Duo Two-Factor Authentication for Juniper Networks & Pulse Secure SSL VPN - FAQ

When did direct LDAP support for Juniper SSL VPN or Pulse Secure SSL VPN reach end of life?

Direct LDAP connectivity for Juniper and Pulse Secure SSL VPN reached end of life on February 20. 2025. Please see the article Guide to end of life for the Duo LDAP cloud service (LDAPS) used to provide 2FA for Cisco ASA, Juniper Networks Secure Access, and Pulse Secure Connect Secure SSL VPN for further details.

Do you support Ivanti-branded Connect Secure VPN?

Yes, please see our Duo Single Sign-On for Ivanti Connect Secure for a SAML solution or Duo Two-Factor Authentication with RADIUS for Ivanti Secure Access SSL VPN for a RADIUS solution.

Can I use Universal Prompt with Juniper SSL VPN, Pulse Connect Secure VPN, or Ivanti Connect Secure?

Yes, via SAML 2.0 federation with Duo Single Sign-On. Please see the SAML configuration instructions for Ivanti Connect Secure. These same instructions may work with Juniper and Pulse firmware but we only test against Ivanti-branded firmware.

Do you support the Pulse Client?

Yes, our RADIUS and SAML configurations work with the Pulse client.

I'm seeing "You are not allowed to sign in. Please contact your administrator." during secondary authentication.

If you created a new Authentication Realm within your Juniper instead of using the default, make sure that you have assigned an appropriate "Role" to the new Realm for any users who will be using this Realm.

I received a message saying "Invalid Base DN or Filter" when I am adding the Duo LDAP Authentication Server.

This message can be ignored. You can safely click the Save anyway button and proceed with the application install instructions.

Why does a browser window open during Pulse client login to Connect Secure 8.2R2 and later?

Ensure that you did not check the "Use Custom Page for Pulse Desktop Client Logon" when uploading the Duo custom sign-in page. Navigate to Authentication → Signing In → Sign-In Page and click the Duo sign-in page you uploaded earlier. If that option is selected, deselect it and save.

Why can my users no longer access file shares using SSO after enabling Duo?

You may need to adjust the SSO Resource Policy credentials settings. Log in to the Secure Access administration page, and navigate to Resource Policies > Files > Windows SSO.

Edit your existing Windows Credentials Policy (or create a new one). Modify the SSO Windows Credentials Policies Action settings as follows:

• Click the radio button next to Use Specified Credentials....
• Enter Domain<USERNAME> in the "Username" field.
• Enter <PASSWORD> in the "Variable Password" field.

Save your changes to the policy.

Additional Troubleshooting

Need more help? Try searching our Juniper Knowledge Base articles or Community discussions. For further assistance, contact Support.