Juniper RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Arculix by SecureAuth offers a simple solution for adding MFA to Juniper VPN via its RADIUS solution. This step-by-step integration guide shows how to configure Juniper VPN to use the Arculix RADIUS MFA authentication solution.

Prerequisites

  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the vSRX device.

Arculix RADIUS Agent configuration

To integrate Arculix with your Juniper Firewall, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Juniper Firewall, check with the LDAP server to perform primary authentication, and then contact the Arculix cloud service for secondary authentication.

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the RADIUS Agent installation directory. RADIUS clients are configured in this file.

  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:

    Note

    The values should be separated by semicolons (;).

    ARA_CLIENTS = <An optional name for your Juniper>; <Internal IP address of your Juniper>; <a shared secret>

    For example, set:

    ARA_CLIENTS = Juniper;192.168.10.10/32;testing12345
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d
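
An added example, not part of the SecureAuth guide or the Arculix product: a Python check for the ARA_CLIENTS entry edited in steps 2 and 3, flagging the guide's sample secret, a secret shorter than the 16 octets RFC 2865 prefers, and a client address wider than one host. The function names, the single-entry format and the one-host policy are assumptions of this example, based only on the line shown above.

```python
import ipaddress
import secrets

MIN_SECRET_LEN = 16  # RFC 2865 prefers shared secrets of at least 16 octets
DOC_EXAMPLE_SECRET = "testing12345"  # the guide's sample value; never deploy it


def parse_ara_clients(env_text):
    """Return (name, network, secret) from the ARA_CLIENTS line of the env text."""
    for line in env_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ARA_CLIENTS":
            fields = [f.strip() for f in value.split(";")]
            if len(fields) != 3:
                raise ValueError("expected name;address;secret, got %d fields" % len(fields))
            name, address, secret = fields
            # strict=True rejects an address with host bits set, e.g. 192.168.10.10/24
            return name, ipaddress.ip_network(address, strict=True), secret
    raise ValueError("ARA_CLIENTS is not set")


def audit_ara_clients(env_text):
    """Return a list of findings; an empty list means the entry passed."""
    name, network, secret = parse_ara_clients(env_text)
    findings = []
    if network.num_addresses != 1:  # assumption: one RADIUS client per entry
        findings.append("client address %s covers %d hosts, not one device"
                        % (network, network.num_addresses))
    if secret == DOC_EXAMPLE_SECRET:
        findings.append("shared secret is the documentation example value")
    if len(secret) < MIN_SECRET_LEN:
        findings.append("shared secret is shorter than %d characters" % MIN_SECRET_LEN)
    return findings


def new_shared_secret():
    """Random secret from a URL-safe alphabet, so it never contains ';'."""
    return secrets.token_urlsafe(32)


# Constructed sample input: the guide's own example line, then a tightened one.
GUIDE_EXAMPLE = "ARA_CLIENTS = Juniper;192.168.10.10/32;testing12345\n"
HARDENED = "ARA_CLIENTS = Juniper;192.168.10.10/32;%s\n" % new_shared_secret()

if __name__ == "__main__":
    print(audit_ara_clients(GUIDE_EXAMPLE))
    print(audit_ara_clients(HARDENED))
```

The same secret value goes into the vSRX access profile, so generate it once and paste it into both places.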

Juniper vSRX device configuration

  1. Log in to your Juniper device with an administrative user account and change the mode to Configuration Mode.

    Note

    All of the subsequent steps in this guide assume that you will remain in Configuration Mode.

  2. Create an IP address pool for your VPN clients:

    set access address-assignment pool vpn-pool family inet network <addresses for your VPN clients> xauth-attributes primary-dns <the IP address of the DNS server>
  3. Create an access profile for the RADIUS Agent by entering the following commands.

    set access profile arculix-radius authentication-order radius
    set access profile arculix-radius address-assignment pool vpn-pool
    set access profile arculix-radius radius-server <the RADIUS Agent IP address> timeout 120 retry 2 secret <the shared secret configured in the Arculix RADIUS Agent>
    commit

    Note

    The timeout is extended to give users enough time to authenticate the push notification. You can reduce this timeout based on user feedback.

    The number of retries by default is 2, but you can remove it if you do not wish to give the user multiple authentication attempts.

  4. Create an IKE proposal configuration by entering the following commands. You may need to customize this configuration depending on your security policy; this example is just the basic setup.

    set security ike proposal ike-proposal1 authentication-method pre-shared-keys
    set security ike proposal ike-proposal1 dh-group group20
    set security ike proposal ike-proposal1 authentication-algorithm sha-384
    set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
    set security ike proposal ike-proposal1 lifetime-seconds 86400
    commit
  5. Create a policy that uses the proposal above and authenticates the client using a pre-shared key:

    set security ike policy ike-policy1 mode aggressive
    set security ike policy ike-policy1 proposals ike-proposal1
    set security ike policy ike-policy1 pre-shared-key ascii-text <the preshared key for your clients>
    commit
  6. Create a gateway to terminate the VPN connections.

    Note

    The user-at-hostname and connections-limit are dependent on your environment and your Juniper license, respectively.

    set security ike gateway gateway1 ike-policy ike-policy1
    set security ike gateway gateway1 dynamic user-at-hostname <user@junipervpn.example.com>
    set security ike gateway gateway1 dynamic connections-limit <X>
    set security ike gateway gateway1 external-interface <interfaceX>
    set security ike gateway gateway1 version v1-only
    commit
  7. Create a tunnel interface that is going to handle the traffic between the external and internal zones.

    set interfaces st0 unit 0 family inet
    commit
  8. Create an IPSEC proposal for VPN clients.

    set security ipsec proposal ipsec-proposal1 protocol esp
    set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
    set security ipsec proposal ipsec-proposal1 lifetime-seconds 32400
    commit
  9. Create an IPSEC policy for the VPN clients.

    set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
    set security ipsec policy ipsec-policy proposals ipsec-proposal1
    commit
  10. Create the VPN. Bind the tunnel interface, gateway, and policy, and define the associated traffic selectors.

    set security ipsec vpn remote-vpn1 bind-interface st0.0
    set security ipsec vpn remote-vpn1 ike gateway gateway1
    set security ipsec vpn remote-vpn1 ipsec-policy ipsec-policy
    set security ipsec vpn remote-vpn1 traffic-selector ts1 local-ip 10.0.0.0/24
    set security ipsec vpn remote-vpn1 traffic-selector ts1 remote-ip 0.0.0.0/0

NCP VPN client configuration

  1. Open the NCP user interface and select the Configuration tab. Click Profiles.

  2. The profile configuration menu appears. Click Add.

  3. In the new profile wizard window, select Manually configure profile and click Next.

  4. Enter a friendly name for the new VPN client configuration in the Profile Name field and select Next.

  5. Select the media over which the VPN is going to be connected. In this example, we are using LAN. Then, select Next.

  6. Select the usage of certificates to authenticate the client. Certificates are recommended. Select Next.

  7. Configure the VPN gateway and then select Next.

  8. Select the Diffie-Hellman (DH) group to use. This group must match the DH group configured in the vSRX device. Select Next.

  9. Select the user identity that identifies the tunnel to the device. In this example, we are using user@domain. It must match the configuration from step 8 of “Configure the Juniper vSRX device.” Click Finish.

  10. When the profile configuration menu appears, select Edit > IPSEC General Settings. Review the settings and ensure they exactly match the configuration on the vSRX device.

  11. Optionally, you may select Policy Editor and create IKE and IPSEC policies that match the configuration in the vSRX device.

  12. Edit the IKE policy by providing a valid name and setting the authentication method for the tunnel, encryption, and hashing algorithms to match the tunnel IKE configuration. Then select OK.

  13. Edit the IPSEC policy. Provide a friendly name and select the Protocol, Encryption, and Authentication algorithms that match the tunnel IPSEC configuration. Then select OK.
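
An added example, not part of the SecureAuth guide: a Python helper that reads the vSRX `set` commands and lists the IKE and IPsec values the NCP profile has to mirror (wizard step 8 and steps 10 to 13), then reports any client setting that differs. The `ike.` / `ipsec.` key names are this example's own convention, not NCP field names, and the client values are constructed.

```python
import re

# Constructed input: crypto-relevant set commands copied from the vSRX steps of this guide.
VSRX_CONFIG = """\
set security ike proposal ike-proposal1 dh-group group20
set security ike proposal ike-proposal1 authentication-algorithm sha-384
set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal1 lifetime-seconds 86400
set security ike policy ike-policy1 mode aggressive
set security ike gateway gateway1 version v1-only
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal1 lifetime-seconds 32400
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
"""

# Only these keywords are collected, so a pre-shared-key line is never echoed back.
WANTED = {"dh-group", "authentication-algorithm", "encryption-algorithm",
          "lifetime-seconds", "mode", "version", "protocol",
          "perfect-forward-secrecy keys"}
# set security <ike|ipsec> <object type> <object name> <keyword...> <value>
SET_RE = re.compile(r"^set security (ike|ipsec) (?:proposal|policy|gateway) \S+ (.+) (\S+)$")


def tunnel_parameters(config_text):
    """Map 'ike.dh-group'-style keys to the values the VPN client has to mirror."""
    params = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m and m.group(2) in WANTED:
            phase, keyword, value = m.groups()
            params["%s.%s" % (phase, keyword.replace(" ", "-"))] = value
    return params


def mismatches(server, client):
    """Return {key: (server value, client value)} for every setting that differs."""
    return {k: (v, client.get(k)) for k, v in sorted(server.items()) if client.get(k) != v}


# Constructed client profile: same as the vSRX except for two typical slips.
CLIENT = dict(tunnel_parameters(VSRX_CONFIG),
              **{"ike.dh-group": "group14", "ipsec.lifetime-seconds": "28800"})

if __name__ == "__main__":
    for key, (srv, cli) in mismatches(tunnel_parameters(VSRX_CONFIG), CLIENT).items():
        print("%s: vSRX=%s client=%s" % (key, srv, cli))
```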


Test your application integration

  1. Open the newly configured NCP VPN client and select the sliding control to connect to the Internet.

  2. The VPN client prompts the user for authentication. The user must input a valid Active Directory username and password.

  3. The VPN client sends the credentials to the vSRX device, and the vSRX authenticates the user to RADIUS. If the user’s credentials are correct, the user is prompted to approve the authentication by the Arculix Mobile application, and is then logged in.

  4. What to look for if the connection is unsuccessful:

    1. If login fails, displaying the message “PAP/CHAP error Wrong User ID or password (VPN)”: The user has most likely mistyped their password or has not acknowledged the push notification from the Arculix Mobile application.

    2. If the message “VPN error RECV-MSG2-AGGR-PSK -> invalid preshared key,” is displayed: Go to Configuration, select Profiles, edit the profile in use, select Identities and check the pre-shared configuration by re-typing the pre-shared key.

    3. If the message “VPN error Could not resolve VPN gateway name (DNS),” is displayed: Ensure that your DNS server can resolve the host you are trying to contact. For example, use the ping command.

    4. If the message “VPN error Connection to VPN gateway failed. Please check your internet connection,” is displayed: Verify if the security zone or any in-between firewall is blocking IPSEC connections.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.