Configuring Juniper SSL VPN

You must configure the Juniper SSL VPN appliance after you have successfully configured the RADIUS protocol support and added a RADIUS client in AuthMinder.

To configure the Juniper SSL VPN appliance:

  1. Log in to Juniper SSL VPN Administration Console.

    The login screen of the Juniper SSL VPN Administration Console opens.

    On successful authentication, the Juniper SSL VPN appliance grants access to the user.

  2. Add an authentication server for the RADIUS-based authentication, as follows:
    1. In the left pane, click Auth Servers in the Authentication section.

      The Authentication Servers page opens.

    2. From the New drop-down list, select Radius Server and then click New Server.

      The New Radius Server page opens.

    3. Use the following field descriptions to complete the fields in the first section of this page (each field is marked Required or Optional):
      • Name (Required): Specify a name for the RADIUS Server.
      • NAS-Identifier (Optional, if NAS-IP-Address is specified): Specify the Fully Qualified Domain Name (FQDN) that the client uses to identify itself to the RADIUS server.
      • Radius Server (Required): Specify the FQDN or IP address of the RADIUS Server.
      • Authentication Port (Required): Specify the port on which the RADIUS Server is available. Default value: 1812
      • Shared Secret (Required): The shared secret that you specify here must match the Shared Secret Key value that you specified on the RADIUS Configuration page while configuring AuthMinder.
      • Accounting Port (Required): Specify the port on which the RADIUS accounting service is available. Default value: 1813
      • NAS-IP-Address (Optional, if NAS-Identifier is specified): Specify the IP address that the client uses to identify itself to the RADIUS server.
      • Timeout (Required): Specify the time (in seconds) before the system times out.
      • Retries (Required): Specify the number of times a user is allowed to try to authenticate.

    4. Select the Users authenticate using tokens or one-time passwords check box.
    5. Similarly, refer to the preceding field descriptions to specify information for the Backup server section.
    6. (Optional) Specify the information in the Radius accounting section, if you are using an authorization server.
    7. (Optional) Specify the information in the Custom Radius Rules section, if required.
    8. Click Save Changes to add the new server to the list.
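
As an added check that is not part of this guide or of the AuthMinder product, the following Python script builds the same kind of RADIUS Access-Request the appliance sends using the fields above (server address, authentication port 1812, shared secret, NAS-Identifier) and validates the Response Authenticator of the reply, which fails whenever the shared secret on the appliance does not match the Shared Secret Key configured in AuthMinder. The server address, shared secret, NAS-Identifier and test user are constructed placeholders.

```python
import hashlib, os, socket, struct
# Constructed values for illustration only; substitute the settings of your own appliance.
RADIUS_SERVER = ("192.0.2.10", 1812)      # "Radius Server" and "Authentication Port" fields
SHARED_SECRET = b"example-shared-secret"   # must equal AuthMinder's Shared Secret Key
NAS_IDENTIFIER = b"vpn.example.com"        # "NAS-Identifier" field
ACCESS_REQUEST, REPLY_NAMES = 1, {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def attr(atype, value):
    # One attribute as Type, Length, Value (RFC 2865 section 5).
    return struct.pack("BB", atype, len(value) + 2) + value

def pap_encrypt(password, secret, authenticator):
    # RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_id):
    # Access-Request with User-Name, User-Password and NAS-Identifier, as the appliance sends it.
    authenticator = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_response(code, ident, attrs, request_authenticator, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    # Recompute the authenticator; a mismatch means a different shared secret or a tampered reply.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    return build_response(response[0], response[1], response[20:], request_authenticator, secret) == response

def probe(username, otp, server=RADIUS_SERVER, secret=SHARED_SECRET, timeout=5.0):
    packet, authenticator = build_access_request(1, username, otp, secret, NAS_IDENTIFIER)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, server)
        reply, _ = sock.recvfrom(4096)
    if not response_is_authentic(reply, authenticator, secret):
        return "reply failed the Response Authenticator check (shared secret mismatch?)"
    return REPLY_NAMES.get(reply[0], "unexpected code %d" % reply[0])
```

After substituting your own values, call probe(b"testuser", b"<current OTP>") from a host that is allowed to reach the RADIUS port; an Access-Accept for a valid OTP and an Access-Reject for a wrong one confirm that server, port and shared secret agree on both sides.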
  3. Define a user realm for the new authentication server that you added in Step 2.
    1. In the Users section, point to User Realms, and then click New User Realm.

      The New Authentication Realm page opens.

    2. On the New Authentication Realm page, enter the following information:
      • Name: Enter the name of the new realm that you are creating.

      Note: Ensure that the realm name you specify clearly describes the user community so that users can identify the realm correctly.

      • Description: Enter a description for the realm.
      • Authentication: Select the authentication server that you added in Step 2 from the list.
      • Accounting: Select None from the drop-down list.
    3. Click Save Changes to add the new realm.
  4. Define a role mapping rule for the realm that you created in Step 3.
    1. In the Users section, point to User Realms, point to the realm created in Step 3, and then click Role Mapping.

      The Role Mapping Rule page opens.

    2. Click New Rule.

      The new Role Mapping Rule page opens.

    3. On the Role Mapping Rule page, enter the following information:
      • Rule based on: Select Username from the drop-down list.
      • Name: Enter the name of the new rule that you are creating.
      • Rule: If username: Select is from the drop-down list and enter * in the text box, which indicates that the rule applies to all users.
      • To assign this rule to a role, select the role in the Available Roles list and click the Add button to add the selected role to the Selected Roles list. For example, add the Users role to the Selected Roles list.
    4. Click Save Changes to add the new role mapping rule.
  5. Change the user's network connect client type.
    1. In the Users section, point to User Roles, and then click Users (the role selected in substep 3 of the preceding step).

      The Users role page opens.

    2. Under Network Connect, select the Network Connect option.
    3. Click Save Changes to change the network connect client type.
  6. Upload custom sign-in pages.
    1. In the Authentication section, point to Signing In, and then click Sign-in Pages.

      The Signing In page opens.

    2. Click Upload Custom Pages.

      The Upload Custom Sign-In Pages screen opens.

    3. In the right pane, under the Sample Template Files section, click Sample to download the Sample.zip file.
    4. Extract the contents of the Sample.zip file.
    5. Locate the LoginPage.thtml file shipped with the sample application, and open it in a text editor.
    6. Locate the JavaScript function deletepreauth() and include the following code before the closing </script> tag:
      function delegateAuthentication() {
          // Remove the username input from the form before it is submitted.
          var toberemoved = document.getElementsByTagName("input");
          var loginAction = document.frmLogin.action;
          var browserUrl = window.location;
          for (var i = 0; i < toberemoved.length; i++) {
              var name = toberemoved[i].getAttribute("name");
              if (name == "username") {
                  var parentNode = toberemoved[i].parentNode;
                  parentNode.removeChild(toberemoved[i]);
              }
          }
          // Pass the original login.cgi action and the current browser URL to AFM in hidden fields.
          document.getElementById("posturl").value = loginAction;
          document.getElementById("browserurl").value = browserUrl;
          // Redirect the sign-in to the Authentication Flow Manager profile.
          document.frmLogin.action =
              "https://host_name:port/arcotafm/master.jsp?profile=arcotidrisk";
          document.frmLogin.submit();
      }


      Note: In the preceding code, replace host_name and port with the host name and port of the server hosting Authentication Flow Manager (arcotafm). The profile name arcotidrisk is the AFM profile that was created by using the Wizard and that supports SSL VPN integration.

    7. Replace the code within the <form> and </form> tags with the following code:

      Note: In the following code, replace the form's action parameter (login.cgi) with the complete URL of the login.cgi file hosted on the Juniper SSL VPN appliance. Contact the Juniper SSL VPN administrator to get the complete URL assigned to the login.cgi page.

      <form name="frmLogin" action="login.cgi" method="POST" autocomplete="off"
            onsubmit="return Login(<% setcookies %>)">
        <input type="hidden" name="tz_offset">
        <input type="hidden" name="vpn" value="true">
        <input type="hidden" name="type" value="juniper_lite">
        <input id="posturl" type="hidden" name="posturl" value="">
        <input id="browserurl" type="hidden" name="browserurl" value="">
        <input id="errormessage" type="hidden" name="errormessage" value="<% LoginPageErrorMessage %>">
        <table border="0" cellpadding="2" cellspacing="0">
          <tr>
            <td nowrap colspan="3"><b><% welcome FILTER verbatim %></b></td>
          </tr>
          <tr>
            <td nowrap colspan="3"><span class="cssLarge"><b><% portal FILTER verbatim %></b></span></td>
          </tr>
          <tr>
            <td colspan="3">&nbsp;</td>
          </tr>
          <% IF LoginPageErrorMessage %>
          <tr>
            <td colspan="3">
              <table cellpadding="1" bgcolor="#cccc99"><tr><td>
                <table cellpadding="2" bgcolor="#FFFFCC"><tr><td>
                  <% LoginPageErrorMessage %>
                </td></tr></table>
              </td></tr></table>
            </td>
          </tr>
          <% END %>
          <tr>
            <td valign="top">
              <table border="0" cellspacing="0" cellpadding="2">
                <% IF !AnonymousAuthentication && !CertificateAuthentication && !SAMLAuthentication %>
                <% FOREACH prompt = prompts %>
                <% NEXT IF !prompt.required %>
                <% END %>
                <tr>
                  <% IF RealmList.size == 0 %>
                  <td><% realm %></td><td>&nbsp;</td><td>
                    <input type="text" name="realm" value="" size="20">
                  </td>
                  <% ELSIF RealmList.size == 1 %>
                  <input type="hidden" name="realm" value="<% RealmList.0 %>">
                  <script type="text/javascript">
                    delegateAuthentication();
                  </script>
                  <% ELSE %>
                  <td><% realm %></td><td>&nbsp;</td><td>
                    <select size="1" name="realm">
                      <% FOREACH r = RealmList %>
                      <option value="<% r %>"><% r %></option>
                      <% END %>
                    </select>
                  </td>
                  <% END %>
                </tr>
                <% ELSE %>
                <tr>
                  <input type="hidden" name="realm" value="<% RealmList.0 %>">
                  <script type="text/javascript">
                    delegateAuthentication();
                  </script>
                </tr>
                <% END %>
                <tr>
                  <td colspan="3">&nbsp;</td>
                </tr>
                <tr>
                  <td>&nbsp;</td>
                  <td>&nbsp;</td>
                  <td><input type="button" value="Continue" name="btnSubmit"
                             onclick="javascript: delegateAuthentication()">&nbsp;
                    <% IF help_on %>
                    <input type="submit" name="help" value="<% help %>"
                           onclick='window.open("welcome.cgi?p=help", "wndHelp",
                           "height=400,width=500,resizeable=yes,scrollbars=yes"); return false;'>
                    <% END %>
                  </td>
                </tr>
                <% IF admin %>
                <tr>
                  <td colspan="3">&nbsp;</td>
                </tr>
                <tr>
                  <td colspan="3" align="center">
                    <table border="0" cellspacing="0" cellpadding="1" width="220">
                      <tr>
                        <td width="220" bgcolor="#CCCC99">
                          <table border="0" cellpadding="2" cellspacing="0" width="220">
                            <tr>
                              <td bgcolor="#FFFFCC">Note: This is the <br><b>Administrator Sign-In Page</b>.
                                <br><br>If you don't want to sign in as an Administrator, return to the
                                <a href="<% enduserSigninURL %>">standard Sign-In Page</a>.
                              </td>
                            </tr>
                          </table>
                        </td>
                      </tr>
                    </table>
                  </td>
                </tr>
                <% END %>
              </table>
            </td>
            <td valign="top">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
            <td valign="top">
              <table border="0" cellspacing="0" cellpadding="2">
                <tr><td>Please select a Realm and continue</td></tr>
              </table>
            </td>
          </tr>
        </table>
      </form>
      
    8. Save and close the LoginPage.thtml file.
    9. Update the LoginPage.thtml file in Sample.zip with the LoginPage.thtml file that you edited in the preceding step.
    10. On the Upload Custom Sign-In Pages screen, in the Name field, enter the name (for example, Adapter Sign-in Page) that you will use to reference the custom sign-in pages.
    11. In the Templates File field, click Browse and navigate to the location of the custom templates (the updated Sample.zip from substep 9).
    12. Click Upload Custom Pages to use the sign-in page provided by CA.

      The "Successfully created new Custom Sign-In page." message appears.

  7. Define a user URL that will be used for authentication.
    1. In the Authentication section, point to Signing In, and then click Sign-in Policies.

      The Signing In page opens.

    2. Click New URL.

      The New Sign-in Policy page opens.

    3. On the New Sign-in Policy page, specify the following information:
      • User type: Select Users.
      • Sign-in URL: Specify the URL that will be used to access the custom login page that you created. For example, specify the afmlogin URL.
      • Sign-in page: Select the Sign-in page that you created (AFM Sign-in Page).
    4. In the Authentication realm section, specify the following:
      • Select User picks from a list of authentication realms to let the user choose the realm to log in to.
      • Select the realm that you created in the Available realms list and click Add to add the selected realm to the Selected realms list.
    5. Click Save Changes to save the changes you made.