Integration Guide – DIGIPASS KEY 200 Juniper SSL VPN Authentication 2010 VASCO Data Security. All rights reserved. Page 1 of 31
DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication
Certificate Based
Integration Guideline
Disclaimer
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks
DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All
trademarks or trade names are the property of their respective owners. VASCO
reserves the right to make changes to specifications at any time and without notice.
The information furnished by VASCO in this document is believed to be accurate and
reliable. However, VASCO may not be held liable for its use, nor for infringement of
patents or other rights of third parties resulting from its use.
Copyright
2011 VASCO Data Security. All rights reserved.
Table of Contents
1 Overview ... 4
2 Problem Description ... 4
3 Solution ... 4
4 Technical Concept ... 5
4.1 General overview ... 5
4.2 Procedure ... 5
4.3 Prerequisites ... 5
5 Setting up DIGIPASS Juniper Logon ... 5
5.1 Certificate Authority ... 5
5.1.1 Issue the right type of certificates ... 5
5.1.2 Security groups for enrollment station and agents ... 6
5.1.3 Specifying the Enrollment Policy ... 9
5.2 Enrollment Station ... 11
6 Enrolling Users ... 18
6.1 Requesting certificates ... 18
7 Download CA Certificate ... 21
8 Juniper Configuration ... 23
8.1 Import Trusted Client CAs ... 23
8.2 Create a Certificate Server ... 26
8.3 User Realms ... 27
9 Using the DIGIPASS KEY 200 ... 28
9.1 Logon using the DIGIPASS KEY 200 ... 28
10 About VASCO Data Security ... 31
1 Overview
The purpose of this document is to demonstrate how to secure your Juniper SSL VPN
login with the DIGIPASS KEY 200. This device lets you store a certificate and log on
with the right user credentials.
2 Problem Description
Today's business is built around information applications. To ensure business
workflow and productivity and to enhance client relationships, internal network
resources are increasingly being made accessible from anywhere. The weakest link in
any security infrastructure is the use of static passwords. These passwords are easily
stolen, guessed, reused or shared. There is a need for strong user authentication
based on two factors: something you have and something you know.
3 Solution
By creating an extra role in your organization, the Enrollment Agent, it becomes
possible to roll out certificates on the DIGIPASS KEY 200 for every user. With the
DIGIPASS KEY 200 it is possible to log in to the Juniper SSL VPN. This way you create a
safe and easily manageable environment for you and all your users.
Figure 1: DIGIPASS KEY 200
There is also the possibility to use a simple smart card, allowing the rollout of
certificates on the Digipass smart card as well. Digipass 905 is VASCO's smart card
reader. The procedure for configuring the certificates on the card is identical to the
KEY 200 configuration.
Figure 2: DIGIPASS SMART CARD & DIGIPASS 905
4 Technical Concept
4.1 General overview
The Juniper SA authenticates users against an existing authentication source
(certificate authentication, LDAP, RADIUS, local authentication, ...). To use the
IDENTIKEY with the Juniper SA, the external authentication settings need to be changed
or added manually.
After configuring the Juniper SA SSL VPN and loading the user certificate onto the
DIGIPASS KEY 200 correctly, you eliminate the weakest link in any security
infrastructure, the use of static passwords, which are easily stolen, guessed, reused or
shared.
The DIGIPASS KEY 200 provides document signing, strong authentication to
PKI-enabled software systems (operating systems, virtual private networks,
applications), and e-mail, file and disk encryption.
4.2 Procedure
To make the DIGIPASS KEY 200 work with the Juniper SSL VPN login, a few steps need
to be taken. First of all you have to set up a Certificate Authority. This will be the
issuer of the certificate used on the DIGIPASS KEY 200. Next we make sure all the
correct user rights are set. We create a new group that will be responsible for issuing
certificates. This is a powerful group, as its members can generate certificates for all
domain users, including administrators. As a last step we enroll the users to the
DIGIPASS KEY 200 and log in to the Juniper SSL VPN.
4.3 Prerequisites
The initial prerequisites for setting up DIGIPASS Juniper SSL VPN are:
Active Directory installed on a Windows 2000 or 2003 domain server
A Microsoft Certificate Authority (CA) configured with the Enterprise policy
module. This may be a root or subordinate CA.
Juniper SSL VPN SA appliance
5 Setting up DIGIPASS Juniper Logon
5.1 Certificate Authority
5.1.1 Issue the right type of certificates
Start the Certification Authority Microsoft Management Console (MMC), located in the
Administrative Tools folder on the Enterprise CA.
Open the Certificate Templates (2003) or Policy Settings (2000) folder, right-click on
this folder and select New -> Certificate Template to Issue.
Figure 3: Issue the right type of certificates (1)
Select the following items (hold the CTRL key to select both) and click OK:
Enrollment Agent
Smartcard User
Figure 4: Issue the right type of certificates (2)
5.1.2 Security groups for enrollment station and agents
Open the Active Directory – Users and Computers from the Administrative Tools folder
on the Domain Controller.
Right-click the Users folder and select New -> Group.
Figure 5: Security groups for enrollment station and agents (1)
Fill in a relevant group name (e.g. Enrollment_Group) and click OK.
Figure 6: Security groups for enrollment station and agents (2)
Now add the users that will be allowed to create certificates for the DIGIPASS KEY 200
to this group.
Caution: be aware that these users become powerful users, as they can create a
certificate for any user in your domain, including administrators.
Right-click the group you just created and select Properties.
Figure 7: Security groups for enrollment station and agents (3)
On the Members tab, click the Add... button.
Figure 8: Security groups for enrollment station and agents (4)
Select the user you want to add to the group (e.g. Enrollment Agent).
Figure 9: Security groups for enrollment stations and agents (5)
As you can see below, a computer can also be an Enrollment Agent. You then have to
control physical access to this computer.
Click OK to finish.
Figure 10: Security groups for enrollment station and agents (6)
5.1.3 Specifying the Enrollment Policy
Certificates issued by the CA are based on certificate templates stored in Active
Directory. The Access Control Lists (ACLs) set on these templates determine who (user
or computer) can request which certificates.
Open the Active Directory Sites and Services MMC from the Administrative Tools
folder on the Domain Controller. If the Services folder is not visible, choose View ->
Show Services Node.
Open Services -> Public Key Services -> Certificate Templates, right-click
Enrollment Agent and select Properties.
Figure 11: Specifying the Enrollment Policy (1)
By clicking the Add… button, add the enrollment group you created before.
Figure 12: Specifying the Enrollment Policy (2)
Once added, give this group Read and Enroll permissions. Click OK to finish.
Figure 13: Specifying the Enrollment Policy (3)
Now do the same steps for the Smartcard User template.
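The CA-side steps of sections 5.1.1 and 5.1.3 can also be scripted and, more importantly, audited afterwards. The following is an added example and not part of the VASCO guide; it uses the Windows tools certutil.exe and dsacls.exe on the Enterprise CA, assumes the example group name Enrollment_Group from section 5.1.2 with a placeholder domain, and reads the forest's configuration partition from RootDSE so no DN has to be typed by hand.

```powershell
# Added example (not from the VASCO guide): publish the two templates, grant the enrollment
# group Read + Enroll on them, then list who may enroll an Enrollment Agent certificate.
# Assumptions: run as a CA/enterprise administrator on the Enterprise CA; CONTOSO is a
# placeholder domain; Enrollment_Group is the example group name from section 5.1.2.
$Group = "CONTOSO\Enrollment_Group"

# 5.1.1 - equivalent of "New -> Certificate Template to Issue" for both templates,
# then confirm the CA now offers them.
certutil -SetCATemplates +EnrollmentAgent,SmartcardUser
certutil -CATemplates | Select-String 'EnrollmentAgent|SmartcardUser'

# 5.1.3 - template objects live under Public Key Services in the configuration partition.
$configNC  = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$templates = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($t in "EnrollmentAgent", "SmartcardUser") {
    $dn = "CN=$t,$templates"
    dsacls "$dn" /G "${Group}:GR"          # Read (generic read)
    dsacls "$dn" /G "${Group}:CA;Enroll"   # Enroll (control access right)
}

# Audit: every principal with Enroll on the Enrollment Agent template can, once enrolled,
# request smart card certificates on behalf of any domain user (the caution in 5.1.2).
# Review this list whenever group membership or template ACLs change.
dsacls "CN=EnrollmentAgent,$templates" | Select-String 'Enroll'
```

The audit step is the one to keep running: the guide's caution in section 5.1.2 is about group membership, but an ACL granted directly to another principal on the EnrollmentAgent template gives the same power without ever appearing in Enrollment_Group.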
5.2 Enrollment Station
To set up your enrollment station you need to install the DIGIPASS KEY 200
middleware, DIGIPASS CertID.
Log in on the Enrollment Station (any domain computer) with the Enrollment Agent
user. Click Start -> Run... and type "mmc".
Choose File -> Add/Remove Snap-in.
Figure 14: Enrollment station (1)
Click the Add… button.
Figure 15: Enrollment Station (2)
Select Certificates and click the Add button.
Figure 16: Enrollment Station (3)
Choose My user account and press Finish.
Figure 17: Enrollment Station (4)
Afterwards click the Close button of the Add Standalone Snap-in window.
Click OK to go to the main console window.
Figure 18: Enrollment Station (5)
At the main console window, right-click the Personal folder and select All Tasks ->
Request New Certificate…
Figure 19: Enrollment Station (6)
Click Next in the first window of the Certificate Request Wizard.
Figure 20: Enrollment Station (7)
Choose the Enrollment Agent certificate, check the Advanced checkbox and click
Next.
Figure 21: Enrollment Station (8)
Choose the Microsoft Enhanced Cryptographic Provider and a key length of 1024
bit. Click Next.
Figure 22: Enrollment Station (9)
Verify the settings and click Next.
Figure 23: Enrollment Station (10)
Type in a friendly name and a meaningful description. Click Next.
Figure 24: Enrollment Station (11)
Review all the settings and click Finish if everything is OK.
Figure 25: Enrollment Station (12)
6 Enrolling Users
For the enrollment of users, you have to choose the Smartcard User template.
6.1 Requesting certificates
Open your browser and go to http://CA-Server/certsrv (where CA-Server is the
name of the machine on which your CA is installed).
Click Request a certificate.
Figure 26: Requesting certificates (1)
Click the Advanced certificate request link.
Figure 27: Requesting certificates (2)
Click the request a certificate for a smart card on behalf of another user by
using the smart card certificate enrollment station link.
Figure 28: Requesting certificates (3)
Select the right Certificate Template, CA and Cryptographic Service Provider
(the VASCO CertID Smart Card Crypto Provider V1.0 CSP in this case).
If you are logged in as the Enrollment Agent, the right Administrator Signing
Certificate should be selected by default. Otherwise, click the Select
Certificate... button.
In the User to Enroll field you select the user you want to create a certificate
for. Click the Select User... button and a familiar selection wizard will start.
Figure 29: Requesting certificates (4)
Search the user you want to create a certificate for and click OK.
Figure 30: Requesting certificates (5)
Now make sure your DIGIPASS KEY 200 is plugged into the USB port, and then
press the Enroll button.
Figure 31: Requesting certificates (6)
You will be asked for the PIN of the DIGIPASS KEY 200; enter it and press OK to
continue. This can take a while. Do not navigate away from this page while the
process is busy.
Figure 32: Requesting certificates (7)
When the certificate is saved on the DIGIPASS KEY 200, you will get a message in the
window stating “The smartcard is ready…”. You now have the possibility to view the
recently created certificate. To do so, press the View Certificate button.
Figure 33: Requesting certificates (8)
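Viewing the certificate in the dialog shows that something was written to the token; it does not show whether the certificate chains to the CA the Juniper appliance will trust, nor which extended key usages it carries. The block below is an added example, not part of the VASCO guide, that performs those checks with certutil.exe on a Windows machine with the DIGIPASS CertID middleware installed. The file path and the user's common name are placeholders.

```powershell
# Added example (not from the VASCO guide): verify the certificate enrolled in section 6.1
# from the Windows side. Assumptions: DIGIPASS CertID is installed, the token is inserted,
# C:\Temp\token-cert.cer and the subject name below are placeholders.

# 1. Enumerate the certificates present on the inserted token(s) via the smart card subsystem.
certutil -scinfo

# 2. When the token is inserted in the enrolled user's own session, Windows propagates its
#    certificate into that user's Personal (My) store; export it there by subject name.
$user = "Enrollment Test User"          # placeholder: CN of the user that was enrolled
certutil -user -store My "$user" C:\Temp\token-cert.cer

# 3. Build and validate the chain, fetching AIA and CRL data from the CA (-urlfetch).
#    certutil returns a non-zero exit code when the chain or the revocation check fails.
certutil -verify -urlfetch C:\Temp\token-cert.cer
if ($LASTEXITCODE -ne 0) { throw "certificate does not chain to a trusted CA or is revoked" }

# 4. Confirm what the Juniper Certificate Server (section 8) relies on: the issuer is the CA
#    you will import as a Trusted Client CA and the certificate carries the Client
#    Authentication EKU (Smart Card Logon is what Windows itself uses). Also report the key
#    length: section 5.2 requested the Enrollment Agent certificate with a 1024-bit key,
#    which is below the 2048-bit minimum now generally accepted, so check the user
#    certificates too and prefer a larger key where the template and CSP allow it.
certutil -dump C:\Temp\token-cert.cer |
    Select-String 'Issuer|Subject:|Client Authentication|Smart Card Logon|Public Key Length'
```

Run step 1 on the enrollment station directly after enrolling; steps 2 to 4 are for the enrolled user's workstation, where the propagated certificate is what Internet Explorer will offer to the Juniper portal in section 9.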
7 Download CA Certificate
To download the certificate authority (CA) certificate from the web site, click the
Download a CA certificate, certificate chain, or CRL link.
Figure 34: Download CA certificate (1)
Click the Download CA certificate link.
Figure 35: Download CA certificate (2)
Save the CA certificate to your local drive. (The CA certificate will later be imported
into the Juniper SSL VPN.)
Figure 36: Download CA certificate (3)
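The file saved here becomes a Trusted Client CA on the Juniper appliance in section 8.1: any certificate chaining to it will be accepted for authentication, so it is worth confirming that the download is really the Enterprise CA's certificate, particularly as the certsrv URL in section 6.1 is plain HTTP. The following is an added example, not part of the VASCO guide; it compares the SHA-1 thumbprint of the downloaded file with a copy exported directly from the CA service using certutil.exe. File names are placeholders; certnew.cer is assumed as the name the certsrv download produces.

```powershell
# Added example (not from the VASCO guide): verify the downloaded CA certificate before
# importing it as a Juniper Trusted Client CA. Assumptions: the first command runs on the
# CA itself; file paths are placeholders.

# On the CA: export the CA's own certificate straight from the CA service, bypassing the web UI.
certutil -ca.cert C:\Temp\ca-reference.cer

# Read the SHA-1 thumbprint ("Cert Hash(sha1): aa bb ...") from certutil -dump output
# and normalise it to an upper-case hex string without spaces.
function Get-CertThumbprint([string]$Path) {
    $line = certutil -dump $Path | Select-String 'Cert Hash\(sha1\)' | Select-Object -First 1
    if (-not $line) { throw "no certificate found in $Path" }
    return (($line.Line -split ':', 2)[1] -replace '\s', '').ToUpper()
}

$downloaded = Get-CertThumbprint 'C:\Temp\certnew.cer'        # file saved in Figure 36
$reference  = Get-CertThumbprint 'C:\Temp\ca-reference.cer'   # copy taken on the CA

if ($downloaded -ne $reference) { throw "thumbprint mismatch: do not import $downloaded" }
"CA certificate verified, thumbprint $downloaded"

# Sanity checks on the certificate itself: it must be a CA certificate (Subject Type=CA)
# and its expiry (NotAfter) bounds how long the Juniper trust anchor stays valid.
certutil -dump 'C:\Temp\certnew.cer' | Select-String 'Issuer|Subject Type|NotAfter'
```

Record the verified thumbprint alongside the Juniper configuration; when the appliance later lists the imported Trusted Client CA, the same value should appear, which makes an accidental import of the wrong file easy to spot.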
8 Juniper Configuration
8.1 Import Trusted Client CAs
Log in to the Juniper SSL VPN administrator console and click Configuration ->
Certificates -> Trusted Client CAs.
Figure 37: Juniper SSL VPN configuration (1)
Click on Import CA Certificate…
Figure 38: Juniper SSL VPN configuration (2)
Click the Browse... button.
Figure 39: Juniper SSL VPN configuration (3)
Choose the CA certificate you exported earlier (see section 7, page 21).
Figure 40: Juniper SSL VPN configuration (4)
Click the Import Certificate button.
Figure 41: Juniper SSL VPN configuration (5)
Scroll down and leave the default settings.
Figure 42: Juniper SSL VPN configuration (6)
Click on Save Changes.
Figure 43: Juniper SSL VPN configuration (7)
Figure 44: Juniper SSL VPN configuration (8)
8.2 Create a Certificate Server
To create a Certificate Server, click Auth. Server. In the New: drop-down list,
choose Certificate Server.
Figure 45: Juniper SSL VPN configuration (9)
Name your Certificate Server.
Figure 46: Juniper SSL VPN configuration (10)
8.3 User Realms
To link the Certificate Server to the User Realms, click User Realms and then click
your realm.
Figure 47: Juniper SSL VPN configuration (11)
Under Authentication, select the Certificate Server.
Figure 48: Juniper SSL VPN configuration (12)
9 Using the DIGIPASS KEY 200
9.1 Logon using the DIGIPASS KEY 200
Make sure the DIGIPASS CertID is installed on the client PC. Open Internet Explorer
and enter the Juniper SSL VPN web portal URL.
Figure 49: Using the DIGIPASS (1)
A Security Alert will appear. Click Yes to accept the SSL certificate.
Figure 50: Using the DIGIPASS (2)
Select your certificate and click OK.
Figure 51: Using the DIGIPASS (3)
Enter your PIN to unlock the DIGIPASS KEY 200.
Figure 52: Using the DIGIPASS (4)
After the certificate authentication, you will be able to log in to your Juniper SSL VPN
portal.
Figure 53: Using the DIGIPASS (5)
10 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce.
VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small "calculator" hardware devices, or in a
software format on mobile phones, other portable devices, and PCs.
At the server side, VASCO’s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application.
VASCO’s target markets are the applications and their several hundred million users that utilize fixed password as security.
VASCO’s time-based system generates a “one-time” password that changes with every use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO’s user authentication software is delivered via its DIGIPASS hardware
and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User
Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.