hello

if you need i can help you to set on SA to work with RSA token, i don't know if you need this information for seeting RSA with junier SA and Radius Server

you do ;

you create authentication server

RSA choose type ACE server set ACE port loke 5500 you import configuration file "sdconf.rec" and after that you create New authentuication realm

and then you choos your first server example Radius or LDAP and addtional server RSA server

please let me know

thanks

Hello,

Tokenauthentication with Juniper SA to a radius proxy ("free radius" radius server) or direct securid to RSA Server works fine, but only for Hardware Tokens and SorftwareToken.

For RSA OnDemand Token (SMS Token with RSA 7.1) both solutions are not working.

Has someone a working solution, to use RSA OnDemand Token Authentication over Juniper?

Thank you for help,

br Thomas

Thomas, I have never integrated this specifc product. However most of these OTP solutions can be integrated by leveraging the support built into the SA to handle Radius access-challenge packets.

At a very high level:

1. User enters regular credentials.

2. SA sends Radius Access Request with these credentials to radius server

3. Radius server validates the credentials and sends Access Challenge to SA

4. SA presents another page to user

5. User types the OTP/sms based password/string/etc

6. SA sends this back to Radius and allows/denies login based on what the Radius server sends (accept/reject)

In terms of config this translates to:

1. Configure a Radius server as usual

2. Then under custom radius rules click on New Radius Rule

3. On the next UI

• Select Access-Challenge
• Under attribute criteria select "Reply-Message"
• Under value add a regex that matches the value returned by Radius Server in Access Challenge packet (this is the tricky bit)
• Select 'show generic login' page

Hi

Just wondering if you got this to work. I am trying to do the same thing. If so, can you outline what you did both on the Juniper and RSA to make this work?

Thanks

Hi

Thanks for the print screens. Unfortunately I already have this setup on my appliance. I'm suspecting the problem might be from the RSA side of things, unless there's further tests I can do through Juniper.

Just to add to this now, I have made a bit more progress. I now have RSA Self Service running and I can have the user request a token code through the self service page. Then this token code combined with a PIN number allows them to authenticate through Juniper.

My question is how can I bring this token code request out to the Juniper so the user doesn't have to log on to RSA self service to request the token?

Thanks

Did anyone get further with this ?

My perfect solution is:

1. User logins to Juniper with AD User/pass.

2. RSA AM sends OnDemand tokencode via SMS +/or Email.

3. User enters PIN + Tokencode.

4. User is passed through and granted access based on AD role groups.

Can anyone help ?

I am stuck on this issue as well. Anyone?