Duo integrates with your Juniper Networks Secure Access or Pulse Secure Connect Secure SSL VPN to add two-factor authentication to any VPN login, complete with inline self-service enrollment and Duo Prompt.
Yes, please see our Duo Single Sign-On for Ivanti Connect Secure for a SAML solution or Duo Two-Factor Authentication with RADIUS for Ivanti Secure Access SSL VPN for a RADIUS solution.
The Junos Pulse technologies transitioned from Juniper Networks to a new, independent business: Pulse Connect. As of October 2014 there are no fundamental changes to the Pulse software or SSL VPN gateways. The Pulse Connect SSL VPN from Pulse Secure continues to work with Duo, and the configuration process remains essentially the same.
Yes, our Secure Access SSL VPN configuration works with the Pulse client. Users type in the name of a Duo factor or a passcode when prompted by the client application.
The end user experience is documented in our Pulse End User Guide.
Yes, our Secure Access SSL VPN configuration works with Juniper Network Connect.
Yes, our Secure Access SSL VPN configuration can also be used to protect the Juniper MAG series.
The standard SA/IVE configuration is the recommended integration method for Juniper SA/IVE VPNs. However, the alternate configuration method provides "failmode" control (what to do if network connectivity with Duo is lost) and the ability to integrate Duo into a single Juniper sign-in url with multiple authentication realms.
Try the alternate configuration, which doesn't require uploading custom login pages.
You may receive the messages "WARNING: Page Logout is out of date. It is recommended you re-customize this page from the latest sample zip file" and "WARNING: Page PleaseWait is out of date. It is recommended you re-customize this page from the latest sample zip file" when you upload the Duo custom sign-in pages template zip file to your Juniper/Pulse SSL VPN device running release 8.2 or later.
These warnings may be ignored and do not affect Duo authentication.
If you created a new Authentication Realm within your Juniper instead of using the default, make sure that you have assigned an appropriate "Role" to the new Realm for any users who will be using this Realm.
This message can be ignored. You can safely click the Save anyway button and proceed with the application install instructions.
Ensure that you did not check the "Use Custom Page for Pulse Desktop Client Logon" when uploading the Duo custom sign-in page. Navigate to Authentication → Signing In → Sign-In Page and click the Duo sign-in page you uploaded earlier. If that option is selected, deselect it and save.
You may need to adjust the SSO Resource Policy credentials settings. Log in to the Secure Access administration page, and navigate to Resource Policies > Files > Windows SSO.
Edit your existing Windows Credentials Policy (or create a new one). Modify the SSO Windows Credentials Policies Action settings as follows:
Save your changes to the policy.
You may customize the page title and portal name text on the sign-in page created when you upload the Duo package to your SSL VPN device.
After downloading the Duo Juniper package from the Admin Portal, unzip the file and locate the LoginPage.thtml file.
Open LoginPage.thtml in a text editor and make your desired customizations:
To change the page title from the default value "Secure Access SSL VPN ", locate the string
<title><% title FILTER verbatim %></title> and replace
<% title FILTER verbatim %> with your new title.
<title>Acme SSL VPN</title>
To change the portal name from the default value "Secure Access SSL VPN ", locate the string
<td nowrap colspan="3"><span class="cssLarge"><b><% portal FILTER verbatim %></b></span></td></tr> and replace
<% portal FILTER verbatim %> with your new title.
<td nowrap colspan="3"><span class="cssLarge"><b>Acme SSL VPN</b></span></td></tr>
Compress the entire extracted Duo package contents (including your modified LoginPage.thtml file) into a new zip file. Be sure that when you create the new zip file you only include the previously extracted files and directories, and not the top-level directory that your extraction tool may have created; for example, if Windows extracted the contents to a new folder
%TEMP%\Duo-Juniper-8.x-v5-1234-5678-90, do not include the
Duo-Juniper-8.x-v5-1234-5678-90 folder itself in the zip file.
Upload the new sign-in page zip file to your SSL VPN device as shown in Duo's Juniper or Pulse Secure instructions.
SSL VPN sign-on page with default text:
SSL VPN sign-on page with custom text:
You may also edit the other text on the page. Please see the Juniper KB article [SSL VPN] How to customize text on sign-in page for more information.
Feel free to customize the other areas of the sign-in page template as long as you avoid editing code between the
START DUO SNIPPET and
END DUO SNIPPET tags.
For more information about editing page templates, see the Custom Page Modification Guide (PDF).
Need more help? Try searching our Juniper Knowledge Base articles or Community discussions. For further assistance, contact Support.