In this tutorial we are adding two-factor authentication to a Juniper UAC as well as mutual https authentication for users with the PC token. Start on the Juniper server:
Add the WiKID Strong Authentication Server to the Juniper IC Series UAC
- Go to Auth Servers.
- From the New: dropdown menu, select RADIUS Server, and click New Server…
- Name the new RADIUS server WiKID-Test-RADIUS-Server.
- Verify that the NAS-Identifier field is populated with the hostname of your IC. If not, enter the hostname in that field. (Populated from Network > Overview > Hostname field.)
- In the RADIUS Server: field, enter the IP address of the WiKID RADIUS server.
- Verify that the authentication and accounting ports are set to 1812/1813.
- In the Shared Secret: field, enter the RADIUS secret (e.g. juniper).
- If your IC is behind a NAT, enter the external address of the NAT in the NAS-IP-Address field. If your IC is not behind a NAT, leave this field blank.
- Click Save Changes.
- Go to Auth Servers and verify that the RADIUS server instance was created successfully.
Define user role
- Go to User Roles > New User Role...
- Name the new role WiKID-Test-Role, then click Save Changes.
- Go to User Roles and verify that the new role was created successfully.
- Go to User Roles > WiKID-Test-Role > Agent > General. Uncheck Install Agent for this role, then click Save Changes.
- Go to User Roles > WiKID-Test-Role > Agentless. Check Enable Agentless Access for this role, then click Save Changes.
Define user realm and role mapping
- Go to User Realms > New User Realm…
- Name the new realm (for example WiKID-Test-Realm).
- From the Authentication: dropdown menu, select WiKID-Test-RADIUS-Server.
- Click Save Changes.
- Go to User Realms > WiKID-Test-Realm > Role Mapping, and click New Rule…
- Verify that the Role Based On: dropdown menu is set to Username.
- In the Name: field, enter a rule name (e.g. Allow-All-Users).
- Under Rule: If username…, verify that the dropdown menu is set to is, then enter * in the username field.
- From the Available Roles list, select WiKID-Test-Role, then click Add to move it to the Selected Roles list.
- Click Save Changes, and verify that the new rule was created successfully.
Define sign-in URL
- Go to Signing In > Sign-In Policies, and click New URL…
- In the Sign-in URL: field, enter */wikid/.
- From the Sign-in page dropdown menu, select Default Sign-In Page.
- From the Available Realms dropdown menu, select WiKID-Test-Realm, then click Add. (The authentication protocol set will be set to Not applicable by default.)
- Click Save Changes, and verify that the new sign-in policy was created successfully.
Define resource access policies
-
Go to Infranet Enforcer > Resource Access, and click New Policy...
-
Name the new policy WiKID-Test-Access-Policy.
-
In the Resources field, enter *:*.
-
Under Roles, verify that Policy applies to ALL roles is selected.
-
Under Action, verify that Allow access is selected.
-
Click Save Changes, and verify that the new policy was created successfully.
Add the Juniper UAC to the WiKID server
On the WiKID Server, be sure to enable Radius:
- Click on the 'Configuration' tab in the WiKIDAdmin web interface.
- Click on 'Enable Protocols'
- If Radius is not Enabled, click on it.
- You should be able to leave the settings as is and click 'Initialize'.
Next we add a specific network client for the Juniper:
- Click on the 'Network Client' Tab
- Click on 'Create New Network' Client
- Create a name such as "Juniper Two-factor VPN"
- Choose a WiKID domain to the network client
- Select 'Radius' as the protocol
- Click 'Add'
- On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
- Click 'Add NC'
- From a terminal window, stop and start the WiKID Strong Authentication Server (wikidctl restart). This will open up the firewall port to the new network client.
Configure Mutual HTTPS Authentication for Additional Security
The WiKID Strong Authentication System supports strong mutual authentication for SSL services such as the Juniper. Strong mutual HTTPS authentication will thwart network-based MITM attacks which are increasingly simple due to DNS problems and the prevalence of public WiFi networks.
To add mutual authentication for your Juniper users:
- Go to the WiKID domain page and edit the domain used for the Juniper.
- Enter the URL of the Juniper box (https://yourIPAddress/wikid) portal in the "Registered URL" box.
- Click Update
When you click "Update", the WiKID server will grab the SSL certificate for the Juniper server and store it. When a user generates an one-time password for that domain, the hash and the registered URL will be delivered with the OTP. The token will go out over the user's connection to the registered URL and get and hash the SSL certificate. If the hashes match, the token presents the OTP, copies it to the clipboard and launches the default browser to the correct URL. Quite simple for the user! If they don't match, there is a MITM and an error is presented.
Testing and Troubleshooting
Close the browser you used to configure the Juniper box (if it was your default browser). Start your WiKID token. Select the domain associated with the Juniper server. Enter your PIN. The one-time passcode should be presented and the default browser should be launched to the Registered URL, in this case https://yourIPAddress/wikid. Enter your username and copy the OTP from the clipboard into the password box.
If the authentication fails, go back to the IC Admin UI. Go to Log / Monitoring > User Access > Log, and review the log entries to see the cause of the error. Possible causes include
· lack of connectivity to the RADIUS Server
· incorrect RADIUS ports
· incorrect RADIUS shared secret
· incorrect username / password
On the WiKID server, check the WiKIDAdmin logs (link on the top right). Set the log level to debug and filter the results. If the last thing you see is the passcode request, then chances are the radius packets are not reaching the WiKID server from the Juniper. If there is an authentication problem, check that the user is enabled. You may want to enable Radius debugging.
