Nexus Documentation
Nexus Documentation
Breadcrumbs

Set up Nexus OTP as 2FA for Juniper Junos Pulse

This article describes how to enable Nexus OTP in Smart ID Digital Access component as two-factor authentication method for Juniper Junos Pulse, to replace static passwords.

Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator. 

With the setup described in this article, Digital Access functions as a RADIUS server and Juniper Junos Pulse as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows. Also used as an example is Nexus Mobile Text, which works with any mobile phone and do not require a smartphone.

Network schematic for Nexus OTP authentication

Junos.png

Network schematic with Nexus TruID Synchronized as an example.


  1. The end user starts the TruID client and enters the PIN in TruID to generate an OTP.

  2. Juniper Junos Pulse request the end user to enter username, password and OTP.

  3. The end user enters username, domain password and OTP.

  4. The domain credentials are validated by the Active Directory.

  5. The OTP authentication request is relayed to Digital Access Authentication Server via RADIUS.

  6. The authentication server validates the OTP with the associated TruID token and PIN from the user database.

  7. Upon successful validation, the authentication server responds with successful authentication to Juniper Junos Pulse.

Juniper Junos Pulse provides access to the end user.


Junos_MobileText.png

Network schematic with Nexus Mobile Text as an example.


  1. Juniper Junos Pulse request the end user to enter username and password.

  2. The authentication request is relayed to Digital Access Authentication Server using the RADIUS protocol.

  3. The domain account is validated to the Active Directory or the Digital Access user DB for standalone accounts.

  4. Upon successful validation, the end user receives a SMS or an email with a OTP.

  5. The end user enters the OTP in Juniper Junos Pulse.

  6. The Digital Access Authentication Server validates the OTP.

  7. Upon successful validation, the authentication server responds with successful authentication to Juniper Junos Pulse.

Juniper Junos Pulse provides access to the end user.

Prerequisites

Make settings in Digital Access

Log in to Digital Access Admin

  1. Log in to Digital Access Admin with an administrator account.


Add Juniper Junos Pulse as a RADIUS client


In step 3, enter the IP address of the RADIUS Client (Juniper Junos Pulse) and the Shared Secret Key.

  1. In Digital Access Admin, go to Manage System.

  2. Click RADIUS Configuration > Add RADIUS Client...

  3. Enter General Settings and Attributes. Click the ?-sign for help.

  4. Click Save.


Enable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

  • In step 3, select Nexus Synchronized as method.

  • When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.

To add a new authentication method:

  1. In Digital Access Admin, go to Manage System.

  2. Click Authentication Methods.

  3. Click Add authentication method..., select the desired method and click Next.

  4. Enter Display Name, a unique name used in the system to identify the authentication method.

  5. Select if the method shall be enabled and if it shall be visible in authentication menu.

  6. Register Authentication Methods Server when applicable.

  7. Make other configurations as needed for the selected authentication method. For more information , click the ?-sign. Click Next.

  8. If needed, make settings in RADIUS Replies and Extended Properties.

  9. Click Next and Finish.

  10. Click Publish.

Make settings in Juniper Junos Pulse

Add Digital Access as RADIUS Server when using Nexus TruID Synchronized

  1. Log in to the Juniper Junos Pulse administrative console.

  2. Create an Auth Server for the Nexus TruID Synchronized Authentication method.
    image2018-3-21_8-50-8.png

  3. Assign the newly created Auth server to a specific UAT_Realm.
    image2018-3-21_8-50-47.png


Add Digital Access as RADIUS Server when using Nexus Mobile Text

  1. Log in to the Juniper Junos Pulse administrative console.

  2. Create an Auth Server for the Nexus Mobile Text Authentication method.
    image2018-3-21_8-51-17.png

  3. Create Rules for prompting OTP challenge and Access Challenge Rule.
    image2018-3-21_8-51-36.png

  4. Create Access Reject Rule.
    image2018-3-21_8-51-54.png

  5. Assign the newly created Auth server to a specific UAT_Realm.
    image2018-3-21_8-52-23.png

Example: Log in to Juniper Junos Pulse

The following example shows how an end user logs in, using Nexus TruID synchronized. Other Nexus OTP methods can be used in a similar way. 

Example: Use Nexus TruID as 2FA to log in to Juniper Junos Pulse

  1. Start Nexus TruID that is installed on your laptop or smartphone - Enter your PIN to generate an OTP.

    ISA_Server_5.png ISA_Server_6.png

  2. Key-In domain login id and password along with the Nexus TruID OTP as shown below in the Passcode field.
    image2018-3-21_8-52-46.png

  3. You are logged into Juniper Portal to access the resources published for you.


Related information