Juniper SA 7.x Integration

From Swivel Knowledgebase Wiki





Overview

PINsafe can be integrated with the SA series of SSL VPN products, with the SA 2000 and higher products also allowing additional login page functionality. Creating additional login pages allows different authentication methods and test pages to be created with different functionality.

The SA 700 can be configured in a similar manner using RADIUS authentication except for the TURing image and other login page modifications.

For the 6.x integration guide see Juniper SA 6.x Integration.

It is also possible to configure Two Stage authentication whereby the user enters a username and AD Password and if correct the user can be sent a security string or OTC for Authentication. This can be combined with the Juniper Two Stage authentication to allow the AD Single Sign On (SSO) features. See Juniper Two Stage Challenge and Response How To.


Prerequisites

Juniper 7.x

PINsafe 3.x

Modified login pages can be downloaded from here: PINsafe modified pages. These also require the sample pages from the Juniper appliance.

It is possible to access the Juniper SSL VPN from mobile devices such as iPhone, Blackberry, Windows Mobile and Android devices.

To support this, additional pages need to be modified to support PINsafe.

Mobile login pages can be downloaded from here: PINsafe Mobile login pages, and should be included if the Single channel images are required on mobile devices.

File:JuniperBlackberry.jpg

Where the Virtual DNS is to be used, a DNS entry that resolves to the same IP address as the external VPN is required. For example turing.swivelsecure.com would need to point to the same IP address as vpn.swivelsecure.com. A valid certificate is required on the PINsafe server.

Baseline

Juniper 7.2

PINsafe 3.7


Architecture

A user receives their security string by their transport and enters the authentication information into the login page. The Juniper makes a RADIUS request against the PINsafe server to verify the OTC. Usually the Juniper page also verifies the AD password is correct by verifying it against the AD server, in addition to the OTC.
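The RADIUS exchange described above, as an added example that is not part of the Swivel wiki, PINsafe or Juniper code. It builds the Access-Request a NAS such as the Juniper sends to verify the OTC, and shows how both ends depend on the shared secret configured in the NAS entry: the User-Password attribute is hidden with MD5(secret || Request Authenticator) per RFC 2865, and the Access-Accept or Access-Reject carries a Response Authenticator that the NAS must check before trusting the answer. Function names, the user name "test", the secret and the OTC values are this example's own.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added example, not from the Swivel wiki, PINsafe or Juniper. It models the
NAS (Juniper) and server (PINsafe) halves of the OTC check.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Pad to a multiple of 16 and XOR each block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the server recovers the OTC (zero padding stripped)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attributes(body: bytes) -> dict:
    """Walk the type/length/value attribute list, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        kind, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, username: str, otc: str, secret: bytes,
                         req_auth: bytes = None) -> bytes:
    """NAS side: the packet the Juniper sends to the PINsafe RADIUS server."""
    req_auth = req_auth or os.urandom(16)  # fresh, unpredictable per request
    body = _attr(USER_NAME, username.encode()) + \
        _attr(USER_PASSWORD, hide_password(otc.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def parse_access_request(packet: bytes, secret: bytes):
    """Server side: returns (ident, request authenticator, username, otc)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    otc = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    return ident, req_auth, attrs[USER_NAME].decode(), otc.decode()


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes,
                   body: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify must count as a reject."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed value, not a real secret
    req = build_access_request(7, "test", "1234", SECRET)
    ident, ra, user, otc = parse_access_request(req, SECRET)
    reply = build_response(ACCESS_ACCEPT if otc == "1234" else ACCESS_REJECT, ident, ra, SECRET)
    print(user, otc, reply[0], verify_response(reply, ra, SECRET))
```

The last assertion in the test flips a Reject into an Accept without knowing the secret: the authenticator check is what stops a NAS from accepting such a reply, which is why the shared secret must match exactly on the Juniper and in the PINsafe NAS entry and must not be guessable.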


Installation

Configure The PINsafe Server

Configure a RADIUS NAS entry

1. Ensure the RADIUS server is running on PINsafe

2. On the PINsafe Management Console select RADIUS NAS

3. Enter a name for the NAS

4. Enter the Juniper internal IP address

5. Enter the shared secret

6. Click on Apply to save changes


Image:PINsafe 36 generic RADIUS NAS.JPG


Configure Single Channel Access

1. On the PINsafe Management Console select Server/Single Channel

2. Ensure ‘Allow session request by username’ is set to YES


Image:PINsafe 37 Server Single Channel.JPG


Juniper Integration

RADIUS Authentication Server Configuration

On the Juniper Server select Authentication Servers then select RADIUS Server from the drop down menu, and click on New Server.


Image:RADIUS Authentication Server.jpg


The following information is required:

Name: A descriptive name for the RADIUS server

RADIUS Server: The PINsafe server IP/Hostname

Authentication Port: the port used to carry authentication information, by default 1812

Shared Secret: The shared secret that has been entered on the PINsafe server

Accounting Port: the port used to carry accounting information, by default 1813

NAS-IP Address: the Juniper interface used for communication, usually left empty

Users authenticate using tokens or one-time passwords: ensure this box is ticked


Backup server: enter the details of any additional PINsafe servers which can be used for authentication.


Image:RADIUS Authentication Server page.jpg


Authentication Realm Configuration

Authentication realms determine which method of authentication will be used. On the Juniper select User Realms, and either create a new Realm with the New button or modify an existing realm by clicking on it.


Image:User Realm.jpg


PINsafe as the Primary Authentication Server

PINsafe can be configured as the only authentication method, as the first authentication server, or, more usually, as the secondary authentication server. By changing the authentication device order on the Juniper, PINsafe can be configured as the first authentication server, but you may lose some SSO functionality for signing you into AD applications and services. The login page would also need to be modified to display the correct text.

To configure PINsafe as the primary server, select the PINsafe server as the first listed Authentication Server.


Image:Authentication realm.jpg


PINsafe as the Secondary Authentication Server

PINsafe can be configured as the only authentication method, or more usually configured as the secondary authentication server.

To configure PINsafe as a secondary authentication server, click on the box Additional authentication server.


Image:Authentication using two servers.jpg


Image:User Realm PINsafe Realm.jpg


Juniper Sign-In Policy

The policy associates a login URL with a login page and an authentication realm which will verify a user's credentials. PINsafe authentication can be applied to an existing authentication page or to a new, possibly customised, login page (see login page customisation).

To associate PINsafe authentication with a sign-in page, associate the realm with the required login page. On the Juniper select Signing-In/Sign-in Policies, then New URL.


Image:Juniper sign in policies.jpg


Enter a name for the URL, and select a signing-in page (see details below for custom pages). Ensure PINsafe is selected as an authentication realm.


Image:Juniper New sign in policy.jpg


When complete the new PINsafe policy should be listed.


Image:Juniper new sign in policy pinsafe.jpg


Additional Installation Options

PINsafe can provide additional authentication options including:

Challenge and Response

Single Channel Authentication Images

Dual Channel Image for Confirmed Messages

Security String Index Image for Multiple security strings


Where an image is used it is requested by the client from the PINsafe server; this can be done in a number of ways:

  • PINsafe on a public IP address
  • PINsafe behind a Network Address Translation/Port Address Translation
  • PINsafe behind a Proxy server
  • PINsafe behind a Juniper Virtual DNS Proxy


Creating a Virtual DNS Entry

If using the single channel authentication such as TURing, or SMS confirmed Images, or SMS on demand buttons, an external DNS entry is required that points to the same IP address as the Juniper SSL VPN.

Example:

  Juniper SSL VPN   vpn.mycompany.com        IP 1.1.1.1
  TURing image      turing.mycompany.com     IP 1.1.1.1

Swivel example:

  Juniper SSL VPN   vpn1.swivelsecure.com    IP 1.1.1.1
  TURing image      turing.swivelsecure.com  IP 1.1.1.1


Creating a role for Virtual hostname

Create a role for the Virtual hostname. The role does not need any web bookmarks under User Roles/<role name>/Web/Bookmarks, but under Options, advanced settings, set Allow browsing untrusted SSL sites and remove the option to Warn users about certificate problems.


Image:PINsafeJuniper7allowbrowsing.jpg


Creating an ACL for the Virtual hostname role

An ACL must be created on the Juniper SA to allow access to the PINsafe server. For further information see [1]

A new policy and role may be required for this. Select Resource Policies/Web Access Policies/<Policy Name>/General, under Resources enter the PINsafe internal address:

Example https://pinsafe.swivel.local:8443/proxy/*

For Roles select Policy Applies to selected roles, add the required role to the selected roles.

For Actions select Allow Access.


Image:PINsafeJuniper7ACL.jpg


Creating the Virtual Hostname

To create a Virtual DNS entry, on the Juniper SA select the Authentication/Signing In/Sign-In Policies and then select New Page. Select the Authorization Only Access radio button for User type. Complete the following information:

Virtual Hostname: enter the DNS name that will point to the PINsafe appliance for the TURing image.

Example: turing.swivelsecure.com/

Backend URL: enter the protocol, IP address and port of the PINsafe appliance

Example for an appliance: http://192.168.0.35:8443/*

Example for a software only install http://192.168.35:8080/*

Authorization Server: select No Authorization

Role Option: Select a Role

Save the Changes


Image:Virtual Hostname Config.jpg


Image:Virtual Hostname.jpg


Verifying the Virtual DNS Entry

PINsafe Appliance

From within the network, verify the PINsafe server is working by using the URL below to generate a TURing image:

http://<PINsafe appliance URL>:8443/proxy/SCImage?username=test

Then verify the external access using

https://<turing.mycompany.com>/proxy/SCImage?username=test


Software Install

From within the network, verify the PINsafe server is working by using the URL below to generate a TURing image:

http://<PINsafe appliance URL>:8080/pinsafe/SCImage?username=test

Then verify the external access using

https://<turing.mycompany.com>/pinsafe/SCImage?username=test


Login Page Modifications for Single Channel Authentication and SMS On Demand

The sample pages provided by Juniper for the version being integrated should always be used, as these are the supplied compatible pages and contain the latest updates and security features. To obtain these, log in to the Juniper and select Signing-In, Sign-in pages, then click on Upload Custom Pages.


Image:Juniper upload custom pages.jpg


Click on the Sample and download the latest sample pages. This is a zip file, and any additional files or changes will need to be added back to the zip file with the original contents, to be uploaded again.


Image:Juniper sample.jpg


Modifying the Login Page

Using the sample login pages we can add the PINsafe modified pages (see prerequisites), and change them to suit the integration requirements.

The configuration section within LoginPage.thtml should be edited to suit your environment:


OTC_OPTION: controls how the TURing image will be displayed to the user

  Option    Description                                                                     Single channel  Dual channel
  image     When the user tabs down from the username field, the TURing will show            Y               N
            automatically
  button    The login page will present a TURing button; click the button to display        Y               Y
            the TURing
  disable   No TURing image                                                                 Y               Y


OTC_RANDOM: displays a button on screen to refresh the TURing image

  Option    Description                                                                     Single channel  Dual channel
  true      Button will be displayed                                                        Y               Y
  false     No button                                                                       Y               Y


TURingImage: URL for generating a TURing image

  Option            Description                                                             Single channel  Dual channel
  URL (see below)   Change the TURingImage value to reflect the IP address of the           Y               Y
                    PINsafe appliance


The URL may be one of the following:


  • Using Virtual DNS

PINsafe appliance

var TURingImage = "https://virtual_hostname/proxy/SCImage?username=";

Software install

var TURingImage = "http://virtual_hostname/pinsafe/SCImage?username=";


  • For a NAT or Public IP address

PINsafe appliance

var TURingImage = "https://hostname:8443/proxy/SCImage?username=";

Software install

var TURingImage = "http://hostname:8080/pinsafe/SCImage?username=";
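An added example (not from the Swivel wiki, PINsafe or Juniper, and written in Python rather than the login page's JavaScript) that ties the URL forms listed above to the checks in "Verifying the Virtual DNS Entry" and "Creating a Virtual DNS Entry": it builds the TURingImage value for each deployment form (appliance /proxy/ on 8443, software install /pinsafe/ on 8080, no port when a Juniper Virtual DNS hostname fronts the request), confirms that the virtual hostname resolves to the same address as the VPN hostname, and confirms that the SCImage endpoint answers with an image for a test user. The function names are this example's own; `resolve` and `fetch` can be replaced with stand-ins so the checks run without network access.

```python
"""Build and check the TURingImage URL used by the Juniper login page.

Added example, not from the Swivel wiki or from Juniper/PINsafe.
"""
import socket
import urllib.request
from typing import Callable, Tuple


def turing_image_url(host: str, appliance: bool = True, virtual_dns: bool = True) -> str:
    """Value for the TURingImage variable in LoginPage.thtml, without the username."""
    scheme = "https" if appliance else "http"
    path = "proxy" if appliance else "pinsafe"
    if virtual_dns:
        # The Juniper answers for the virtual hostname and proxies to the backend
        # URL, so the PINsafe port never appears in the browser-facing URL.
        return f"{scheme}://{host}/{path}/SCImage?username="
    port = 8443 if appliance else 8080
    return f"{scheme}://{host}:{port}/{path}/SCImage?username="


def same_address(vpn_host: str, turing_host: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """The Virtual DNS name is only served if it lands on the Juniper's external IP."""
    return resolve(vpn_host) == resolve(turing_host)


def _http_fetch(url: str) -> Tuple[int, str]:
    # Live fetch; a certificate error raised here is the same error the
    # Troubleshooting section says to look for in a browser.
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.status, resp.headers.get("Content-Type", "")


def image_endpoint_ok(base_url: str, username: str = "test",
                      fetch: Callable[[str], Tuple[int, str]] = _http_fetch) -> bool:
    """True when SCImage returns HTTP 200 with an image/* body for the test user."""
    status, content_type = fetch(base_url + username)
    return status == 200 and content_type.startswith("image/")


if __name__ == "__main__":
    # Hostnames from the page's example; resolved and fetched live when run directly.
    url = turing_image_url("turing.mycompany.com")
    print(url)
    print("same IP:", same_address("vpn.mycompany.com", "turing.mycompany.com"))
    print("image ok:", image_endpoint_ok(url))
```

Run from inside the network with the backend host and `virtual_dns=False` first, then from outside with the virtual hostname; a pass on the first and a failure on the second isolates the problem to DNS, the ACL or the Virtual Hostname policy rather than PINsafe itself.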


Modifying the Login pages for Mobile Devices

Modify the file PageHeader-mobile-webkit.thtml: find the line below and change the link to point to the PINsafe appliance, as for the standard login page above.

var TURingImage = "https://pinsafe.company.com/proxy/SCImage?username=";


Uploading the Modified Page

Ensure all the modified files are included in the zip file to be uploaded. On the Juniper select Signing In/Sign-in Pages then click on Upload Custom Pages.


Image:Juniper upload custom pages.jpg


Enter a Name for the custom page, then use Browse to find the location of the Templates file. Then click on Upload Custom Pages and observe any errors that may occur.


Image:Juniper custom sign in page.jpg


The new signing in page should be listed.


Image:Signing in page.jpg


Juniper Network Connect

Users who wish to log in by starting the Network Connect client will be prompted for authentication, allowing the authentication methods defined above to be used.


Image:Juniper Network Connect login.jpg


Juniper Network Connect with TURing

Image:Juniper Network Connect login TURing.jpg


Verifying the Installation

Navigate to the login page and verify that the page is as expected. Test a login using an OTC and verify that the user can log in with a correct OTC and fails with an incorrect OTC.

Dual Channel Authentication

Image:Juniper login.jpg


Single Channel Authentication

Image:Juniper login TURing.jpg


Uninstalling the PINsafe Integration

To remove PINsafe, remove the customised page, the PINsafe realm and the PINsafe policy.


Troubleshooting

Check the PINsafe logs. If the Single Channel image is used then a 'session start' should be seen for the username. RADIUS authentication requests should be seen for successful or failed login attempts.

Check the Juniper logs, look for user authentication requests.

If the TURing image is not visible, right click on the red cross and view the details of the image URL.

Copy and paste this URL into a separate web browser, observe any certificate errors.
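An added example, not from the Swivel wiki or from PINsafe, that applies the log checks above to a set of lines for one username: it reports whether a 'session start' (the image request) and any RADIUS request were seen, and from their combination points at the stage that failed. The log line format in SAMPLE_LOG is constructed for illustration and will not match real PINsafe logs exactly, so the two regular expressions are the part to adapt.

```python
"""Correlate PINsafe log lines for one user, following the Troubleshooting section.

Added example, not from the page or from PINsafe; the log format is constructed.
"""
import re

# Constructed sample log: alice logs in with a TURing image, bob fails the OTC
# (dual channel, so no image session), carol fetches an image but no RADIUS
# request ever arrives, and dave never reaches PINsafe at all.
SAMPLE_LOG = """\
2013-01-15 09:12:01 INFO  Session start for user: alice
2013-01-15 09:12:20 INFO  RADIUS: Access-Request from 192.0.2.10 for user: alice
2013-01-15 09:12:20 INFO  RADIUS: Access-Accept for user: alice
2013-01-15 09:15:02 INFO  RADIUS: Access-Request from 192.0.2.10 for user: bob
2013-01-15 09:15:02 WARN  RADIUS: Access-Reject for user: bob
2013-01-15 09:17:40 INFO  Session start for user: carol
"""

SESSION_RE = re.compile(r"Session start for user: (\S+)")
RADIUS_RE = re.compile(r"RADIUS: (Access-Request|Access-Accept|Access-Reject).* for user: (\S+)")


def diagnose(log_text: str, username: str) -> dict:
    """Summarise what PINsafe saw for a user and name the likely failing stage."""
    session = False
    radius = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m and m.group(1) == username:
            session = True
        m = RADIUS_RE.search(line)
        if m and m.group(2) == username:
            radius.append(m.group(1))
    if "Access-Accept" in radius:
        status = "ok"
    elif "Access-Reject" in radius:
        status = "rejected"      # request arrived; the OTC itself was not accepted
    elif "Access-Request" in radius:
        status = "no_response"   # request arrived but no decision was logged
    elif session:
        status = "no_radius"     # image served, but the Juniper never sent RADIUS:
                                 # check the NAS entry, port and that RADIUS is running
    else:
        status = "no_session"    # PINsafe saw nothing: image URL, DNS or ACL problem
    return {"session_started": session, "radius_events": radius, "status": status}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, diagnose(SAMPLE_LOG, user))
```

A "no_session" result for a user who should have seen a TURing image is the case the paragraph above describes: the image URL in the browser never reached PINsafe, so the next step is the right-click on the red cross and the certificate check.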


Image:Juniper login with internal URL.JPG


Known Issues and Limitations

Additional Information
