Juniper Two Stage Challenge and Response

From Swivel Knowledgebase
Jump to: navigation, search

Juniper Two Stage and Challenge and Response Authentication


Juniper supports the use of a challenge and response whereby a password is used prior to entering a One Time Code. In addition the Challenge and Response mechanism allows an SMS to be sent upon successful entry of a password.


PINsafe 3.7

Juniper 6.x

Dual Channel authentication

Two stage authentication requires the use of either a PINsafe password, or that Check password with repository is enabled.


PINsafe 3.7

Juniper 6.4


Juniper using RADIUS authentication to the PINsafe server, with security strings sent to the user using an SMS gateway.


Configure the PINsafe server and Juniper appliance for Dual Channel Authentication. Ensure either the user has a PINsafe password, or that Check password with repository is enabled.

Adding Two Stage Authentication

See also: Two Stage Authentication How to Guide

On the PINsafe Administration Console server select RADIUS/NAS and the Access device which two stage authentication is required. Set the Two stage Auth to Yes and Apply.


On the Juniper Administration Console, browse to the Authentication/Auth Servers menu, and select the PINsafe RADIUS authentication server. Under Custom RADIUS Rules click on the New RADIUS Rule button.

Juniper New RADIUS rule.JPG

Enter a name for the Rule and ensure Response Packet Type is set to Access Challenge.

Under Attribute Criteria ensure RADIUS Attribute is set to Reply Message (18), with the Operand matches the expression, leave the value setting blank.

Ensure that the radio button for ‘Show Generic Login Page’ is selected.

Click on Save Changes.

Juniper Edt Custom RADIUS rule.JPG

Adding Challenge and response Authentication

See also: Challenge and Response How to Guide

For PINsafe 3.7 and later, on the PINsafe Administration Console server select RADIUS/NAS and ensure the Two Stage Auth is set to Yes, then click on Apply.


For PINsafe 3.6 and earlier, on the PINsafe Administration Console server select RADIUS/Server and ensure the Use Challenge/Response is set to Yes, then click on Apply.

RADIUS Server Challenge Response.JPG

On the PINsafe Administration Console server select Server/Dual Channel. For delivery of a new security string upon entering a correct password, ensure On-Demand Authentication is set to Yes, then click on Apply.

PINsafe dual channel multiple authentication strings.JPG

Combining Juniper and PINsafe Two Stage Authentication

Using the Juniper AD authentication is useful for single Sign On (SSO) features, so it may be of use to combine the Juniper Two Stage login with that of the PINsafe Two Stage authentication in order to send the user a security string or OTC when the AD password is entered. To configure this:

Enable Two Stage Authentication on the Juniper

Enable two Stage Authentication on the PINsafe Administration Console

Enable Check Password with Repository on the PINsafe Administration Console, See Check Password With Repository

On the Juniper select the User Realm relating to the required Authentication Realm and change the set Password is: to the value Predefined as <PASSWORD>

When an authentication is made, the AD password is used for the Juniper and the PINsafe Two Stage Authentication so it does not need to be entered twice.

Verifying the Installation

Check the PINsafe logs

Check the Juniper logs


View the users security string to ensure the correct security string is being used.

Ensure authentication is working with standard authentication.

Known Issues and Limitations

PINsafe 3.7 Beta required the use of Multiple Authentications per string to be enabled for dual/single channel located on the PINsafe Administration console under Server/Single Channel or Server/Dual Channel.

Additional Information

Juniper can also be configured for Constrained Delegation where a PINsafe One Time Code is entered and this signs the user into their AD applications without the use of an AD password in the login process. See the following documentation:

For assistance in the PINsafe installation and configuration please firstly contact your reseller and then email Swivel Secure support at