How to use RSA OnDemand with Juniper?

Occasional Contributor

Hi,

We plan to use RSA OnDemand Token (SMS Token) for Juniper login, in addition to the existing RSA Hardware Token.

We use the freeradius radius server and not the OSC radiator radius server between Juniper and RSA Server.

Does anyone have experience with this solution?

Thank you,

br Thomas

10 REPLIES
Contributor

Re: How to use RSA OnDemand with Juniper?

Hello,

If you need, I can help you set up the SA to work with RSA tokens. I don't know if you need this information for setting up RSA with the Juniper SA and a RADIUS server.

You do the following:

You create an authentication server.

For RSA, choose type ACE server, set the ACE port, like 5500, import the configuration file "sdconf.rec", and after that create a new authentication realm,

and then you choose your first server, for example RADIUS or LDAP, and the RSA server as the additional server.

Please let me know.

Thanks

Occasional Contributor

Re: How to use RSA OnDemand with Juniper?

Hello,

Token authentication with Juniper SA to a radius proxy ("free radius" radius server) or direct SecurID to RSA Server works fine, but only for Hardware Tokens and Software Tokens.

For RSA OnDemand Token (SMS Token with RSA 7.1) both solutions are not working.

Does anyone have a working solution for using RSA OnDemand Token authentication over Juniper?

Thank you for your help,

br Thomas

Regular Contributor

Re: How to use RSA OnDemand with Juniper?

Thomas, I have never integrated this specific product. However, most of these OTP solutions can be integrated by leveraging the support built into the SA to handle Radius access-challenge packets.

At a very high level:

1. User enters regular credentials.

2. SA sends Radius Access Request with these credentials to radius server

3. Radius server validates the credentials and sends Access Challenge to SA

4. SA presents another page to user

5. User types the OTP/sms based password/string/etc

6. SA sends this back to Radius and allows/denies login based on what the Radius server sends (accept/reject)

In terms of config this translates to:

1. Configure a Radius server as usual

2. Then under custom radius rules click on New Radius Rule

3. On the next UI

  • Select Access-Challenge
  • Under attribute criteria select "Reply-Message"
  • Under value add a regex that matches the value returned by Radius Server in Access Challenge packet (this is the tricky bit)
  • Select 'show generic login' page

These steps should work with any OTP solution that uses Radius access-challenge mechanism.
Frequent Contributor

Re: How to use RSA OnDemand with Juniper?

Hi

Just wondering if you got this to work. I am trying to do the same thing. If so, can you outline what you did both on the Juniper and RSA to make this work?

Thanks

Valued Contributor

Re: How to use RSA OnDemand with Juniper?

Here are a couple of screen shots that show the Juniper setup for the Radius component. This is for Quest Defender but I have done similar with RSA. Hope this helps a little.
Frequent Contributor

Re: How to use RSA OnDemand with Juniper?

Hi

Thanks for the print screens. Unfortunately I already have this setup on my appliance. I'm suspecting the problem might be from the RSA side of things, unless there are further tests I can do through Juniper.

Frequent Contributor

Re: How to use RSA OnDemand with Juniper?

Just to add to this now, I have made a bit more progress. I now have RSA Self Service running and I can have the user request a token code through the self service page. Then this token code combined with a PIN number allows them to authenticate through Juniper.

My question is how can I bring this token code request out to the Juniper so the user doesn't have to log on to RSA self service to request the token?

Thanks

New Contributor

Re: How to use RSA OnDemand with Juniper?

Did anyone get further with this?

My perfect solution is:

1. User logs in to Juniper with AD User/pass.

2. RSA AM sends OnDemand tokencode via SMS +/or Email.

3. User enters PIN + Tokencode.

4. User is passed through and granted access based on AD role groups.

Can anyone help?

New Contributor

Re: How to use RSA OnDemand with Juniper?

I am stuck on this issue as well. Anyone?