Access Challenge Page not prompting for 2FA authentication

Hi, I set up SSL/VPN MAG6610 + SendQuick Conexa for 2FA authentication. In MAG6610 I configured the RADIUS server pointing to SendQuick and configured the realms to use SendQuick as the authentication server. The problem is that when I tried to log in using my AD account, no access challenge page appears, but I received the SMS for the OTP, until the login error says "username/password was invalid". I tried to log in to the old system and there seems to be no issue with my credentials. This is an upgrade from SA4000 series to MAG6610 with the same system configurations inside. The user logs in the Juniper SSL VPN say that SendQuick was unreachable. I've checked the connections between the two boxes but there seem to be no issues, and there is no firewall policy that blocks the traffic between them. Is there any special configuration for 2FA in MAG6610? I could not see any documents on configuring MAG6610 for 2FA with SendQuick. I just used the reference guide for configuring the SA series with SendQuick. Please advise.

Thanks

Valued Contributor

Re: Access Challenge Page not prompting for 2FA authentication

Windows Pulse supports two-factor, just as it does on OS X, iOS, etc. You are most definitely not limited to certs.





Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Valued Contributor

Re: Access Challenge Page not prompting for 2FA authentication

The MAG and your old SA4000 are functionally the same from a code perspective. So if it worked on the SA4000 it should most certainly work on the MAG. I'm guessing you checked all the basic stuff like making sure you can ping, the shared secret is matching on both sides, etc. 

Have you done a packet capture? 





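What a capture between the gateway and the RADIUS server can show, as an added example that is not part of any poster's reply: this Python code parses RADIUS payloads per RFC 2865 and reports, for each Access-Request, whether an Access-Challenge (with its State attribute and prompt text) came back or no reply was seen. The packets, the user name and the helper names (`parse_radius`, `summarize`, `build`) are constructed for illustration.

```python
import struct

# Codes and attribute types from RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE, STATE = 18, 24

def parse_radius(data):
    """Parse one RADIUS packet (UDP payload) into code name, id and attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def summarize(payloads):
    """Map each Access-Request id to the reply seen for it, or 'no reply'."""
    result = {}
    for raw in payloads:
        pkt = parse_radius(raw)
        if pkt["code"] == "Access-Request":
            result.setdefault(pkt["id"], "no reply")  # retransmits keep their entry
        elif pkt["id"] in result:
            note = pkt["code"]
            if pkt["code"] == "Access-Challenge":
                state = "present" if STATE in pkt["attrs"] else "missing"
                msg = b"".join(pkt["attrs"].get(REPLY_MESSAGE, [])).decode("utf-8", "replace")
                note += f" (State {state}, prompt={msg!r})"
            result[pkt["id"]] = note
    return result

def build(code, ident, attrs=()):
    """Build a constructed sample packet; the authenticator is zero-filled, not valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed capture: request 7 is challenged, request 8 is never answered.
SAMPLE = [build(1, 7, [(1, b"alice")]),
          build(11, 7, [(REPLY_MESSAGE, b"Enter OTP"), (STATE, b"\x01\x02")]),
          build(1, 8, [(1, b"alice")])]
print(summarize(SAMPLE))
```

To use it on a real capture, pass the UDP payloads exchanged with the RADIUS server, in capture order, to `summarize`.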
Frequent Contributor

Re: Access Challenge Page not prompting for 2FA authentication

I am pretty sure desktop Pulse doesn't support any 2nd factor other than a cert. So if your one factor is LDAP then the other would need to be a cert. We just raised the same question and that's the answer we got. Of course we responded that that was unacceptable, but I'm sure that fell on deaf ears. There are so many multi-factor auth products out there, and for Pulse not to support them and only support certs is insane. Pulse on iOS supports other methods though.

If you find out info to the contrary please post back here.
Frequent Contributor

Re: Access Challenge Page not prompting for 2FA authentication

Perhaps I misspoke. What I meant to say was Pulse Desktop does do 2 factor. It most definitely cannot do two factor with SAML as the 2nd factor.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB23406&actp=search&viewlocale=en_US&sear...

I had thought we were told certs were the only 2nd factor that could be used, but perhaps that is not true.

Frequent Contributor

Re: Access Challenge Page not prompting for 2FA authentication

I have a similar problem with SA6500 and Junos Pulse (mobile and desktop)... but via a normal browser it works fine.

In my case, it doesn't show the challenge, but accepts it, after user+passwd was validated with success.