We plan to use RSA OnDemand Token (SMS Token) for Juniper login, in addition to the existing RSA Hardware Token.
We use the FreeRADIUS RADIUS server and not the OSC Radiator RADIUS server between Juniper and the RSA server.
Does anyone have experience with this solution?
If you need it, I can help you set up the SA to work with the RSA token. I don't know if you need this information for setting up RSA with Juniper SA and a RADIUS server.
You do:
You create an authentication server.
For RSA, choose type ACE server, set the ACE port (like 5500), import the configuration file "sdconf.rec", and after that create a new authentication realm,
and then you choose your first server (for example RADIUS or LDAP) and an additional server, the RSA server.
Please let me know.
Token authentication with Juniper SA to a RADIUS proxy ("free radius" RADIUS server) or direct SecurID to the RSA server works fine, but only for hardware tokens and software tokens.
For RSA OnDemand Token (SMS Token with RSA 7.1) neither solution is working.
Does anyone have a working solution to use RSA OnDemand Token authentication over Juniper?
Thank you for your help,
Thomas, I have never integrated this specific product. However, most of these OTP solutions can be integrated by leveraging the support built into the SA to handle RADIUS Access-Challenge packets.
At a very high level:
1. User enters regular credentials.
2. SA sends a RADIUS Access-Request with these credentials to the RADIUS server.
3. RADIUS server validates the credentials and sends an Access-Challenge to the SA.
4. SA presents another page to the user.
5. User types the OTP/SMS-based password/string/etc.
6. SA sends this back to RADIUS and allows/denies login based on what the RADIUS server sends (Accept/Reject).
In terms of config this translates to:
1. Configure a RADIUS server as usual.
2. Then under custom RADIUS rules click on New Radius Rule.
3. On the next UI
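The two-round-trip Access-Challenge flow described above, modelled as an added example (not code from this thread, the SA, FreeRADIUS or RSA AM): a minimal RADIUS-style server that validates the first factor, issues a State and an SMS tokencode, and on the second request checks PIN + tokencode, rejecting expired or replayed State values. The user record, PIN, tokencode delivery and 120-second lifetime are all constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed sample data: first-factor password and RSA PIN for one user.
USERS = {"thomas": {"password": "Passw0rd!", "pin": "1234"}}
PENDING = {}            # State value -> (user, expected PIN+tokencode, expiry)
PHONE_INBOX = {}        # user -> last tokencode "delivered" by SMS (simulation)
CHALLENGE_TTL = 120     # seconds the tokencode stays valid (assumed value)

def send_ondemand_tokencode(user):
    """Stand-in for RSA AM delivering an OnDemand tokencode by SMS/email."""
    code = f"{secrets.randbelow(10**6):06d}"
    PHONE_INBOX[user] = code
    return code

def same(a, b):
    """Constant-time comparison of two secret strings."""
    return hmac.compare_digest(a.encode(), b.encode())

def handle_access_request(pkt, now=None):
    """Server side: one Access-Request in, one Access-Challenge/Accept/Reject out."""
    now = time.time() if now is None else now
    user, pw, state = pkt.get("User-Name"), pkt.get("User-Password", ""), pkt.get("State")
    if state is None:
        # First round trip: check primary credentials, then challenge for the OTP.
        rec = USERS.get(user)
        if rec is None or not same(rec["password"], pw):
            return {"Code": "Access-Reject"}
        state = secrets.token_hex(16)   # opaque, unguessable, single use
        PENDING[state] = (user, rec["pin"] + send_ondemand_tokencode(user), now + CHALLENGE_TTL)
        return {"Code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter your PIN followed by the tokencode sent to your phone"}
    # Second round trip: the SA echoes State and sends PIN+tokencode as User-Password.
    entry = PENDING.pop(state, None)           # pop: a State can be answered only once
    if entry is None or entry[0] != user or now > entry[2]:
        return {"Code": "Access-Reject"}
    return {"Code": "Access-Accept" if same(entry[1], pw) else "Access-Reject"}

def sa_login(user, password, second_factor, now=None):
    """Client side (the SA): drives both round trips and returns the final Code."""
    first = handle_access_request({"User-Name": user, "User-Password": password}, now)
    if first["Code"] != "Access-Challenge":
        return first["Code"]
    # The SA shows Reply-Message on a new page, then sends the answer with State.
    answer = second_factor(first["Reply-Message"])
    second = handle_access_request({"User-Name": user, "User-Password": answer,
                                    "State": first["State"]}, now)
    return second["Code"]
```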
Just wondering if you got this to work. I am trying to do the same thing. If so, can you outline what you did both on the Juniper and RSA to make this work?
Thanks for the print screens. Unfortunately I already have this setup on my appliance. I'm suspecting the problem might be on the RSA side of things, unless there are further tests I can do through Juniper.
Just to add to this now, I have made a bit more progress. I now have RSA Self Service running and I can have the user request a token code through the self service page. Then this token code combined with a PIN number allows them to authenticate through Juniper.
My question is how can I bring this token code request out to the Juniper so the user doesn't have to log on to RSA self service to request the token?
Did anyone get further with this?
My perfect solution is:
1. User logs in to Juniper with AD user/pass.
2. RSA AM sends OnDemand tokencode via SMS +/or Email.
3. User enters PIN + Tokencode.
4. User is passed through and granted access based on AD role groups.
Can anyone help?