Security Management

  • 1.  Configuring 2 factor authentication...

    Posted 02-08-2011 13:29

    I am trying to configure a Juniper SA 2500 to do SafeWord authentication and am having 2 issues.  My configuration has “Active Directory / Windows NT” as the primary and a RADIUS server as the additional authentication server.

     

    In general this works fine with two exceptions that I can't seem to work around.

     

    1) The username entered is "gold" but when this name is sent to RADIUS it appears as "COLORS\gold" which doesn't match a SafeWord ID and causes a failed authentication.  'Gold' is the user, COLORS is the AD domain name.  This seems to be tied to the domain field found in the AD authentication server setup.  If I try to leave it blank I get "Invalid NT Domain or Active Directory" and it won't save.  If I change it to 'GGG' then what gets sent to the RADIUS server is 'GGG\gold'.  I would like it to just say 'gold'.

     

    2) When the radius server is configured to have a "Custom Radius Authentication Rules" to show the defender page when it receives an Access-Challenge it does so but does NOT display the RADIUS Attribute Reply-Message which contains the asynchronous challenge.  It is in this return attribute that we present the challenge string they must enter into their token to get the corresponding Passcode.  Now in the RADIUS server's "Custom Radius Authentication Rules" section if instead I choose "show user login page with error" then the challenge is displayed but at the first logon screen and as an error.  They have to re-enter all values.  At least they know the challenge now.  This isn't pretty.

     

    Any ideas would be appreciated.

     

     *******   Incoming RADIUS packet:   *******
    radrecv: Packet from host 10.52.41.102, port=12001
    Examining RFC 2138 Access-Request Packet:Identifier=80. Packet length=129.
    01 50 00 81 33 46 0E F7 - 62 F1 5D BE B0 53 48 EC   .P..3F..b.]..SH.
    46 AB 95 38 20 09 4A 75 - 6E 69 70 65 72 01 0D 43   F..8 .Juniper..C
    4F 4C 4F 52 53 5C 67 6F - 6C 64 02 12 AE 74 A0 FF   OLORS\gold...t..
    BF AE 7D 58 16 D2 DD DB - 0B 89 3A 7F 04 06 0A 34   ..}X......:....4
    29 66 05 06 00 00 00 00 - 2C 39 43 4F 4C 4F 52 53   )f......,9COLORS
    5C 67 6F 6C 64 28 73 61 - 66 65 77 6F 72 64 29 22   \gold(safeword)"
    54 75 65 20 46 65 62 20 - 20 38 20 31 32 3A 33 37   Tue Feb  8 12:37
    3A 32 32 20 32 30 31 31 - 22 53 75 37 62 67 50 2F   :22 2011"Su7bgP/
    78                      -                           x
         RFC 2138 Attribute=1: (User-Name) Length=11
                      Value=COLORS\gold

    *******   Outgoing RADIUS packet:   *******
    Examining RFC 2138 Access-Challenge Packet:Identifier=236. Packet length=54.
    0B EC 00 36 B3 7C 84 03 - E4 0E 8D 08 4F AA 3A 36   ...6.|......O.:6
    F0 7D 77 C2 12 1C 43 68 - 61 6C 6C 65 6E 67 65 3A   .}w...Challenge:
    20 35 36 37 34 20 52 65 - 73 70 6F 6E 73 65 3F 20    5674 Response?
    18 06 35 36 37 34       -                           ..5674
    Packet Authenticator=b3 7c 84 3 e4 e 8d 8 4f aa 3a 36 f0 7d 77 c2
         RFC 2138 Attribute=18: (Reply-Message) Length=26
                      Value=Challenge: 5674 Response?
         RFC 2138 Attribute=24: (State) Length=4
                      Value=35 36 37 34



  • 2.  RE: Configuring 2 factor authentication...

    Posted 02-08-2011 15:31

    I am traveling so I don't have access to my SSL box as an administrator but I have done some two factor  - So two comments from memory:

    1- On the Realm setup - are you passing the username variable back to your second authentication server? If so what variable are you using. <USER> will pass the domain and name, <USERNAME> is supposed to only pass the name.

     

    2- Following is a link to a thread that I created a while back. It might be helpful to you in regards to your second issue of getting the challenge response back.

     

    Let me know if either of these help. Struggled with this until I got it figured out myself.



  • 3.  RE: Configuring 2 factor authentication...

    Posted 02-09-2011 15:05

    Thanks for the feedback....   Lets see  Issue 1 is resolved.

     

    1- On the Realm setup - are you passing the username variable back to your second authentication server? If so what variable are you using. <USER> will pass the domain and name, <USERNAME> is supposed to only pass the name.

     

    Thank you, thank you, thank you.  Worked like a champ!!!  <USERNAME> is just what was needed.

     

    Issue #2 is still not resolved.

    My configuration for Access Challenge is identical. and I do get the Challenge/Response page, however the Challenge is blank.  It does not echo what was sent in the Acces-Challenge packet's Reply-Message attribute.

     

     



  • 4.  RE: Configuring 2 factor authentication...
    Best Answer

    Posted 02-10-2011 12:56

    Howdy - You know in my previous post I realized that I forgot to include the link to my explaination of how I got the two factor to work. So here it is:

     

    http://forums.juniper.net/t5/SSL-VPN/Using-SSL-VPN-with-radius-challenge-and-response-hard-token/m-p/9676#M2079

     

    In looking at your screen capture I see the problem. You do not have the syntax correct. You have the following:

     

    .*) --- Shown in the page one display as (Reply Message matches the expression ".*)"

     

    You need to have:

    (.*) --- Shown in the page one display as (Reply Message matches the expression "(.*)")

     

    This missing open parentheses is what is wrong.

     

     



  • 5.  RE: Configuring 2 factor authentication...

    Posted 03-15-2011 12:18

    I have confirmed that both issues are now resolved.  The "(.*)" mentioned above fixes the challenge not displaying what is in the Reply-Message attribute.

     

    Thanks all involved.   Kudos!



  • 6.  RE: Configuring 2 factor authentication...

    Posted 03-15-2011 17:36

    Hey RB - thank you very much for coming back and updating the post. Believe it or not I actually look at my old posts pretty regularily to see if I get feeback on my answers. Appreciate hearing that it worked!



  • 7.  RE: Configuring 2 factor authentication...

    Posted 05-21-2013 19:40
    Hi,

    Anyone can share links to Juniper KB on theimplementation of 2FA on Juniper SSL VPN?


  • 8.  RE: Configuring 2 factor authentication...

    Posted 07-17-2019 15:48

    Hello,

     

    Did you ever get a working configs of 2FA for Dynamic VPN connection?  I have got Radius Configs and Authentication working fine, now I need to install DUO 2FA, not finding any cmd line instructions.

     

    Thanks,



  • 9.  RE: Configuring 2 factor authentication...

    Posted 02-09-2011 07:31

    We have a different 2-factor vendor but this is how we have things setup:

     

    On the Custom Radius Rule we have:

    -Response Packet Type = Access Challenge

    ---Radius Attribute = Reply Message

    ---Operand = matches the expression

    ---Value = (.*)

    -Then take action = show Generic Logon Page