Juniper

Introduction

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions. Acceptto offers a simple way of adding MFA to Juniper VPN through its RADIUS solution. This step-by-step integration guide illustrates how to configure Juniper VPN with the Acceptto RADIUS MFA authentication solution.

Prerequisites

  1. An Acceptto RADIUS Agent that is configured and connected to your user directory (for example Microsoft™ 'Active Directory™'). See this page for the instructions.
  2. A user with administrative privileges for the vSRX device.

Configure the Acceptto™ RADIUS Agent

To integrate Acceptto with your Juniper Firewall, you will need to install an Acceptto RADIUS Agent on a machine within your network. This server receives RADIUS requests from your Juniper Firewall, checks with your LDAP server to perform primary authentication, and then contacts the Acceptto cloud service for secondary authentication.

  1. Log in to the Acceptto RADIUS Agent with an administrative user and open the radius-agent-config.env file with an editor. It is located in the installation directory of the RADIUS Agent. RADIUS clients are configured in this file.

  2. Go to the bottom of the radius-agent-config.env file and change the ARA_CLIENTS attribute as follows. The values are separated by semicolons (;).

    ARA_CLIENTS = <an optional name for the RADIUS client>;<IP address of the RADIUS client, i.e. the Juniper Firewall that sends the RADIUS requests>;<a shared secret>

    An example configuration might look like this:

    ARA_CLIENTS = Okta;192.168.10.10/32;testing12345

  3. Save the file and run the following command to apply the changes:

    docker-compose down && docker-compose up -d
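Before wiring up the firewall, it helps to confirm that the RADIUS Agent answers a request that carries the ARA_CLIENTS shared secret. The following Python script is an added example, not part of this guide or of the Acceptto product: it builds an RFC 2865 Access-Request with a PAP-hidden User-Password, sends it to the agent, and validates the Response Authenticator with the shared secret. The agent address 192.168.10.20, port 1812, and the credentials are assumed values, and the host you run it from must itself be listed in ARA_CLIENTS.

```python
import hashlib
import os
import socket
import struct

# Constructed values so the script runs stand-alone; use your agent's real address
# and the shared secret from its ARA_CLIENTS entry when testing for real.
AGENT = ("192.168.10.20", 1812)   # hypothetical RADIUS Agent address
SECRET = b"testing12345"          # must match the ARA_CLIENTS shared secret

def pap_encrypt(secret, authenticator, password):
    """Hide a PAP password as in RFC 2865 5.2: MD5-keyed XOR over 16-byte chunks."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # TLV, length incl. header

def build_access_request(secret, username, password, ident=1, authenticator=None):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    ra = authenticator or os.urandom(16)
    attrs = attr(1, username.encode()) + attr(2, pap_encrypt(secret, ra, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs, ra

def response_authenticator(secret, request_authenticator, reply):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) for a reply."""
    return hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()

def verify_response(secret, request_authenticator, reply):
    """Return the reply type, or None if the authenticator (i.e. the secret) is wrong."""
    ok = len(reply) >= 20 and len(reply) == struct.unpack("!H", reply[2:4])[0]
    if not ok or response_authenticator(secret, request_authenticator, reply) != reply[4:20]:
        return None
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], "unknown")

def probe(username, password, timeout=120):
    """Send one request and wait up to `timeout` seconds for the push approval."""
    pkt, ra = build_access_request(SECRET, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, AGENT)
        reply, _ = s.recvfrom(4096)
    return verify_response(SECRET, ra, reply)
```

Call `probe("<directory user>", "<password>")` from a host listed in ARA_CLIENTS; a None result means either no reply within the timeout or a Response Authenticator computed with a different secret, which points at the ARA_CLIENTS entry rather than at the user's credentials.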

Configure the Juniper vSRX device

  1. Log in to the Juniper device with an administrative user and change to configuration mode. All of the subsequent steps in this guide assume that you remain in configuration mode.

  2. Create an IP address pool for your VPN clients:

    set access address-assignment pool vpn-pool family inet network <addresses for your VPN clients> xauth-attributes primary-dns <the IP address of the DNS server>

  3. Create an access profile for the RADIUS Agent by typing the following commands.

    set access profile acceptto-radius authentication-order radius
    set access profile acceptto-radius address-assignment pool vpn-pool
    set access profile acceptto-radius radius-server <the RADIUS Agent IP address> timeout 120 retries 2 secret <the shared secret configured in the Acceptto RADIUS Agent>
    commit

    Note that the timeout is extended to give users enough time to approve the push notification. You can reduce this timeout based on user feedback. The default number of retries is 2; remove it if you do not wish to give the user multiple authentication attempts.

  4. Create an IKE proposal configuration by typing the following commands. You may need to customize this configuration depending on your security policy; this example is just the basic setup.

    set security ike proposal ike-proposal1 authentication-method pre-shared-keys
    set security ike proposal ike-proposal1 dh-group group20
    set security ike proposal ike-proposal1 authentication-algorithm sha-384
    set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
    set security ike proposal ike-proposal1 lifetime-seconds 86400
    commit

  5. Create a policy that uses the proposal above and authenticates the client using a pre-shared key:

    set security ike policy ike-policy1 mode aggressive
    set security ike policy ike-policy1 proposals ike-proposal1
    set security ike policy ike-policy1 pre-shared-key ascii-text <the preshared key for your clients>
    commit

  6. Create a gateway to terminate the VPN connections. Note that the user-at-hostname and connections-limit are dependent on your environment and your Juniper license, respectively.

    set security ike gateway gateway1 ike-policy ike-policy1
    set security ike gateway gateway1 dynamic user-at-hostname <user@junipervpn.example.com>
    set security ike gateway gateway1 dynamic connections-limit <X>
    set security ike gateway gateway1 external-interface <interfaceX>
    set security ike gateway gateway1 version v1-only
    commit

  7. Create a tunnel interface that is going to handle the traffic between the external and internal zones.

    set interfaces st0 unit 0 family inet
    commit

  8. Create an IPSEC proposal for VPN clients.

    set security ipsec proposal ipsec-proposal1 protocol esp
    set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
    set security ipsec proposal ipsec-proposal1 lifetime-seconds 32400
    commit

  9. Create an IPSEC policy for the VPN clients.

    set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
    set security ipsec policy ipsec-policy proposals ipsec-proposal1
    commit

  10. Create the VPN: bind the tunnel interface, the IKE gateway and the IPsec policy, and add the traffic selectors.

    set security ipsec vpn remote-vpn1 bind-interface st0.0
    set security ipsec vpn remote-vpn1 ike gateway gateway1
    set security ipsec vpn remote-vpn1 ipsec-policy ipsec-policy
    set security ipsec vpn remote-vpn1 traffic-selector ts1 local-ip 10.0.0.0/24
    set security ipsec vpn remote-vpn1 traffic-selector ts1 remote-ip 0.0.0.0/0

Configure the NCP VPN client

  1. Open the NCP user interface and select the Configuration tab. Select Profiles from the dropdown.

  2. The profile configuration menu is presented; select Add.

  3. In the new profile wizard window, select Manually configure profile and click Next.

  4. Enter a friendly name for the new VPN client configuration in the Profile Name field and select Next.

  5. Select the media over which the VPN is going to be connected. In this example, we are using LAN. Then select Next.

  6. Select whether certificates are used to authenticate the client. Certificates are recommended. Select Next.

  7. Configure the VPN gateway and then select Next.

  8. Select the Diffie-Hellman (DH) group to use. This group must match the DH group configured in the vSRX device. Select Next.

  9. Select the user identity that identifies the tunnel to the device. In this example, we are using user@domain. It must match the configuration from step 8 of "Configure the Juniper vSRX device." Click Finish.

  10. When the profile configuration menu appears, select Edit > IPSEC General Settings. Review the settings and ensure they exactly match the configuration on the vSRX device.

  11. Optionally, you may select Policy Editor and create IKE and IPSEC policies that match the configuration in the vSRX device.

  12. Edit the IKE policy by providing a valid name and setting the authentication method for the tunnel, encryption, and hashing algorithms to match the tunnel IKE configuration. Then select OK.

  13. Edit the IPSEC policy. Provide a friendly name and select the Protocol, Encryption, and Authentication algorithms that match the tunnel IPSEC configuration. Then select OK.

Test Your Setup

  1. Open the newly configured NCP VPN client and select the sliding control to connect to the Internet.

  2. The VPN client prompts the user for authentication. The user must input a valid Active Directory username and password.

  3. The VPN client sends the credentials to the vSRX device, and the vSRX authenticates the user to RADIUS. If the user's credentials are correct, the user is prompted to approve the authentication in the It'sMe mobile application, and is then logged in.

  4. What to look for if the connection is unsuccessful:

    a. If login fails, displaying the message "PAP/CHAP error Wrong User ID or password (VPN)": The user has most likely mistyped their password or has not acknowledged the push notification from the It'sMe application.

    b. If the message "VPN error RECV-MSG2-AGGR-PSK -> invalid preshared key" is displayed: Go to Configuration, select Profiles, edit the profile in use, select Identities and check the pre-shared configuration by re-typing the pre-shared key.

    c. If the message "VPN error Could not resolve VPN gateway name (DNS)" is displayed: Ensure that your DNS server can resolve the host you are trying to contact. For example, use the ping command.

    d. If the message "VPN error Connection to VPN gateway failed. Please check your internet connection" is displayed: Verify whether the security zone or any in-between firewall is blocking IPSEC connections.

Support

If you require assistance, please email us at support@acceptto.com.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the Acceptto Corporation.