Two-Factor Authentication for Pulse Connect Secure SSL VPN with Duo

(upbeat instrumental music) – [Instructor] Hi, I’m
Matt from Duo Security. In this video I’m going to show you how to protect your Pulse
Connect Secure SSL VPN with Duo. Be sure to reference the documentation for this configuration at Before starting the setup process, make sure that Duo is
compatible with your Pulse VPN. Log on to your administrator web interface and verify that your
firmware is version 8.2. In addition, you need to have a functional primary authentication configuration for your SSL VPN users, such as LDAP authentication
to active directory. (upbeat instrumental music) Log in to the Duo admin panel. (upbeat instrumental music) In the left side bar, click applications. Click “Protect an
application” and type juniper in the search bar. Under the entry for Juniper SSL VPN, click protect this application. Your integration key, secret
key, and API host name are provided at the top
of the properties page. You will need these later during setup. Click the link to download
the Duo Juniper 8.x package. This file is customized for your account and has your Duo account ID
appended to the file name. Note that Duo’s Juniper configuration is compatible with Pulse Connect Secure and you can change the display
name of this application at the bottom of the properties page. For easy reference, change
the name of this application to Pulse Connect Secure VPN. (upbeat instrumental music) Click save changes. (upbeat instrumental music) Now modify the sign in page. Log in to your Pulse Connect Secure administrator web interface. (upbeat instrumental music) In the top menu, navigate
to authentication, signing in, sign in pages. (upbeat instrumental music) Click upload custom pages. (upbeat instrumental music) In the name field, type Duo. Set page type to Access. (upbeat instrumental music) Next to templates file, click Browse and select the Duo Juniper zip file you downloaded from the admin panel. Do not select the “use custom page for Pulse desktop client logon” or “prompt the secondary credentials on the second page” options,
if they are present. Check the skip validation
checks during upload box. Click upload custom pages. You may ignore any warnings that appear. Next add the Duo LDAP server. Open a new browser window and navigate to (upbeat instrumental music) Scroll down to the “Add the
Duo LDAP Server” section of the documentation. There are strings you can
copy from this section to make setup easier. (upbeat instrumental music) In the top menu of your
administrator interface, navigate to authentication, auth servers. (upbeat instrumental music) In the auth server type
list, select LDAP server. Click new server. (upbeat instrumental music) In the name field, type Duo-LDAP. In the LDAP server field,
enter your API hostname from your application’s properties page in the Duo admin panel. (upbeat instrumental music) Set the LDAP port to 636. (upbeat instrumental music) In the LDAP server type
drop down, select generic. Next to connection, click
the radio button for LDAPS. In the authentication required section, check the “authentication
required to search LDAP” box. (upbeat instrumental music) Copy the admin DN string
from the documentation page and paste it in the admin DN field in the Pulse Secure web interface. (upbeat instrumental music) Replace the integration
underscore key variable with your integration key. (upbeat instrumental music) Then copy your secret key and paste it in the password field. In the finding user entries section, copy the string you used in
the admin DN section above and paste it in the base DN field. (upbeat instrumental music) Then copy the filter from
the documentation page and paste it in the filter
field in the web interface. (upbeat instrumental music) Click save. (upbeat instrumental music) After you click save, you
might receive a message indicating that the LDAP
server is unreachable. You can disregard this message. Now you need to configure a user realm for the Duo LDAP server. To accomplish this, you can
create a new realm for testing, create a realm to gradually
migrate users in the new system, or use the default users realm. For this video, we have already created a Duo users group that we will configure to use Duo for secondary authentication. In your VPN interface, navigate to users, user realms, and click the link for the user realm you want to add secondary authentication to. Under the additional
authentication servers section, select the “enable additional
authentication server” checkbox. (upbeat instrumental music) In the authentication number two field, select Duo-LDAP. Next to user name is,
select the radio button for predefined as and enterif it is not already present. (upbeat instrumental music) Next to password is, select the button for specified by user on sign in page. (upbeat instrumental music) Check the box for “end
session if authentication against this server fails”. (upbeat instrumental music) Click save changes. (upbeat instrumental music) Click the authentication policy tab at the top of the page
and then click password. (upbeat instrumental music) In the options for the additional authentication server section,
select “allow all users”. Click save changes. (upbeat instrumental music) To finish setting up your integration, configure a sign in policy
for secondary authentication. In this example we will use the default asterisk slash URL policy, but you can set up a new sign in policy at a custom URL like asterisk
slash Duo-testing for testing. In the top menu, go to authentication, signing in, sign in policies. (upbeat instrumental music) Click the link for the sign in policy that you want to modify. In the sign in page list, select Duo. (upbeat instrumental music) In the authentication realm section, select the radio button for “user picks from a list of authentication realms”. Choose the user realm
you configured earlier and click add. Make sure this is the only selected realm for this sign in page. Click save changes. (upbeat instrumental music) With everything configured, it is now time to test your setup. In your browser, navigate to the URL that you defined for your sign in policy. (upbeat instrumental music) After you complete primary authentication, the Duo Prompt appears. Using this prompt, users can enroll in Duo or complete two-factor authentication. Since this user has already
been enrolled in Duo, you can select send me a push, call me, or enter a passcode. Select “send me a push” to
send a Duo push notification to your smartphone. On your phone, open the notification, tap the green button to
accept, and you’re logged in. You have successfully set up
Duo two-factor authentication for you Pulse Connect Secure VPN. (upbeat instrumental music)

Leave a Reply

Your email address will not be published. Required fields are marked *