New Video Demonstrates How You Can Add The World’s Strongest Two-Factor Authentication to Your Juniper VPN in Just 5 Minutes.
How easy is it to add the world’s strongest two-factor authentication service to a Juniper SSL VPN? Our latest demo video walks you through it in real time...in just five minutes. The video demonstrates how to use Duo’s drop-in integration package with a Juniper SA Virtual Appliance.
Here's a Minute by Minute Rundown of How It Works:
Minute One
The first step is to log into your web-based Duo Admin Interface. Once you’re there, click on the “Integrations” tab in the left column. Click on the “New Integration” button and set the “Integration Type” to “Juniper SSL VPN”. Name the new integration (we named ours “Duo Demo” for the video tutorial). Then click the “Add Integration” button to save it.
You’ve already created the VPN integration in Duo. Now you need to configure it. You will be directed to a page where you can “download the appropriate Duo Juniper package” by clicking the link at the top of the page. For this demo our Juniper SSL VPN is running on 7.4, so we will download the “Duo Juniper for 7.x firmware”. Click on the “Juniper Integration Instructions”, which gives great step-by-step directions on how to set up Duo on your Juniper VPN.
Minute Two
When you view the documentation you downloaded, you will see that Duo conveniently provides the “LDAP Server Name”, “Admin DN” and “Base DN” that will be used for the integration.
Now it’s time to log into your VPN and configure the connection you want to protect with Duo Security. Highlight the “Signing In” tab, then click Sign-In Pages. Select “Upload Custom Pages”. Name your custom page. Select “Choose File” and pick the custom package downloaded from the Duo Security integration. Check the box that says “Skip Validation Checks During Upload”, then click “Upload Custom Package”.
After uploading the Custom Sign-In Pages you need to create a new “authentication server”. Click on the Auth. Servers tab in Juniper and select “LDAP Server” from the drop-down list, then click “New Server”. Name the new LDAP Server.
Minute Three
Open the documentation you accessed from the Duo Admin Interface earlier, copy the LDAP Server name, and paste it into the Juniper “LDAP Server” field. For connection type, select “Start TLS”. Scroll down to “Authentication required?” and check the box for “Authentication required to search LDAP”. Go back to the documentation and copy the “Admin DN” and “Base DN” values into their respective fields. Return to the Duo Security integration page and copy the secret key into the “password” field under “Admin DN”. For the Filter enter “CN=
Minute Four
Now that you’ve created the new “Authentication Server”, click on the “User Realms” tab and select the desired authentication realm you’re protecting with Duo Security. Check the box “Additional authentication server”, and from the Authentication #2 drop-down box select the Authentication Server that you created. I’ll select the authentication server we created, “Duo Demo”. Now select “predefined as:
Minute Five
Finally, you need to configure your Sign-In Policy to complete your integration. Highlight the “Signing In” tab and select “Sign-In Policies”. Click on your SSL VPN URL. From the “Sign-In page:” drop-down menu, select the Duo Security page we uploaded previously. Now scroll to the bottom of the page and click “Save Changes”.
That’s It!
Now you can test the login experience for your Juniper SSL VPN with Duo Security Two Factor Authentication. Start by going to the URL for the realm protected by Duo Security and enter the Username and Password. Once confirmed, Duo will prompt the user to choose their second factor. A user simply chooses Duo Push or Phone Call, or enters a Passcode in the passcode field. When you select Duo Push, you’ll be selecting the most secure authentication method available today.
The user will receive a prompt on their phone to authenticate, with contextual information for the request. This will include the username, system being accessed, IP address with rough geolocation, and the time of the request. Click the green button for accept, and you’re logged in!