Multi-factor authentication (MFA) adds a layer of security to your administrative and remote-access interfaces by requiring more than one validation step that only the legitimate user knows or possesses. RADIUS is the protocol commonly used to authenticate, authorize and account for user access and actions; the Acceptto RADIUS service adds an out-of-band approval step (a push notification to the user's phone) to the VPN login, strengthening the protection of the attack surface associated with the VPN. This manual illustrates how to configure a Juniper vSRX virtual firewall and the Acceptto Appliance to use RADIUS for VPN client authentication; the same configuration can be adapted to other devices such as a switch or another firewall.
Prerequisites
- An Acceptto Appliance connected to your user directory (for example Microsoft Active Directory).
- The user population that is going to be authenticated via RADIUS must be enrolled in the It'sMe application.
- A user with administrative privileges for the vSRX device.
- A user with administrative privileges for the Acceptto Appliance.
- A service user with administrative privileges to create a machine account in Active Directory.
Configure the Acceptto Appliance RADIUS interface
- Log in to the Acceptto appliance admin panel with an administrative account and select RADIUS.
- Activate the RADIUS Service by selecting the toggle control (it is active by default, this action is only required if you have disabled the service).
- Activate the MS-CHAPv2 protocol by selecting the toggle control (it is active by default).
- LDAP/AD host - enter the IP address or fully qualified domain name of your Active Directory Server.
- LDAP bind user - enter the service account that has privileges to create a machine account in your Active Directory (use a dedicated account with only that privilege rather than a domain administrator).
- LDAP bind password - enter the password for the user.
- LDAP Base DN - enter the distinguished name that contains the users and groups that are going to be used for MFA.
- NETBIOS domain - enter the NETBIOS domain name.
- “Assigned computer name” - enter the name of the workstation that you want created in Active Directory for example: radius1.
- “REALM” - enter the realm that is usually appended to your usernames, usually this is equal to the domain name e.g. if your domain is example.com then your realm is usually example.com.
- "Acceptto AD Group" - enter the Active Directory group (as an LDAP DN) that contains the users allowed to log in via MFA (note that by default users outside this group are denied access).
- "Pre-login message" - enter the message that your users are going to see in the It'sMe mobile application.
- Select the “SAVE CHANGES” control once you have completed the configuration.
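Before touching the vSRX it is worth confirming that the appliance answers RADIUS with the shared secret you intend to give the firewall. The following Python script is an added example, not Acceptto or Juniper code: it builds an RFC 2865 Access-Request with a PAP-hidden password, sends it with a long timeout (the push approval has to happen inside that window), and verifies the Response Authenticator so that only a reply from a host that knows the secret counts as an Access-Accept. Assumed, not stated in this guide: the appliance listens on UDP 1812, the probing host is registered in the appliance as a RADIUS client with the same shared secret the vSRX will use, and the NAS-IP-Address value you pass is acceptable to it.

```python
# Added example, not Acceptto or Juniper code: a minimal RFC 2865 PAP client that
# sends one Access-Request to the appliance with the shared secret the vSRX will
# use, so the RADIUS side can be verified before the firewall is configured.
# Assumptions (not from the guide): the appliance listens on UDP 1812, this host
# is registered as a RADIUS client with the same secret, and the NAS-IP-Address
# given on the command line is acceptable to the appliance.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def pap_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous block), the first block keyed by the Request
    Authenticator. This is obfuscation, not encryption: anyone who captures the
    packet and knows the secret recovers the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def pap_reveal(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_hide, i.e. what the RADIUS server does; strips the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, nas_ip, authenticator=None):
    """Access-Request = 20-byte header (Code, Identifier, Length, Request Authenticator)
    followed by attributes. The authenticator must be unpredictable, so os.urandom is
    used unless a fixed one is supplied for testing."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_hide(secret, authenticator, password.encode()))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def parse_response(secret, request, response):
    """Validate a reply against the request it answers; return (code, {type: [values]}).
    Raises ValueError if the Response Authenticator does not verify, which is what
    stops a NAS from accepting an Access-Accept forged by a host without the secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("identifier or length does not match the request")
    expected = build_response(secret, code, identifier, request[4:20], response[20:])[4:20]
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = response[pos], response[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(response[pos + 2:pos + attr_len])
        pos += attr_len
    return code, attrs


def response_is_authentic(secret, request, response) -> bool:
    try:
        parse_response(secret, request, response)
        return True
    except (ValueError, struct.error):
        return False


def authenticate(host, secret, username, password, nas_ip, timeout=120.0, port=1812):
    """Send one request and wait up to `timeout` seconds: the It'sMe push approval
    happens inside this window, and every resend would raise a fresh push, so do not
    retry early. Returns True only on an authenticated Access-Accept."""
    request = build_access_request(secret, 1, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(4096)
    code, _ = parse_response(secret, request, data)
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python radius_probe.py <appliance-host> <shared-secret> <username> <nas-ip>
    host, secret, user, nas = sys.argv[1:5]
    ok = authenticate(host, secret.encode(), user, getpass.getpass("AD password: "), nas)
    print("Access-Accept" if ok else "rejected")
```

Run it from a host the appliance accepts as a RADIUS client and approve the push when it arrives. The exchange also shows what the transport protects: the password is only masked with MD5 keyed by the shared secret and every other attribute travels in clear, so keep the vSRX-to-appliance path on a management network (or inside an IPsec tunnel) and use a long random shared secret.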
Configure the Juniper vSRX device
- Log in to the Juniper device with an administrative user and change to configuration mode.
- All the subsequent steps assume that you will remain in configuration mode.
- Create an IP address pool that is going to be assigned to your VPN clients. The pool network and the DNS server handed out to clients through XAuth are separate statements, and the DNS address is given with a /32 prefix:
set access address-assignment pool vpn-pool family inet network <addresses for your VPN clients, e.g. 10.10.10.0/24>
set access address-assignment pool vpn-pool family inet xauth-attributes primary-dns <the IP address of the DNS server>/32
- Create an access profile that authenticates against the RADIUS service of the appliance. Each leaf is its own set statement. The timeout on the radius-server is raised well above the default to give users enough time to approve the push notification; reduce it based on user feedback, and if the commit rejects the value use the largest your Junos release accepts (commonly 90 seconds). Note that every retry is a re-sent Access-Request, and each one raises a fresh push on the user's phone; lower retries to 1 if you want a single prompt per login attempt (removing the statement restores the default, which is higher). With authentication-order set to radius only, logins fail closed when the appliance is unreachable, which is the behaviour you want for MFA:
set access profile acceptto-radius authentication-order radius
set access profile acceptto-radius address-assignment pool vpn-pool
set access profile acceptto-radius radius-server <the appliance IP address> secret <the shared secret configured for this vSRX in the Acceptto Appliance RADIUS interface>
set access profile acceptto-radius radius-server <the appliance IP address> timeout 120
set access profile acceptto-radius radius-server <the appliance IP address> retries 2
- Add a radius-server entry in the same profile for each Acceptto Appliance in your environment; the vSRX contacts them in the order configured.
- Create an IKE proposal by typing the following (you may need to customize this configuration depending on your security policy; this example is just the basic setup). Note the keyword is authentication-method:
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group20
set security ike proposal ike-proposal1 authentication-algorithm sha-384
set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal1 lifetime-seconds 86400
- Create a policy that uses the proposal above and authenticates the client with a pre-shared key. Aggressive mode is what IKEv1 requires for peers with dynamic addresses and a pre-shared key, but it sends the identity in clear and exposes a PSK-derived hash to offline dictionary attack, so the PSK must be long and random; it is the RADIUS/It'sMe step that ties the session to a user, and certificate authentication is the stronger option:
set security ike policy ike-policy1 mode aggressive
set security ike policy ike-policy1 proposals ike-proposal1
set security ike policy ike-policy1 pre-shared-key ascii-text <the preshared key for your clients>
- Create a gateway to terminate the VPN connections and bind the RADIUS access profile to it so that clients are authenticated through XAuth. The user-at-hostname value is the IKE identity all clients present (the NCP profile must use exactly the same string); ike-user-type shared-ike-id lets several clients share that identity, and connections-limit depends on your Juniper license:
set security ike gateway gateway1 ike-policy ike-policy1
set security ike gateway gateway1 dynamic user-at-hostname "email@example.com"
set security ike gateway gateway1 dynamic ike-user-type shared-ike-id
set security ike gateway gateway1 dynamic connections-limit <X>
set security ike gateway gateway1 external-interface <interfaceX>
set security ike gateway gateway1 version v1-only
set security ike gateway gateway1 xauth access-profile acceptto-radius
- Create the secure tunnel (st0) interface that carries the VPN traffic. It must also be placed in a security zone, and security policies permitting traffic between that zone and the internal zone are required for clients to reach anything (zone and policy statements are not shown here):
set interfaces st0 unit 0 family inet
- Create an IPSEC proposal for the VPN clients:
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal1 lifetime-seconds 32400
- Create an IPSEC policy for the VPN clients:
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set security ipsec policy ipsec-policy proposals ipsec-proposal1
- Create the VPN, bind the tunnel interface, gateway and policy, and add the traffic selector. local-ip is the internal network the clients are allowed to reach; remote-ip 0.0.0.0/0 accepts any client source address:
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway gateway1
set security ipsec vpn remote-vpn1 ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector ts1 local-ip 10.0.0.0/24
set security ipsec vpn remote-vpn1 traffic-selector ts1 remote-ip 0.0.0.0/0
Configure the NCP VPN client
- Open the NCP user interface and select configuration, select Profiles...:
- The profile configuration menu is presented, select Add:
- The new profile wizard is displayed, select Manually configure profile, Next > :
- Enter a friendly name for the new VPN client configuration and select Next >:
- Select the media over which the VPN is going to be connected, in this example we are using LAN, and then select Next >:
- Choose whether the client authenticates with a certificate. Certificates are recommended, but this example does not use them; select Next >:
- Configure the VPN gateway and then select Next >:
- Select the Diffie-Hellman (DH) group to use, this must match the DH group configured in the vSRX device:
- Select the user identity that identifies the tunnel to the device. In this example we are using "user at domain"; it must match the user-at-hostname value configured on the IKE gateway in "Configure the Juniper vSRX device". Select Finish:
- The profile configuration menu will appear again, select Edit, IPSEC General Settings. Review the settings and ensure they match exactly what is configured on the vSRX device:
- If the client's built-in policies do not match the vSRX settings, select the Policy Editor... and create IKE and IPSEC policies that do:
- Edit the IKE policy by providing a friendly name and setting the authentication method for the tunnel, encryption and hashing algorithms to match the tunnel IKE configuration then select OK :
- Edit the IPSEC policy, provide a friendly name and select the protocol, encryption and authentication algorithms that match the tunnel IPSEC configuration and then select OK:
- The configuration is finished, proceed to Test Your Setup.
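The IKE and IPsec settings on the vSRX and in the NCP client must match field for field, and the proposal lines above are where weak choices tend to creep in. The following Python script is an added example, not Juniper, NCP or Acceptto code: it parses the `set security ike` and `set security ipsec` lines from this guide (or the output of `show configuration | display set` on the vSRX) into the parameter set the NCP policy editor asks for, compares it with the values entered in the client, and flags settings that weaken the tunnel. The embedded configuration is constructed from this guide's own commands; the weak-algorithm sets and the client dictionary are illustrative.

```python
# Added example, not Juniper, NCP or Acceptto code: parse the guide's
# `set security ike|ipsec` lines into the settings the NCP client must mirror,
# report mismatches against the client's values, and flag weak choices.
# VSRX_SET_LINES is constructed from the commands in this guide.
import re

VSRX_SET_LINES = """
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group20
set security ike proposal ike-proposal1 authentication-algorithm sha-384
set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal1 lifetime-seconds 86400
set security ike policy ike-policy1 mode aggressive
set security ike policy ike-policy1 proposals ike-proposal1
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal1 lifetime-seconds 32400
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set security ipsec policy ipsec-policy proposals ipsec-proposal1
"""

SET_LINE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (\S+)(?: (.+))?$")

# Illustrative thresholds: MODP groups below 2048 bits, DES/3DES, MD5/SHA-1.
WEAK_DH = {"group1", "group2", "group5"}
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_HASH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}


def parse_set_lines(text):
    """Group leaves by family/kind/name: cfg["ike"]["proposal"]["ike-proposal1"]["dh-group"]."""
    cfg = {family: {"proposal": {}, "policy": {}} for family in ("ike", "ipsec")}
    for raw in text.splitlines():
        match = SET_LINE.match(raw.strip())
        if match:
            family, kind, name, leaf, value = match.groups()
            cfg[family][kind].setdefault(name, {})[leaf] = value or ""
    return cfg


def client_settings(cfg, ike_policy, ipsec_policy):
    """Follow policy -> proposal references and flatten what the NCP profile must match exactly."""
    pol = cfg["ike"]["policy"][ike_policy]
    ike = cfg["ike"]["proposal"][pol["proposals"]]
    ipol = cfg["ipsec"]["policy"][ipsec_policy]
    ipsec = cfg["ipsec"]["proposal"][ipol["proposals"]]
    pfs = ipol.get("perfect-forward-secrecy", "keys none").split()[-1]  # "keys group20" -> "group20"
    return {
        "ike_mode": pol.get("mode", "main"),        # Junos default is main mode
        "ike_auth": ike["authentication-method"],
        "ike_dh": ike["dh-group"],
        "ike_hash": ike["authentication-algorithm"],
        "ike_enc": ike["encryption-algorithm"],
        "ike_lifetime": int(ike["lifetime-seconds"]),
        "ipsec_proto": ipsec["protocol"],
        "ipsec_hash": ipsec["authentication-algorithm"],
        "ipsec_enc": ipsec["encryption-algorithm"],
        "ipsec_lifetime": int(ipsec["lifetime-seconds"]),
        "pfs_dh": pfs,
    }


def lint(settings):
    """Return human-readable findings for weak choices; an empty list is clean."""
    findings = []
    if settings["ike_mode"] == "aggressive" and settings["ike_auth"] == "pre-shared-keys":
        findings.append("IKEv1 aggressive mode with PSK exposes a PSK-derived hash to offline "
                        "cracking; use a long random PSK or certificates")
    if settings["pfs_dh"] == "none":
        findings.append("no perfect forward secrecy on the IPsec policy")
    for key in ("ike_dh", "pfs_dh"):
        if settings[key] in WEAK_DH:
            findings.append(f"{key}={settings[key]} is a weak DH group")
    for key in ("ike_enc", "ipsec_enc"):
        if settings[key] in WEAK_ENC:
            findings.append(f"{key}={settings[key]} is a weak cipher")
    for key in ("ike_hash", "ipsec_hash"):
        if settings[key] in WEAK_HASH:
            findings.append(f"{key}={settings[key]} is a weak integrity algorithm")
    if settings["ipsec_lifetime"] > settings["ike_lifetime"]:
        findings.append("IPsec SA lifetime exceeds the IKE SA lifetime")
    return findings


def mismatches(vsrx, client):
    """Every field the NCP policy editor asks for must equal the vSRX value; report the rest."""
    return {k: (v, client.get(k)) for k, v in vsrx.items() if client.get(k) != v}


if __name__ == "__main__":
    settings = client_settings(parse_set_lines(VSRX_SET_LINES), "ike-policy1", "ipsec-policy")
    for key, value in settings.items():
        print(f"{key:15} {value}")
    for finding in lint(settings):
        print("WARNING:", finding)
```

Run against the guide's configuration the only finding is the aggressive-mode-with-PSK one, which is inherent to IKEv1 remote access with a shared key; anything else it reports is a drift from the settings above. Paste the values it prints into the NCP IKE and IPsec policy dialogs, or feed the client's values to `mismatches` to see which field still differs when phase 1 or phase 2 negotiation fails.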
Test Your Setup
- Open the newly configured NCP VPN client profile and select the sliding control to establish the VPN connection.
- The VPN client will prompt the user for authentication, the user provides a valid Active Directory username and password:
- The VPN client sends the credentials to the vSRX device and the vSRX forwards them to the Acceptto Appliance over RADIUS (XAuth). If the user's credentials are correct, the user is prompted to approve the authentication in the It'sMe mobile application.
- The user is logged in.
- What to look for if the connection is unsuccessful:
- If the login fails with the message "PAP/CHAP error Wrong User ID or password (VPN)", the most likely causes are a mistyped password or a push notification that was not approved in the It'sMe application before the RADIUS timeout expired. Both produce an Access-Reject from the appliance, so the client cannot tell them apart; ask the user whether the push arrived.
- If the message is “VPN error RECV-MSG2-AGGR-PSK -> invalid preshared key”, go to Configuration, select Profiles…, edit the profile in use, select Identities and check the pre-shared configuration by re-typing the pre-shared key.
- If the message is "VPN error Could not resolve VPN gateway name (DNS)", ensure that the gateway name you are trying to contact is resolvable by the client's DNS server, for example with nslookup or ping.
- If the message is “VPN error Connection to VPN gateway failed. Please check your internet connection.” verify if the security zone or any in between firewall is blocking IPSEC connections.
- Contact Acceptto Support personnel in case you have any difficulties with the setup.
If you require assistance, please email us at firstname.lastname@example.org
Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.
All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute an endorsement by the Acceptto Corporation.
Juniper® is a registered trademark of Juniper Networks, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.