Enabling Two-Factor Authentication on Juniper VPN

This Juniper VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Juniper Secure Access SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Juniper Secure Access SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Juniper VPN 2FA performs as a RADIUS server, and the Juniper Secure Access SSL VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Juniper VPN two-factor authentication below.

1. How Two-Factor Authentication (2FA) Works for Juniper VPN

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a must-have security measure for Juniper Secure Access SSL VPN. 2FA will protect Juniper VPN logins from such threats as phishing, brute force, data spoofing, social engineering, keyloggers, man-in-the-middle attacks, etc.

And this is how two-factor authentication for Juniper Secure Access SSL VPN works:

1. When a user initiates login to the Juniper VPN protected with two-factor authentication, first of all, they will enter the first authentication factor — their standard password and login (something they know).


2. Then they will be asked to enter a second authentication factor – a one-time passcode from the two-factor authentication token (a 2FA token is something the user has — usually, it is a smartphone or a physical OTP token looking like a keyfob).

This way, to get access to the Juniper Secure Access SSL VPN account protected with two-factor authentication, the fraudster has to get access to two authentication factors that differ in their nature. That is quite a challenging task. Moreover, a time-based one-time password remains active only for 30 seconds, which makes hacking way more complecated and almost impossible.

2. How to Enable Juniper VPN 2FA (Two-Factor Authentication)

You can set up Juniper VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Juniper Secure Access SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the Radius box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Juniper Secure Access SSL VPN using RADIUS are available in our Protectimus RADIUS Server Installation Guide for Juniper VPN 2FA.

2.3. Configure Juniper VPN RADIUS Server Profile

1. Log in to the Juniper administrative interface.
2. In the left menu, navigate to Authentication —> Auth Servers.
3. Select Radius Server from the drop down menu then click New Server.
4. In the Name field, enter Protectimus RADIUS.
5. Under the Primary Server section, enter the following information:

Radius Server	IP of server where the Protectimus RADIUS Server component is installed.
Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Timeout	Set to 60 seconds.

6. Click Save Changes to save the RADIUS server profile.

2.4. Add a Custom Radius Rules to Juniper VPN

2.4.1. Create a rule for the Access Challenge packet

1. Scroll down to the Custom Radius Rules section.
2. Click on New Radius Rule.
3. In the Name field, enter Protectimus Radius Rule 1.
4. For the Response Packet Type, select Access Challenge.
5. Under the Then take action section, select Show Generic Login page.

6. Click Save Changes.

2.4.1. Create another rule for the Access Reject packet

1. Click on New Radius Rule.
2. In the Name field, enter Protectimus Radius Rule 2.
3. For the Response Packet Type, select Access Reject.
4. Under the Then take action section, select Show Generic Login page.
5. Click Save Changes.

2.5. Configure a User Realm

To configure a user realm for the Protectimus Radius server, you can do one or more of the following:

• Create a new realm for testing;
• Create a realm to gradually migrate users to the new system (for instance, by duplicating an existing realm);
• Use the default Users realm.

To add 2FA to a user realm:

1. In the left menu, navigate to Users —> User Realms and click the link for the user realm to which you want to add secondary authentication.
2. In the Authentication field, select Protectimus RADIUS and click Save Changes.

3. Add the newly created Protectimus RADIUS realm to the authentication realm.

• Click Authentication —> Signing In —> the relevant User URL.
• Move the newly created realm from the Available realms area to the Selected realms area.
• Click Save Changes.

Integration of two-factor authentication (2FA/MFA) for your Juniper Secure Access SSL VPN is now complete.

If you have other questions, contact Protectimus customer support service.