Juniper Networks Secure Access SSL VPN

Duo integrates with your Juniper Networks Secure Access (SA) SSL VPN to add two-factor authentication to any VPN login, complete with inline self-service enrollment and authentication prompt.

First Steps

Before adding two-factor authentication to your Juniper device, make sure that Duo is compatible with your Juniper Networks Secure Access SSL VPN. Log on to your SA, IVE, or MAG admin interface and verify that your firmware is version 6.x, 7.x, or 8.x.

Then you’ll need to:

  1. Sign up for a Duo account
  2. Create a new Juniper SSL VPN integration to get an integration key, secret key, and API hostname. (See Getting Started for help.)
  3. Download the Duo Juniper integration package from the Duo administrative interface

(If you are configuring multiple Juniper integrations, make sure to download the custom integration package for each one. Each integration must use its own integration package.)

Connectivity Requirements

This integration communicates with Duo’s service on TCP port 389. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service’s high availability.

Modify the Sign-In Page

  1. Log on to your Juniper SSL VPN administrator web interface.
  2. In the left menu, navigate to Authentication → Signing In → Sign-in Pages, click Upload Custom Pages…, and fill in the form:

    Field            Value
    Name             Duo-v2
    Page type        Access
    Templates file   Upload the Duo Juniper package zip file.

  3. Check the Skip validation checks during upload box.

  4. Click Upload Custom Pages.

Add the Duo LDAP Server

  1. In the left menu, navigate to Authentication → Auth. Servers.

    Select LDAP Server from the Auth Server Type list, click New Server, and fill out the form:

    Field              Value
    Name               Duo-v2-LDAP
    LDAP Server        Your API hostname (i.e.
    LDAP Port          389
    LDAP Server Type   Generic
    Connection         Start TLS

  2. In the “Authentication required?” section, check the Authentication required to search LDAP box and fill in the form (replacing INTEGRATION_KEY and SECRET_KEY with your integration-specific keys).

    Field      Value
    Admin DN   dc=INTEGRATION_KEY,dc=duosecurity,dc=com
    Password   SECRET_KEY

  3. In the “Finding user entries” section:

    Field     Value
    Base DN   dc=INTEGRATION_KEY,dc=duosecurity,dc=com
    Filter    cn=<USER>

  4. Click Save. (After you click Save you might receive a message indicating that the LDAP server is unreachable. You can disregard this message.)
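
To confirm from a host behind the same firewall that outbound TCP 389 is open and that Start TLS negotiates with a valid certificate, the following Python check can be used. It is an added example, not part of Duo's or Juniper's software; the function names are illustrative, and it assumes the service answers a standard RFC 4511 StartTLS request at your API hostname.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS (RFC 4511, section 4.14)


def build_starttls_request(message_id: int = 1) -> bytes:
    """BER-encode an LDAPMessage carrying a StartTLS ExtendedRequest."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext_req = b"\x77" + bytes([len(name)]) + name                # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_req           # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                   # SEQUENCE


def parse_extended_result(data: bytes) -> int:
    """Return the LDAP resultCode from an ExtendedResponse (0 means success)."""
    if len(data) < 2 or data[0] != 0x30 or data[1] & 0x80:
        raise ValueError("not a short-form BER SEQUENCE")
    body = data[2:2 + data[1]]
    if len(body) != data[1] or body[:2] != b"\x02\x01":
        raise ValueError("truncated message or unexpected messageID encoding")
    op = body[3:]
    if len(op) < 5 or op[0] != 0x78:                             # [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    if op[2:4] != b"\x0a\x01":                                   # ENUMERATED, 1 byte
        raise ValueError("unexpected resultCode encoding")
    return op[4]


def check_starttls(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """Connect, request StartTLS, validate the certificate; return the TLS version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        # The reply is a few bytes, so a single recv is enough for this check.
        code = parse_extended_result(sock.recv(4096))
        if code != 0:
            raise ConnectionError(f"StartTLS refused, LDAP resultCode {code}")
        ctx = ssl.create_default_context()   # verifies the chain and the hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    print(check_starttls(sys.argv[1]))       # argument: your API hostname
```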

Configure a User Realm

To configure a user realm for the Duo LDAP server, you can do one or more of the following:

  1. Create a new realm for testing
  2. Create a realm to gradually migrate users to the new system (for instance, by duplicating an existing realm)
  3. Use the default Users realm

To configure a user realm:

  1. In the left menu, navigate to Users → User Realms and click the link for the user realm to which you want to add secondary authentication.
  2. On the Users realm configuration page, select the Additional authentication server check box and fill out the form:

    Field               Value
    Authentication #2   Duo-v2-LDAP
    Username is         predefined as <USERNAME>
    Password is         specified by user on sign-in page

  3. Check the End session if authentication against this server fails box.

  4. Click Save Changes.

  5. In the top menu, navigate to Authentication Policy → Password.
  6. In the “Options for additional authentication server” section, select Allow all users.

  7. Click Save Changes.

Configure the Sign-In Policy for Secondary Authentication

To finish setting up your integration, configure a sign-in policy for secondary authentication. In this example we’ll use the default */ URL policy, but you can set up a new sign-in policy at a custom URL (like */Duo-testing/) for testing.

  1. In the left menu, navigate to Authentication → Signing In → Sign-in Policies tab.
  2. Click the link for the sign-in policy that you want to modify.
  3. Select Duo-v2 from the Sign-in page list.
  4. In the “Authentication realm” section, choose User picks from a list of authentication realms….
  5. Choose the user realm you configured earlier, and click Add to move it to the Selected realms box on the right. Make sure this is the only selected realm for this sign-in page.

  6. Click Save Changes.

Test Your Setup

To test your Juniper two-factor authentication setup, go to the URL that you defined for your sign-in policy. After you complete primary authentication, the Duo enrollment/login prompt should appear.

Network Diagram

  1. SSL VPN connection initiated
  2. Primary authentication
  3. Juniper MAG/SA connection established to Duo Security over TCP port 389
  4. Secondary authentication via Duo Security’s service
  5. Juniper MAG/SA receives authentication response
  6. SSL VPN connection established