Connect with Duo users and security professionals in our Community.
Can't find what you're looking for? Contact Sales or Contact Support.
Duo integrates with your Juniper Networks Secure Access (SA) or Pulse Secure Connect Secure SSL VPN to add two-factor authentication to any VPN login, complete with inline self-service enrollment and Duo Prompt.
While these instructions reference the Juniper SA SSL VPN throughout, they also work with the Secure Connect SSL VPN from Pulse Secure. Please see the FAQ for more information about the Pulse transition.
See our alternate instructions if you'd like to control the "failmode" (how the system will act if network communication with Duo is interrupted) or integrate Duo into a single Juniper sign-in URL with multiple authentication realms.
Before starting to add two-factor authentication to your Juniper, make sure that Duo is compatible with your Juniper Networks Secure Access SSL VPN. Log on to your SA, IVE or MAG administrator interface and verify that your firmware is version 6.x, 7.x, or 8.x (up to 8.2)..
You should already have a working primary authentication configuration for your SSL VPN users before you begin to deploy Duo, e.g. LDAP authentication to Active Directory.
Then you'll need to:
This integration communicates with Duo's service on TCP port 636. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
In the left menu, navigate to Authentication → Signing In → Sign-in Pages, click Upload Custom Pages..., and fill in the form:
Field | Value |
---|---|
Name | Duo-Juniper |
Page type | Access |
Templates file | Upload the Duo Juniper package zip file downloaded from the Duo Admin Panel earlier. |
Check the Skip validation checks during upload box.
Click Upload Custom Pages.
In the left menu, navigate to Authentication → Auth. Servers.
Select LDAP Server from the Auth Server Type list, click New Server, and fill out the form:
Field | Value |
---|---|
Name | Duo-LDAP |
LDAP Server | Your API hostname (i.e. api-XXXXXXXX.duosecurity.com ) |
LDAP Port | 636 |
LDAP Server Type | Generic |
Connection | LDAPS |
In the "Authentication required?" section, check the Authentication required to search LDAP box and fill in the form (replacing INTEGRATION_KEY and SECRET_KEY with your application-specific keys).
Field | Value |
---|---|
Admin DN | dc=INTEGRATION_KEY,dc=duosecurity,dc=com |
Password | SECRET_KEY |
In the "Finding user entries" section:
Field | Value |
---|---|
Base DN | dc=INTEGRATION_KEY,dc=duosecurity,dc=com |
Filter | cn=<USER> |
Click Save. (After you click Save you might receive a message indicating that the LDAP server is unreachable. You can disregard this message.)
To configure a user realm for the Duo LDAP server, you can do one or more of the following:
To configure a user realm:
On the Users realm configuration page, select the Additional authentication server check box and fill out the form:
Field | Value |
---|---|
Authentication #2 | Duo-LDAP |
Username is | predefined as <USERNAME> |
Password is | specified by user on sign-in page |
Check the End session if authentication against this server fails box.
Click Save Changes.
In the "Options for additional authentication server" section, select Allow all users.
Click Save Changes.
To finish setting up your integration, configure a sign-in policy for secondary authentication. In this example we'll use the default */
URL policy, but you can set up a new sign-in policy at a custom URL (like */Duo-testing/
) for testing.
Choose the user realm you configured earlier, and click Add to move it to the Selected realms box on the right. Make sure this is the only selected realm for this sign-in page.
Click Save Changes.
To test your Juniper two-factor authentication setup, go to the URL that you defined for your sign-in policy. After you complete primary authentication, the Duo enrollment/login prompt appears.
Need some help? Take a look at the Juniper Frequently Asked Questions (FAQ) page or try searching our Juniper Knowledge Base articles or Community discussions. For further assistance, contact Support.