I am wondering if any Juniper SA/MAG VPN solutions allow a remote workstation in a public space, such as a kiosk, to establish VPN connectivity without a user ID login prompt?
Thanks in advance!
You can use a smartcard, or a similar solution, combined with certificate authentication on the Juniper for seamless login. For additional verification you can use Host Checker to verify the device certificate.
If you own the device in the kiosk then, as Chris said, you can use certificate-based authentication. If you use the Pulse client with an appropriate location awareness condition, you can have it connect automatically when the machine boots, so it would require no user interaction.
If you have control of the machines, machine authentication with certificates is your best bet, as previously indicated.
If you do not, your option is limited to anonymous authentication, which allows anyone in if they know the URL (read: not secured by anything other than SSL). You can add source IP restrictions if the connection comes from a static, known-good address; but it is hard to have any security on an anonymous connection.
With both the Network Connect and Pulse clients, there is a CLI that you might be able to use for a scripted login. Use it with caution, however, as there could be a risk of password exposure.
Thanks for everyone's replies and valuable advice, much appreciated!
If I use two-factor authentication with a user/computer certificate as the first authentication and LDAP as the secondary authentication, the LDAP authentication will request the user ID and password to be provided, and this will cause the login prompt. Are there any ways to suppress the login prompt? If I use a RADIUS service for the LDAP authentication instead of connecting to the LDAP server directly from the SA/MAG gateway, will that work as expected?
Thank you for confirming how you are connecting.
No, there is no way to avoid the username and password prompt when using this type of authentication. The only option that can be done without user interaction is certificate.
What is the purpose of the secondary LDAP authentication?
If, for example, you are just looking to check group membership for role mapping, you don't actually need to authenticate to LDAP. All you need is for the user ID in the certificate to match that LDAP user ID, and to set the Directory/Attribute server to be the LDAP server.
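The reply above describes the certificate-plus-attribute-server pattern: the gateway takes the user ID from a certificate attribute, looks that ID up in the directory without binding with a password, and maps the returned groups to roles. The following is an added example, written for this thread and not code from the original posts or from Juniper, that models that flow with Go's standard library. It assumes the CA puts the directory uid in the subject CN; the directory contents, the group-to-role mapping and the helper makeCert are constructed for the example. It also shows the case raised later in the thread: a device certificate whose CN is a hostname matches no directory user and so yields no roles.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the LDAP directory (attribute server): uid -> groups.
var ldapDirectory = map[string][]string{
	"jdoe":   {"vpn-users", "kiosk-admins"},
	"asmith": {"vpn-users"},
}

// Constructed role-mapping rules on the gateway: directory group -> role.
var roleMapping = map[string]string{
	"vpn-users":    "Kiosk-Basic",
	"kiosk-admins": "Kiosk-Admin",
}

// makeCert is a hypothetical helper that issues a short-lived self-signed
// client certificate so the example runs offline. cn becomes the subject CN;
// dns and emails populate the Subject Alternative Name extension.
func makeCert(cn string, dns, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		DNSNames:       dns,
		EmailAddresses: emails,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// UserIDFromCert is the "user ID in the certificate" step. The gateway is
// configured to read the login name from one certificate attribute; the
// assumption here is that the CA writes the directory uid into the subject CN.
func UserIDFromCert(cert *x509.Certificate) string {
	return cert.Subject.CommonName
}

// RolesForCert performs the directory lookup as an attribute server: no bind
// with the user's password, just a lookup of the extracted uid. Groups found
// are mapped to roles. Returns nil when no directory user matches, which is
// what happens for a device certificate whose CN is a hostname.
func RolesForCert(cert *x509.Certificate) []string {
	uid := UserIDFromCert(cert)
	groups, ok := ldapDirectory[uid]
	if !ok {
		return nil
	}
	var roles []string
	for _, g := range groups {
		if r, found := roleMapping[g]; found {
			roles = append(roles, r)
		}
	}
	return roles
}

func main() {
	// Constructed inputs: one user certificate, one device certificate.
	userCert, err := makeCert("jdoe", nil, []string{"jdoe@example.com"})
	if err != nil {
		panic(err)
	}
	deviceCert, err := makeCert("kiosk-01.example.com", []string{"kiosk-01.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("user cert roles:  ", RolesForCert(userCert))   // [Kiosk-Basic Kiosk-Admin]
	fmt.Println("device cert roles:", RolesForCert(deviceCert)) // []
}
```

The point to take from the second result is the one the thread converges on: a certificate that identifies the machine rather than a person carries nothing the attribute server can match, so it cannot drive user-based role mapping without a second, interactive factor.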
Thanks for the replies from zanyterp and dcvers.
I am thinking of using a device cert, which doesn't include attributes such as user ID info integrated into the cert, and that's why I want to use a 2nd factor (LDAP or something else). If the login prompt cannot be automated, I might have to look for other options.