SSL VPN
Contributor
BHPCI
Posts: 10
Registered: 07-17-2009

Investigating multi-factor authentication for the SA4500

We need to implement multi-factor auth on our SA devices. Anyone have any experience, recommendations or tips to share?

Distinguished Expert
muttbarker
Posts: 2,389
Registered: 01-29-2008

Re: Investigating multi-factor authentication for the SA4500

Well, pretty much any multi-factor authentication tool that is RADIUS-based will work just fine. I am sure you will get lots of replies, but I have done implementations that involved successful integrations of the following into the SA box:

RSA (various tokens)
Quest Defender (various tokens)
Cryptocard (various tokens)
SecureAuth by Multifactor (certificate based)

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
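The reply above says that any RADIUS-based token product works because the SA box is just a RADIUS client. The following is an added example (not from this thread, and not Juniper's or any vendor's code) of what that exchange looks like at the packet level per RFC 2865: the VPN sends an Access-Request carrying User-Name and an obfuscated User-Password (here the PIN plus tokencode the user typed), and the token server answers with an Access-Accept or Access-Reject whose Response Authenticator the client must verify against the shared secret. Both sides run in one process with no sockets; the server is a stand-in that compares against a constructed table of currently valid passcodes, since the real tokencode computation belongs to the token vendor. The username, passcode, NAS address and secrets are all made up for the example.

```python
"""Minimal RADIUS (RFC 2865) PAP exchange between a VPN (RADIUS client) and a
token server. Constructed example: both sides run in-process, no network I/O."""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
# RFC 2865 assigns UDP 1812 to authentication; older servers (the Windows IAS
# default discussed later in this thread) listen on the legacy port 1645.
RADIUS_AUTH_PORT, LEGACY_AUTH_PORT = 1812, 1645


def obfuscate_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def deobfuscate_password(blob, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")  # PAP passwords contain no NUL, so padding is unambiguous


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], pkt[20:]


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply came from a holder of the shared secret and answers *this* request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def client_access_request(username, passcode, secret, ident):
    """What the VPN sends; the PAP 'password' is PIN + tokencode as typed by the user."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, obfuscate_password(passcode.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),  # constructed NAS address
    ])
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return hdr + request_auth + attrs, request_auth


def server_handle(pkt, secret, valid_passcodes):
    """Stand-in token server: a real one computes the tokencode; this one compares
    against a constructed table of currently valid PIN+tokencode byte strings."""
    code, ident, request_auth, attr_bytes = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(decode_attrs(attr_bytes))
    user = attrs[USER_NAME].decode(errors="replace")
    passcode = deobfuscate_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(valid_passcodes.get(user, b""), passcode)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = encode_attrs([(REPLY_MESSAGE, b"passcode accepted" if ok else b"authentication failed")])
    auth = response_authenticator(rcode, ident, request_auth, reply, secret)
    return struct.pack("!BBH", rcode, ident, 20 + len(reply)) + auth + reply


def client_check_response(resp, sent_ident, request_auth, secret):
    """Reject replies for another request or with a bad Response Authenticator."""
    code, ident, resp_auth, attr_bytes = parse_packet(resp)
    if ident != sent_ident:
        raise ValueError("identifier mismatch")
    expected = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    return code


def run_exchange(username, passcode, client_secret, server_secret, tamper=False):
    """Drive one request/reply and return the verified reply code."""
    table = {"jdoe": b"1234" + b"582913"}  # constructed: PIN 1234 + tokencode 582913
    req, request_auth = client_access_request(username, passcode, client_secret, ident=42)
    resp = server_handle(req, server_secret, table)
    if tamper:  # flip the last byte of Reply-Message in transit
        resp = resp[:-1] + bytes([resp[-1] ^ 0xFF])
    return client_check_response(resp, 42, request_auth, client_secret)
```

Two failure modes worth noticing: a mismatched shared secret does not produce a clean reject but a garbled password on the server and a reply the client refuses to trust, and any change to the reply in transit invalidates the Response Authenticator. This is also why the shared secret, not the UDP port, is the thing to get right when a RADIUS integration "does not work".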
Trusted Contributor
rdit
Posts: 154
Registered: 07-04-2008

Re: Investigating multi-factor authentication for the SA4500

We are trying that as well right now. I successfully added Active Directory and RSA/ACE authentication servers, but I have some problems connecting to the RADIUS server. But that's more a RADIUS problem of my Windows IAS (Internet Authentication Server), which isn't able to bring up port 1812 for RADIUS. Has anyone experience with that?

Contributor
Tessian
Posts: 77
Registered: 07-07-2008

Re: Investigating multi-factor authentication for the SA4500

We deployed 2-factor auth to our VPN environment by using AD username/password as the primary and user certificates as the secondary.  All mapping is done by username, but the Realm does confirm that the certificate is legitimate (can check certain parts of the cert) before allowing them in.  This may not be an option for you, but we ended up developing a free solution to the certificates.  A developer of ours used OpenSSL for Windows and built a .NET website around it to allow users to request / generate their own certificates.  I don't know the specifics as to how he got it to work, but I didn't get the impression it was especially difficult.  The IVE is configured to trust client certs from (and only from) the CA that OpenSSL is using, and the website allows users to self-generate certs to use for it.


There are other solutions that work just as well but they will all cost.

Contributor
WiserRonin
Posts: 19
Registered: 01-08-2010

Re: Investigating multi-factor authentication for the SA4500


@rdit

I think Windows IAS RADIUS runs auth on port 1645 and accounting on port 1646.


John

Trusted Contributor
Mrkool
Posts: 252
Registered: 02-28-2008

Re: Investigating multi-factor authentication for the SA4500

We used to use RSA but have moved to VASCO (they have over 75 million users using VASCO tokens compared to 25 million for RSA). VASCO does everything that RSA does for a quarter of the cost.


SA-6500 (7.3R3) Production
MAG 4610 (7.4) Lab
Contributor
tech_dude
Posts: 36
Registered: 02-26-2009

Re: Investigating multi-factor authentication for the SA4500

We've been using the Entrust Identityguard tokens with good success. 


We got them for virtually nothing. Here in Canada, the Fed Govt (PWGSC) has a govt-wide contract for all Entrust products. So we got the Entrust IdentityGuard software for free, user CALs for free, updates and support for free... so all we've had to buy is the tokens at $5 each.


Only thing I prefer about the RSA-type tokens is no button. On the Entrust tokens there is a button to generate the code, and even with a decently sized drift window, we still have users who press the button so many times the tokens become out of sync. RSA-type tokens have no buttons...

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.