Skip navigation
Documentation

Duo Two-Factor Authentication for Juniper Networks & Pulse Secure SSL VPN - FAQ

Last Updated: March 21st, 2023

Duo integrates with your Juniper Networks Secure Access or Pulse Secure Connect Secure SSL VPN to add two-factor authentication to any VPN login, complete with inline self-service enrollment and Duo Prompt.

Do you support Ivanti-branded Connect Secure VPN?

Yes, please see our Duo Single Sign-On for Ivanti Connect Secure for a SAML solution or Duo Two-Factor Authentication with RADIUS for Ivanti Secure Access SSL VPN for a RADIUS solution.

Does the transition of the SSL VPN and Pulse client products from Juniper to Pulse Secure affect our application?

The Junos Pulse technologies transitioned from Juniper Networks to a new, independent business: Pulse Connect. As of October 2014 there are no fundamental changes to the Pulse software or SSL VPN gateways. The Pulse Connect SSL VPN from Pulse Secure continues to work with Duo, and the configuration process remains essentially the same.

Do you support the Pulse Client?

Yes, our Secure Access SSL VPN configuration works with the Pulse client. Users type in the name of a Duo factor or a passcode when prompted by the client application.

Pulse Client Secondary Authentication Prompt

The end user experience is documented in our Pulse End User Guide.

Do you support the Juniper Network Connect?

Yes, our Secure Access SSL VPN configuration works with Juniper Network Connect.

Do you support the Juniper MAG series?

Yes, our Secure Access SSL VPN configuration can also be used to protect the Juniper MAG series.

Which configuration method should I use?

The standard SA/IVE configuration is the recommended integration method for Juniper SA/IVE VPNs. However, the alternate configuration method provides "failmode" control (what to do if network connectivity with Duo is lost) and the ability to integrate Duo into a single Juniper sign-in url with multiple authentication realms.

My Juniper MAG, SA or IVE VPN does not support customized login pages.

Try the alternate configuration, which doesn't require uploading custom login pages.

I receive a warning when uploading the Duo custom sign-in page template.

You may receive the messages "WARNING: Page Logout is out of date. It is recommended you re-customize this page from the latest sample zip file" and "WARNING: Page PleaseWait is out of date. It is recommended you re-customize this page from the latest sample zip file" when you upload the Duo custom sign-in pages template zip file to your Juniper/Pulse SSL VPN device running release 8.2 or later.

These warnings may be ignored and do not affect Duo authentication.

I'm seeing "You are not allowed to sign in. Please contact your administrator." during secondary authentication.

If you created a new Authentication Realm within your Juniper instead of using the default, make sure that you have assigned an appropriate "Role" to the new Realm for any users who will be using this Realm.

I received a message saying "Invalid Base DN or Filter" when I am adding the Duo LDAP Authentication Server.

This message can be ignored. You can safely click the Save anyway button and proceed with the application install instructions.

Why does a browser window open during Pulse client login to Connect Secure 8.2R2 and later?

Ensure that you did not check the "Use Custom Page for Pulse Desktop Client Logon" when uploading the Duo custom sign-in page. Navigate to AuthenticationSigning InSign-In Page and click the Duo sign-in page you uploaded earlier. If that option is selected, deselect it and save.

Why can my users no longer access file shares using SSO after enabling Duo?

You may need to adjust the SSO Resource Policy credentials settings. Log in to the Secure Access administration page, and navigate to Resource Policies > Files > Windows SSO.

Edit your existing Windows Credentials Policy (or create a new one). Modify the SSO Windows Credentials Policies Action settings as follows:

  • Click the radio button next to Use Specified Credentials....
  • Enter Domain<USERNAME> in the "Username" field.
  • Enter <PASSWORD> in the "Variable Password" field.

Save your changes to the policy.

Windows Credentials Policy

Is it possible to customize the Duo SSL VPN sign-in page title and text?

You may customize the page title and portal name text on the sign-in page created when you upload the Duo package to your SSL VPN device.

After downloading the Duo Juniper package from the Admin Portal, unzip the file and locate the LoginPage.thtml file.

Open LoginPage.thtml in a text editor and make your desired customizations:

  • To change the page title from the default value "Secure Access SSL VPN ", locate the string <title><% title FILTER verbatim %></title> and replace <% title FILTER verbatim %> with your new title.

    Example: <title>Acme SSL VPN</title>

  • To change the portal name from the default value "Secure Access SSL VPN ", locate the string <td nowrap colspan="3"><span class="cssLarge"><b><% portal FILTER verbatim %></b></span></td></tr> and replace <% portal FILTER verbatim %> with your new title.

    Example: <td nowrap colspan="3"><span class="cssLarge"><b>Acme SSL VPN</b></span></td></tr>

Compress the entire extracted Duo package contents (including your modified LoginPage.thtml file) into a new zip file. Be sure that when you create the new zip file you only include the previously extracted files and directories, and not the top-level directory that your extraction tool may have created; for example, if Windows extracted the contents to a new folder %TEMP%\Duo-Juniper-8.x-v5-1234-5678-90, do not include the Duo-Juniper-8.x-v5-1234-5678-90 folder itself in the zip file.

Upload the new sign-in page zip file to your SSL VPN device as shown in Duo's Juniper or Pulse Secure instructions.

SSL VPN sign-on page with default text:

Default Juniper SSL VPN sign-in page text

SSL VPN sign-on page with custom text:

Customized Juniper SSL VPN sign-in page text

You may also edit the other text on the page. Please see the Juniper KB article [SSL VPN] How to customize text on sign-in page for more information.

Feel free to customize the other areas of the sign-in page template as long as you avoid editing code between the START DUO SNIPPET and END DUO SNIPPET tags.

For more information about editing page templates, see the Custom Page Modification Guide (PDF).

Additional Troubleshooting

Need more help? Try searching our Juniper Knowledge Base articles or Community discussions. For further assistance, contact Support.