Visitor
RB72
Posts: 3
Registered: 02-08-2011
Accepted Solution

Configuring 2 factor authentication...

I am trying to configure a Juniper SA 2500 to do SafeWord authentication and am having two issues. My configuration has "Active Directory / Windows NT" as the primary and a RADIUS server as the additional authentication server.

In general this works fine with two exceptions that I can't seem to work around.

1) The username entered is "gold" but when this name is sent to RADIUS it appears as "COLORS\gold", which doesn't match a SafeWord ID and causes a failed authentication. 'gold' is the user; COLORS is the AD domain name. This seems to be tied to the domain field found in the AD authentication server setup. If I try to leave it blank I get "Invalid NT Domain or Active Directory" and it won't save. If I change it to 'GGG' then what gets sent to the RADIUS server is 'GGG\gold'. I would like it to just say 'gold'.

2) When the RADIUS server is configured with a "Custom Radius Authentication Rules" entry to show the defender page when it receives an Access-Challenge, it does so but does NOT display the RADIUS attribute Reply-Message, which contains the asynchronous challenge. It is in this return attribute that we present the challenge string they must enter into their token to get the corresponding passcode. Now, if in the RADIUS server's "Custom Radius Authentication Rules" section I instead choose "show user login page with error", then the challenge is displayed, but at the first logon screen and as an error. They have to re-enter all values. At least they know the challenge now. This isn't pretty.

Any ideas would be appreciated.

 

 *******   Incoming RADIUS packet:   *******
radrecv: Packet from host 10.52.41.102, port=12001
Examining RFC 2138 Access-Request Packet:Identifier=80. Packet length=129.
01 50 00 81 33 46 0E F7 - 62 F1 5D BE B0 53 48 EC   .P..3F..b.]..SH.
46 AB 95 38 20 09 4A 75 - 6E 69 70 65 72 01 0D 43   F..8 .Juniper..C
4F 4C 4F 52 53 5C 67 6F - 6C 64 02 12 AE 74 A0 FF   OLORS\gold...t..
BF AE 7D 58 16 D2 DD DB - 0B 89 3A 7F 04 06 0A 34   ..}X......:....4
29 66 05 06 00 00 00 00 - 2C 39 43 4F 4C 4F 52 53   )f......,9COLORS
5C 67 6F 6C 64 28 73 61 - 66 65 77 6F 72 64 29 22   \gold(safeword)"
54 75 65 20 46 65 62 20 - 20 38 20 31 32 3A 33 37   Tue Feb  8 12:37
3A 32 32 20 32 30 31 31 - 22 53 75 37 62 67 50 2F   :22 2011"Su7bgP/
78                      -                           x
     RFC 2138 Attribute=1: (User-Name) Length=11
                  Value=COLORS\gold

*******   Outgoing RADIUS packet:   *******
Examining RFC 2138 Access-Challenge Packet:Identifier=236. Packet length=54.
0B EC 00 36 B3 7C 84 03 - E4 0E 8D 08 4F AA 3A 36   ...6.|......O.:6
F0 7D 77 C2 12 1C 43 68 - 61 6C 6C 65 6E 67 65 3A   .}w...Challenge:
20 35 36 37 34 20 52 65 - 73 70 6F 6E 73 65 3F 20    5674 Response?
18 06 35 36 37 34       -                           ..5674
Packet Authenticator=b3 7c 84 3 e4 e 8d 8 4f aa 3a 36 f0 7d 77 c2
     RFC 2138 Attribute=18: (Reply-Message) Length=26
                  Value=Challenge: 5674 Response?
     RFC 2138 Attribute=24: (State) Length=4
                  Value=35 36 37 34

Distinguished Expert
muttbarker
Posts: 2,372
Registered: 01-29-2008

Re: Configuring 2 factor authentication...

I am traveling so I don't have access to my SSL box as an administrator, but I have done some two-factor, so two comments from memory:

1- On the Realm setup, are you passing the username variable back to your second authentication server? If so, what variable are you using? <USER> will pass the domain and name; <USERNAME> is supposed to only pass the name.

2- Following is a link to a thread that I created a while back. It might be helpful to you in regards to your second issue of getting the challenge response back.

Let me know if either of these help. Struggled with this until I got it figured out myself.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
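The two packets in the opening post can be decoded to show exactly what the RADIUS server receives, and what the next leg of the exchange has to carry. The following is an added example, not code from the thread or from Juniper: it parses the two captured hex dumps, strips the AD domain prefix the way the thread reports the <USERNAME> realm variable does (an assumption about the appliance, not its implementation), and builds the second Access-Request with the token passcode hidden per RFC 2865 section 5.2 and the State attribute from the Access-Challenge echoed back as RFC 2865 section 5.24 requires. The shared secret and the passcode "123456" are constructed values.

```python
"""Decode the two RADIUS packets captured in the opening post and build the
second-leg Access-Request that answers the challenge.  Added example, not code
from the thread or from Juniper: strip_domain() models what the thread reports
the <USERNAME> realm variable does (an assumption about the appliance), while
password hiding and the echoed State attribute follow RFC 2865 (5.2 and 5.24)."""
import hashlib
import os
import struct

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 18: "Reply-Message", 24: "State",
              32: "NAS-Identifier", 44: "Acct-Session-Id"}

# Bytes transcribed from the two hex dumps in the opening post.
ACCESS_REQUEST_HEX = """
01 50 00 81 33 46 0E F7 62 F1 5D BE B0 53 48 EC
46 AB 95 38 20 09 4A 75 6E 69 70 65 72 01 0D 43
4F 4C 4F 52 53 5C 67 6F 6C 64 02 12 AE 74 A0 FF
BF AE 7D 58 16 D2 DD DB 0B 89 3A 7F 04 06 0A 34
29 66 05 06 00 00 00 00 2C 39 43 4F 4C 4F 52 53
5C 67 6F 6C 64 28 73 61 66 65 77 6F 72 64 29 22
54 75 65 20 46 65 62 20 20 38 20 31 32 3A 33 37
3A 32 32 20 32 30 31 31 22 53 75 37 62 67 50 2F
78
"""
ACCESS_CHALLENGE_HEX = """
0B EC 00 36 B3 7C 84 03 E4 0E 8D 08 4F AA 3A 36
F0 7D 77 C2 12 1C 43 68 61 6C 6C 65 6E 67 65 3A
20 35 36 37 34 20 52 65 73 70 6F 6E 73 65 3F 20
18 06 35 36 37 34
"""

def parse_radius(raw: bytes) -> dict:
    """Split a RADIUS packet into its header and a list of (type, value) attributes."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field says {length}, got {len(raw)} bytes")
    attrs, pos = [], 20  # header: code(1) id(1) length(2) authenticator(16)
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError(f"bad attribute at offset {pos}")
        attrs.append((raw[pos], raw[pos + 2:pos + raw[pos + 1]]))
        pos += raw[pos + 1]
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attrs": attrs}

def first_attr(pkt: dict, atype: int):
    """Value of the first attribute of the given type, or None if absent."""
    return next((v for t, v in pkt["attrs"] if t == atype), None)

def strip_domain(user_name: str) -> str:
    """'COLORS\\gold' -> 'gold'; a name without a domain prefix is returned as is."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    ciphertext block), the first block keyed with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server recovers the passcode."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, authenticator: bytes, secret: bytes,
                         user_name: str, passcode: bytes, state=None) -> bytes:
    """Second-leg Access-Request: token passcode as User-Password, plus the State
    from the Access-Challenge, which the client must echo back unmodified."""
    attrs = [(1, user_name.encode()), (2, hide_password(secret, authenticator, passcode))]
    if state is not None:
        attrs.append((24, state))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

if __name__ == "__main__":
    req = parse_radius(bytes.fromhex(ACCESS_REQUEST_HEX))
    chal = parse_radius(bytes.fromhex(ACCESS_CHALLENGE_HEX))
    for pkt in (req, chal):
        for t, v in pkt["attrs"]:
            print(f"code={pkt['code']} id={pkt['id']} {ATTR_NAMES.get(t, t)}={v!r}")
    on_wire = first_attr(req, 1).decode()
    print(f"sent {on_wire!r}, SafeWord needs {strip_domain(on_wire)!r}")
    # Answer the challenge: fresh random Request Authenticator, a constructed
    # token passcode, and the State copied from the Access-Challenge.
    reply = build_access_request(req["id"] + 1, os.urandom(16), b"shared-secret",
                                 strip_domain(on_wire), b"123456", first_attr(chal, 24))
    print(parse_radius(reply)["attrs"])
```

Run as a script it prints every attribute of both captured packets; the User-Name of the request decodes to "COLORS\gold", which is the value SafeWord rejected, and the Access-Challenge carries both the Reply-Message text and a State of "5674". Note that the Request Authenticator on the second leg must be freshly random, since it keys the password hiding; the example uses os.urandom for that.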
Regular Visitor
CebNM
Posts: 9
Registered: 04-27-2009

Re: Configuring 2 factor authentication...

We have a different 2-factor vendor but this is how we have things set up:

On the Custom Radius Rule we have:

-Response Packet Type = Access Challenge
---Radius Attribute = Reply Message
---Operand = matches the expression
---Value = (.*)
-Then take action = show Generic Logon Page

Visitor
RB72
Posts: 3
Registered: 02-08-2011

Re: Configuring 2 factor authentication...


Thanks for the feedback. Let's see: Issue 1 is resolved.

1- On the Realm setup - are you passing the username variable back to your second authentication server? If so what variable are you using. <USER> will pass the domain and name, <USERNAME> is supposed to only pass the name.

Thank you, thank you, thank you. Worked like a champ!!! <USERNAME> is just what was needed.

Issue #2 is still not resolved.

My configuration for Access Challenge is identical, and I do get the Challenge/Response page; however, the Challenge is blank. It does not echo what was sent in the Access-Challenge packet's Reply-Message attribute.

Distinguished Expert
muttbarker
Posts: 2,372
Registered: 01-29-2008

Re: Configuring 2 factor authentication...

Howdy - You know, in my previous post I realized that I forgot to include the link to my explanation of how I got the two factor to work. So here it is:

http://forums.juniper.net/t5/SSL-VPN/Using-SSL-VPN-with-radius-challenge-and-response-hard-token/m-p...

In looking at your screen capture I see the problem. You do not have the syntax correct. You have the following:

.*) --- Shown in the page one display as (Reply Message matches the expression ".*)")

You need to have:

(.*) --- Shown in the page one display as (Reply Message matches the expression "(.*)")

This missing open parenthesis is what is wrong.

Kevin Barker
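The difference between ".*)" and "(.*)" is not cosmetic: the text shown on the challenge page is whatever the expression captures, so an expression with no usable capture group displays nothing, which is the blank challenge reported above. The following is an added example, not code from the thread or from Juniper, that checks a rule expression the way a practitioner would before saving it and shows what each candidate would capture from the Reply-Message in the opening post. It assumes, as the thread describes, that the page displays the captured group, and it uses Python's re module rather than the appliance's own regex engine.

```python
"""Check a "Custom Radius Authentication Rules" expression before saving it, and
show what the rule would capture from the Reply-Message seen in this thread.
Added example, not code from the thread or from Juniper: it assumes, as the
thread describes, that the challenge page displays what the expression
captures, and it uses Python's re module rather than the appliance's engine."""
import re

# Reply-Message value from the Access-Challenge captured in the opening post.
REPLY_MESSAGE = "Challenge: 5674 Response? "

def check_rule_expression(expression: str) -> tuple:
    """(ok, reason): a usable rule must compile and have a capture group."""
    try:
        pattern = re.compile(expression)
    except re.error as err:
        return False, f"does not compile: {err}"  # ".*)" ends up here
    if pattern.groups == 0:
        return False, "no capture group, so nothing would be displayed"
    return True, "ok"

def captured_challenge(expression: str, reply_message: str):
    """The text the rule would hand to the challenge page, or None if nothing matches."""
    if not check_rule_expression(expression)[0]:
        return None
    match = re.search(expression, reply_message)
    return match.group(1).strip() if match else None

if __name__ == "__main__":
    # The broken rule from the thread, the fix, and a tighter form that shows only
    # the digits the user has to type into the token.
    for expr in (".*)", "(.*)", r"Challenge: (\d+)"):
        ok, reason = check_rule_expression(expr)
        print(f"{expr!r:24} {reason:50} captured={captured_challenge(expr, REPLY_MESSAGE)!r}")
```

"(.*)" reproduces the whole Reply-Message on the page, including the "Response?" prompt; a narrower group such as "Challenge: (\d+)" shows the user only the four digits the token needs, at the cost of breaking if the vendor ever changes the message wording.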
Visitor
RB72
Posts: 3
Registered: 02-08-2011

Re: Configuring 2 factor authentication...

I have confirmed that both issues are now resolved.  The "(.*)" mentioned above fixes the challenge not displaying what is in the Reply-Message attribute.

 

Thanks all involved.   Kudos!

Distinguished Expert
muttbarker
Posts: 2,372
Registered: 01-29-2008

Re: Configuring 2 factor authentication...

Hey RB - thank you very much for coming back and updating the post. Believe it or not, I actually look at my old posts pretty regularly to see if I get feedback on my answers. Appreciate hearing that it worked!

Kevin Barker
Trusted Contributor
michael.saw
Posts: 1,048
Registered: 09-26-2011

Re: Configuring 2 factor authentication...

Hi,

Can anyone share links to Juniper KB articles on the implementation of 2FA on Juniper SSL VPN?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.