Strong authentication for Juniper Networks Secure Access (SSL-VPN) Solutions with One Time Password Server

The complete installation guide for securing the authentication to your Juniper SSL VPN solution with
Nordic Edge One Time Password Server, delivering two-factor authentication via SMS to your mobile
phone.
Content
1 Summary
2 Prerequisites
3 Important information regarding communication
4 Getting started
4.1 Download the software
4.2 Register and download the software
5 Installation
5.1 Start the installation
5.2 Installing license
6 Configuring the One Time Password Server
6.1 Start the OTP Configurator
6.2 Server page
6.3 Plugin manager page
6.3.1 Nordic Edge SMS Plugin
6.4 Nordic Edge SMS Page
6.5 Radius & Client page
6.5.1 Enable Radius
6.6 Add client
6.7 Configure LDAP
6.7.1 Test LDAP Connection
6.7.2 Selecting Search Base DN
6.7.3 Select Search filter
6.7.4 Test LDAP Authentication
7 Start the One Time Password Server
8 Add mobile phone number with Microsoft Management Console
9 Configure Juniper Networks Secure Access SSL-VPN
9.1 Custom Radius Authentication Rules
9.2 Sign in page
9.3 User Realm
9.4 Sign In Policy
10 Start testing
11 Purchase
12 Technical questions
This is the complete installation guide for securing the authentication to your Juniper SSL VPN box with Nordic Edge
One Time Password Server, delivering two-factor authentication via SMS to your mobile phone. You will be able to
test the product with your existing Juniper SSL VPN box and LDAP user database, without making any changes that
affect existing users. Following the guide, the complete installation takes at most an hour.
Nordic Edge provides several methods for delivering one-time passwords, such as e-mail, tokens, mobile clients and
prefetch; in this test we only use SMS.
This is a step-by-step guide that covers the entire installation from A to Z. It is based on the scenario that you run
your Juniper box against Active Directory and install the One Time Password Server on a Windows Server.
The One Time Password Server is platform independent and works with other LDAP user databases as well, such as
eDirectory, Sun ONE and OpenLDAP. If you are not running Active Directory or Windows and have questions about
the slight differences in the installation process, you are welcome to contact us at support@nordicedge.se and we
will take you through the entire process.
You will need a server, for example a VMware virtual machine with Windows Server 2003 installed and its network
adapter in bridged mode. The server needs a configured IP address and must be able to reach your DNS servers,
your Juniper box and the Active Directory. Since the software is small and easy to remove, you can also use any
existing server in your network.
The One Time Password Server is software that you can place on any server in your internal network or DMZ. The
connections it needs (all initiated from the side named first) are:
- From the One Time Password Server to your LDAP or JDBC user database. The default ports are TCP 389 for LDAP
and TCP 636 for LDAP over SSL.
- From the Integration Module to the One Time Password Server on TCP port 3100, or, when RADIUS is used, from the
RADIUS client to the One Time Password Server on UDP port 1812 (1645 is the older, pre-RFC 2865 RADIUS port).
- If you want to use the Nordic Edge SMS Gateway, from the One Time Password Server to otp.nordicedge.net and
otp.nordicedge.se over HTTPS on TCP port 443.
In this test scenario the Juniper box talks RADIUS to the One Time Password Server on UDP port 1812 or 1645, and
the server delivers the codes through the Nordic Edge SMS Gateway.

Go to www.nordicedge.se and click on Download

You will receive a link for downloading the software. A 30-day evaluation license is sent via e-mail when you download
the software.
Download the version with Java included.


Start the installation on the server where you want to install the One Time Password Server

Choose the license.dat that you received via e-mail. This is important: if you want to request a demo SMS account at
Nordic Edge later in the installation, the license must already be installed at this point.

Note: while you are in the test phase, we recommend that you do not install the OTP Server as a Windows service.

Start the OTP Configurator via Programs / NordicEdge / OTP Configurator.

On the Server page you set the length of the one-time password and how long it remains valid; the default is 5
minutes. A shorter validity narrows the window in which a code that was intercepted or guessed can still be used.
You can also set a default country prefix, so that the prefix does not have to be stored in the mobile attribute.
The One Time Password Server listens on TCP port 3100.
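The three settings on the Server page correspond to a small amount of server-side logic: normalising the mobile attribute with the default country prefix, generating a random code of the configured length, and refusing the code once it has expired or been used. The Python below is an added example of that logic, not code from the One Time Password Server; the six-digit length, the Swedish default prefix +46 and the limit of three wrong guesses per code are assumptions chosen for the example.

```python
import hmac
import re
import secrets
import time

# Values corresponding to the Server page; all three are assumptions for this example.
OTP_LENGTH = 6                  # digits in each one-time password
OTP_VALIDITY_SECONDS = 5 * 60   # the page's default lifetime of 5 minutes
DEFAULT_COUNTRY_PREFIX = "+46"  # lets the 'mobile' attribute hold a national number


def normalize_mobile(raw, default_prefix=DEFAULT_COUNTRY_PREFIX):
    """Turn a 'mobile' attribute value into one international form for the SMS gateway.
    Assumes national numbers start with a trunk '0' that is dropped, as in Sweden."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("+"):
        return digits
    return default_prefix + digits.lstrip("0")


class OtpStore:
    """Issue and verify SMS codes: random, time-limited, single-use, attempt-limited.
    clock is injectable so expiry can be tested without waiting five minutes."""

    def __init__(self, length=OTP_LENGTH, validity=OTP_VALIDITY_SECONDS,
                 max_attempts=3, clock=time.time):
        self._length, self._validity = length, validity
        self._max_attempts, self._clock = max_attempts, clock
        self._pending = {}   # user -> [otp, expires_at, failed_attempts]

    def issue(self, user):
        # Cryptographically random digits; issuing again replaces the old code,
        # so only the most recently sent SMS is ever valid.
        otp = "".join(secrets.choice("0123456789") for _ in range(self._length))
        self._pending[user] = [otp, self._clock() + self._validity, 0]
        return otp

    def verify(self, user, candidate):
        entry = self._pending.get(user)
        if entry is None:
            return False
        otp, expires_at, failed = entry
        if self._clock() > expires_at:
            del self._pending[user]                 # expired: force a fresh SMS
            return False
        if hmac.compare_digest(otp.encode(), candidate.strip().encode()):
            del self._pending[user]                 # single use
            return True
        entry[2] = failed + 1
        if entry[2] >= self._max_attempts:
            del self._pending[user]                 # too many guesses: code is void
        return False
```

The attempt limit matters because a six-digit code valid for five minutes would otherwise give an attacker who holds the first factor a million-to-one lottery per RADIUS request, repeated as fast as the VPN accepts logins.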

On the Plugin manager page you configure the delivery methods and the order in which they are tried. In this case we
use the Nordic Edge SMS gateway to deliver the one-time password by SMS to your mobile phone.

Move the plugin Nordic Edge SMS to the top of the list.

Look at the Nordic Edge SMS page. If you installed license.dat during the installation and ticked "Request a demo
SMS account at Nordic Edge", an account should now be preconfigured for you.

To configure the One Time Password Server to act as a RADIUS server, go to the Radius & Client page.

Enable Radius and choose which of the RADIUS ports, 1645 or 1812, you want to use. Make sure that the client
(the Juniper SSL VPN) uses the same port.

Click Add Client and enter a client display name and the IP address of the Juniper SSL VPN. Do not use the hostname
here: RADIUS clients are identified by the source IP address of their packets.
Make sure that "Is RADIUS" is checked and enter the shared secret. Use a long, random value and enter exactly the
same one on the Juniper side; the secret is what hides the password in transit and lets each side verify the other's
packets.

Under User Database(s), click New.

Enter a database display name and the host address of your LDAP user database. In this case we use Microsoft
Active Directory over SSL, and the users' mobile attribute as the destination for one-time passwords.
Click on Test LDAP Connection and make sure that you get an LDAP Connection Success.

Click the button next to Search Base DN and select a Base DN under which your users are located.

Click Samples and select the filter that matches your LDAP user database, in this case Active Directory.

Click on Test LDAP Authentication and make sure you can authenticate.
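What "Test LDAP Authentication" exercises is a search-then-bind: the server searches under the Base DN with the filter, expects exactly one entry, and then binds as that entry's DN with the password the user typed. The Python below is an added example of that sequence against a constructed in-memory directory, not code from the One Time Password Server or a real LDAP client. The Base DN, the AD-style filter template and the sample entries are assumptions; the real filter is the one you picked from Samples. It also shows why the username must be escaped (RFC 4515) before it goes into the filter.

```python
import hmac
import re

# Assumed AD-style settings; the Configurator's Samples button supplies the real filter.
SEARCH_BASE_DN = "OU=Users,DC=example,DC=local"
USER_FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={user}))"

# Constructed stand-in for the directory: DN -> attributes ('password' is the bind password).
SAMPLE_DIRECTORY = {
    "CN=Alice,OU=Users,DC=example,DC=local": {
        "objectClass": "user", "sAMAccountName": "alice",
        "mobile": "070-123 45 67", "password": "Secret1!"},
    "CN=svc-otp,OU=Service,DC=example,DC=local": {
        "objectClass": "user", "sAMAccountName": "svc-otp",
        "mobile": "", "password": "ServicePw"},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: a typed username can never change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user, template=USER_FILTER_TEMPLATE):
    return template.format(user=escape_filter_value(user))


def _matches(flt, entry):
    """Evaluate an AND-of-equalities filter against one entry, case-insensitively like AD.
    Only the shape the template above produces is supported."""
    m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", flt)
    if not m:
        raise ValueError("unsupported or malformed filter: " + flt)
    for attr, val in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)):
        val = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), val)
        if entry.get(attr, "").lower() != val.lower():
            return False
    return True


def authenticate(directory, user, password, base_dn=SEARCH_BASE_DN):
    """Search-then-bind: exactly one hit under the Base DN, then bind as that DN with the
    user's password. Returns (dn, mobile) on success, None on any failure."""
    flt = build_user_filter(user)
    hits = [dn for dn, entry in directory.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(flt, entry)]
    if len(hits) != 1:
        return None          # unknown user, or an ambiguous match: refuse either way
    dn = hits[0]
    if not hmac.compare_digest(directory[dn]["password"].encode(), password.encode()):
        return None          # simulated bind failure
    return dn, directory[dn]["mobile"]
```

Refusing more than one hit is deliberate: a filter that matches two entries would otherwise let the server bind as whichever came back first, which is not the account the user claimed.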

Exit the Configurator by clicking OK twice, and make sure to click Save.

End of Step "Configuring the One Time Password Server"
Start the One Time Password Server via Programs / NordicEdge / OTPServer and click OTP Server.

Add a mobile phone number to your test user's mobile attribute.
Start MMC, select the user you want to test with and enter the mobile phone number in the Mobile attribute.

Start the Juniper Networks Secure Access SSL-VPN Central Manager.
Go to Authentication - Auth. Servers
--> New RADIUS Auth Server
Configure as below.

Note that under the custom RADIUS authentication rules you must add a rule for "Access Challenge": when the
"Reply-Message" "matches the expression" "(.*)", "show GENERIC LOGIN page". That page is what presents the OTP
field to the user after the first password has been accepted.


Create a Sign-in page.
Create a User Realm that uses the Authentication Server created in step 1 for authentication.

Create a Sign-in Policy that uses the Sign-in Page from step 2 and the User Realm from step 3.
Note that you can always adapt both the graphics and the text of the login pages to suit your company.
Go to your Juniper URL and append the realm you created; in this example juniper.nordicedge.se/test.
Enter the user ID and password of the user whose mobile number you added.

You will receive a one-time password on your mobile phone within a couple of seconds.

Enter the one-time password and click "Sign In".
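Seen on the wire, the sign-in above is two RADIUS round trips between the Juniper box (the RADIUS client) and the OTP server: an Access-Request carrying the LDAP password, an Access-Challenge carrying the Reply-Message that the custom rule matches plus a State attribute, and a second Access-Request carrying the SMS code with State echoed, answered by Access-Accept or Access-Reject. The Python below is an added example that simulates both sides in one process using the RFC 2865 packet format; it is not code from the One Time Password Server or from Juniper, and it leaves out the optional Message-Authenticator attribute. The shared secret, the client IP 192.0.2.10 and the user/password pair are assumptions; the "LDAP" is a dictionary and the "SMS" is a list the test reads back.

```python
import hashlib
import hmac
import os
import secrets
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
# Assumed values; the real ones are the client entry on the Radius & Client page.
SHARED_SECRET = b"example-shared-secret"
VPN_IP = "192.0.2.10"

def encode(code, ident, authenticator, attrs):
    """Serialise code, id, length, 16-byte authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(raw):
    """Parse a packet; the length checks make a malformed datagram fail cleanly."""
    if len(raw) < 20 or struct.unpack("!H", raw[2:4])[0] != len(raw):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(raw):
        alen = raw[pos + 1] if pos + 1 < len(raw) else 0
        if alen < 2 or pos + alen > len(raw): raise ValueError("bad attribute length")
        attrs.append((raw[pos], raw[pos + 2:pos + alen]))
        pos += alen
    return raw[0], raw[1], raw[4:20], attrs

def hide_password(password, request_auth, secret):
    """User-Password hiding (RFC 2865 5.2): pad to 16 bytes, XOR with a chained MD5 keystream."""
    p = password.encode() + b"\0" * (-len(password.encode()) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, request_auth, secret):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode("utf-8", "replace")

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret); wrong for a forged reply."""
    return hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()

class OtpRadiusServer:
    """Simulated RADIUS side of the OTP server; users stands in for the LDAP bind."""
    def __init__(self, clients, users):
        self.clients, self.users = clients, users   # ip -> secret, user -> password
        self.pending, self.sent_sms = {}, []        # State -> (user, otp); captured "SMS"
    def reply(self, code, ident, req_auth, attrs, secret):
        return encode(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)
    def handle(self, client_ip, raw):
        secret = self.clients.get(client_ip)
        if secret is None:
            return None                             # unconfigured client: drop silently
        code, ident, req_auth, attrs = decode(raw)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return None
        user = a[USER_NAME].decode("utf-8", "replace")
        password = reveal_password(a[USER_PASSWORD], req_auth, secret)
        if STATE not in a:
            # Leg 1: LDAP password; on success "send" the SMS and answer Access-Challenge.
            if self.users.get(user) != password:
                return self.reply(ACCESS_REJECT, ident, req_auth, [], secret)
            otp, state = f"{secrets.randbelow(10 ** 6):06d}", os.urandom(16)
            self.pending[state] = (user, otp)
            self.sent_sms.append((user, otp))
            return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"Enter the one-time password sent by SMS"),
                               (STATE, state)], secret)
        # Leg 2: State echoed, typed OTP in User-Password; pop() makes each challenge single-use.
        expected = self.pending.pop(a[STATE], None)
        ok = expected is not None and expected[0] == user and hmac.compare_digest(expected[1].encode(), password.encode())
        return self.reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)

def vpn_exchange(server, ident, user, password, secret, state=None):
    """One round trip as the SSL VPN does it; the reply is checked before its code is trusted."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password, req_auth, secret))]
    if state is not None:
        attrs.append((STATE, state))
    code, rid, auth, rattrs = decode(server.handle(VPN_IP, encode(ACCESS_REQUEST, ident, req_auth, attrs)))
    if not hmac.compare_digest(auth, response_authenticator(code, rid, req_auth, rattrs, secret)):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code, dict(rattrs)

def login(server, user, ldap_password, read_sms, secret=SHARED_SECRET):
    """Leg 1 with the LDAP password, leg 2 with the SMS code and the echoed State."""
    code, a = vpn_exchange(server, 1, user, ldap_password, secret)
    if code != ACCESS_CHALLENGE:
        return code
    return vpn_exchange(server, 2, user, read_sms(user), secret, a[STATE])[0]
```

Two things the simulation makes visible that the GUI hides: the shared secret is the only thing protecting the LDAP password on the wire (MD5-based hiding, so keep the RADIUS path inside the trusted network and choose a long random secret), and the State attribute is what ties the second request to the first, so the server must treat it as single-use or a captured leg 2 could be replayed.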

If you want to purchase the product, you are welcome to contact us at sales@nordicedge.se and we will send you an
offer. Please note that the price depends on the number of users.
If you have any technical questions, please contact us at support@nordicedge.se
Thank you for showing interest in our product
The Nordic Edge One Time Password Server Team