See our alternate instructions if you'd like to control the "failmode" (how the system will act if network communication with Duo is interrupted) or integrate Duo into a single Connect Secure sign-in URL with multiple authentication realms.

Walkthrough Video

First Steps

Before starting to add two-factor authentication to your Pulse Connect Secure, make sure that Duo is compatible with your Pulse Secure Access SSL VPN. Log on to your Pulse administrator interface and verify that your firmware is version 8.3 or later.

You should also have a working primary authentication configuration for your SSL VPN users, e.g. LDAP authentication to Active Directory.

Then you'll need to:

1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate Juniper SSL VPN in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
4. Download the Duo Juniper 8.x package zip file for your device's firmware version from the Duo Admin Panel (even for Pulse 9.0 devices). This file is customized for your account and has your Duo account ID appended to the file name (after the version).

Modify the Sign-In Page

1. Log on to your Pulse Conect Secure SSL VPN administrator web interface.

2. Navigate to Authentication → Signing In → Sign-in Pages, click Upload Custom Pages..., and fill in the form:

   Field	Value
   Name	Duo
   Page type	Access
   Templates file	Upload the Duo Juniper package zip file downloaded from the Duo Admin Panel earlier. Your file name will differ from the example image below.

3. Do not select the "Use Custom Page for Pulse Desktop Client Logon" or "Prompt the secondary credentials on the second page" options, if present.

4. Check the Skip validation checks during upload box.

   

5. Click Upload Custom Pages. You may ignore any warnings.

Add the Duo LDAP Server

1. Navigate to Authentication → Auth. Servers.

   Select LDAP Server from the Auth Server Type list, click New Server, and fill out the form:

   Field	Value
   Name	Duo-LDAP
   LDAP Server	Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)
   LDAP Port	636
   LDAP Server Type	Generic
   Connection	LDAPS

   

2. In the "Authentication required?" section, check the Authentication required to search LDAP box and fill in the form (replacing INTEGRATION_KEY and SECRET_KEY with your application-specific keys).

   Field	Value
   Admin DN	dc=INTEGRATION_KEY,dc=duosecurity,dc=com
   Password	SECRET_KEY

3. In the "Finding user entries" section:

   Field	Value
   Base DN	dc=INTEGRATION_KEY,dc=duosecurity,dc=com
   Filter	cn=<USER>

   

4. Click Save Changes. (After you click Save you might receive a message indicating that the LDAP server is unreachable. You can disregard this message.)

Configure a User Realm

To configure a user realm for the Duo LDAP server, you can do one or more of the following:

• Create a new realm for testing
• Create a realm to gradually migrate users to the new system (for instance, by duplicating an existing realm)
• Use the default Users realm

If you create a new realm as part of deploying Duo, be sure to create role mapping rules to add users to the new realm.

To add 2FA to a user realm:

1. Navigate to Users → User Realms and click the link for the user realm to which you want to add secondary authentication (in our example we're using a realm named "Duo-Users").

2. While on the user realm's "General" tab, expand the "Additional Authentication Server" section, select the Enable additional authentication server check box, and fill out the form:

   Field	Value
   Authentication #2	Duo-LDAP
   Username is	predefined as <USERNAME>
   Password is	specified by user on sign-in page

3. Check the End session if authentication against this server fails box.

   

4. Click Save Changes.

5. Click the Authentication Policy tab at the top of the page and then click Password.

6. In the "Options for additional authentication server" section, select Allow all users.

   

7. Click Save Changes.

Configure the Sign-In Policy for Secondary Authentication

To finish setting up your integration, configure a sign-in policy for secondary authentication. In this example we'll use the default */ URL policy, but you can set up a new sign-in policy at a custom URL (like */Duo-testing/) for testing.

1. Navigate to Authentication → Signing In → Sign-in Policies tab.
2. Click the link for the sign-in policy that you want to modify.

3. Select the Duo from the Sign-in page list.

   

4. In the "Authentication realm" section, choose User picks from a list of authentication realms....

5. Choose the user realm you configured earlier, and click Add to move it to the Selected realms box on the right. Make sure this is the only selected realm for this sign-in page.

   

6. Click Save Changes.

Test Your Setup

To test your Pulse Connect Secure two-factor authentication setup, go to the URL that you defined for your sign-in policy. After you complete primary authentication, the Duo enrollment/login prompt appears.

Troubleshooting

Need some help? Take a look at the Pulse Connect Secure Frequently Asked Questions (FAQ) page or try searching our Pulse Connect Secure Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

1. SSL VPN connection initiated
2. Primary authentication
3. Pulse Connect Secure connection established to Duo Security over TCP port 636
4. Secondary authentication via Duo Security’s service
5. Pulse Connect Secure receives authentication response
6. SSL VPN connection established