enters their GrIDsure password (the code read off the grid at the positions of their personal pattern) into the OTP field then submits the request.

6. The Juniper SSL VPN device performs a RADIUS authentication request against the BlackShield server. If the CRYPTOCard credentials entered are valid, the user is presented with their Juniper SSL VPN portal; otherwise the attempt is rejected.

Prerequisites

1. The Juniper SSL VPN device must support uploading custom login pages (Juniper SSL VPN model SA 2500 or higher).

2. The BlackShield Self Service site must be publicly accessible to SSL VPN clients over HTTPS, since the grid is fetched by the user’s browser from within the HTTPS login page, not by the Juniper device.

3. The Juniper device must already be configured to perform RADIUS authentication against the BlackShield server.

Adding the BlackShield Self Service URL to the gridsure.js file

1. Open gridsure.js with a text editor.

2. Change the value of gridMakerURL to reflect the location of your BlackShield Self Service website, then save the file.

Example:

// Base URL of the Self Service site; the login page appends the entered user name to it.
var gridMakerURL = "https://www.mycompany.com/blackshieldss/index.aspx?getChallengeImage=true&userName=";

Adding the CRYPTOCard GrIDsure enabled Sign-in page

1. Login as an administrator to the Juniper device.

2. Select Authentication, Signing In, Sign-In Pages.

3. Select the “Upload Custom Pages” button.

4. In the “Sample Templates Files” section select “Sample”. Download sample.zip to a temporary folder.

5. Rename the sample.zip file to cryptocard.zip.

6. Add the gridsure.js and LoginPage.thtml files to cryptocard.zip (if prompted, overwrite the existing LoginPage.thtml file).

7. In “Upload Custom Sign-In Pages”, enter “CRYPTOCard GrID Enabled” into the Name field and in “Page Type” select “Access”. In “Templates File” browse to the cryptocard.zip file, then select the “Upload Custom Pages” button.

Assigning the CRYPTOCard GrIDsure enabled Sign-in page to a Sign-in Policy

1. Login as an administrator to the Juniper device.

2. Select Authentication, Signing In, Sign-In Policies.

3. Select the CRYPTOCard authentication enabled “User URL”.

4. In the Sign-in page section, select “CRYPTOCard GrID Enabled”, then save the settings.

Login as a CRYPTOCard GrIDsure enabled user

1. Open a web browser and browse to the CRYPTOCard enabled Juniper SSL VPN sign-in page.

2. Enter the username, then select the “Get Grid” button; a grid will appear on the screen.

3. Enter the PIP into the password field, then select Sign-in.

Optional - Enable Challenge-response requests

1. Login as an administrator to the Juniper device.

2. Select Authentication, Auth. Servers.

3. Select the CRYPTOCard RADIUS enabled authentication server.

4. In “Custom Radius Rules” select “New Radius Rule...”.

5. In “Display Name” enter “Display challenges”, and set “Response Packet Type” to “Access Challenge”. In “Attribute criteria” set “Radius Attribute” to “Reply-Message (18)” with a “Value” of “*”. In “Then take action...” select “show Generic Login page”.

6. Save the changes.

Further Information For further information, please visit http://www.cryptocard.com

