MFA for Juniper VPN

Secure VPN logins with ADSelfService Plus

Juniper VPN MFA

Juniper VPN, also known as Juniper Secure Connect, is a VPN suite from Juniper Networks that's widely used by organizations to give remote employees secure access to resources within their domain networks. These resources often contain sensitive data and can be a target for cybercriminals, as shown by the pre-auth remote code execution (RCE) vulnerability that affected enterprises employing Juniper VPN. While Juniper VPN does employ a strong authentication process to thwart attacks, it's always beneficial to adopt additional security measures.

ManageEngine ADSelfService Plus is a comprehensive MFA solution that enhances the security of Juniper VPN logins. The solution delivers advanced authentication options, conditional access policies, and customizable configuration and auditing features, ensuring heightened protection for remote users against various cyberthreats. Additionally, ADSelfService Plus helps organizations maintain compliance with key regulations and standards such as the NIST SP 800-63B, the GDPR, HIPAA, and the PCI DSS.

Explore advanced authenticators for Juniper VPN

ADSelfService Plus supports the following authenticators for Juniper VPN MFA:

  1. Push notification authentication
  2. Biometric authentication
  3. ADSelfService Plus TOTP authentication
  4. Google Authenticator
  5. Microsoft Authenticator
  6. Yubico OTP (hardware key authentication)
  7. SMS and email verification
  8. Zoho OneAuth TOTP

Biometrics and TOTP are inherence- and possession-based authentication methods, respectively, and are considered significantly more secure than knowledge-based factors. Using them to create your MFA policy can ensure protection from dictionary attacks, phishing, keylogging, and other forms of password attacks.

Enabling MFA for Juniper VPN

ADSelfService Plus features an intuitive administrator portal crafted for comprehensive, fine-grained configuration of your VPN MFA policies. Administrators can create and apply various MFA policies tailored to Juniper VPN users from organizational units and groups within a specific domain. They can also select preferred authenticators for each policy, ensuring that users only undergo MFA processes aligned with their enterprise privileges.

Once Juniper VPN is set up with ADSelfService Plus, the login process is as follows:

  1. The user opens Juniper VPN.
  2. The user completes the first stage of authentication using their AD domain credentials.
  3. If successful, ADSelfService Plus initiates the MFA process involving up to three stages of authentication.
  4. Once the user completes the MFA process, they are logged into Juniper VPN.

The VPN MFA process in ADSelfService Plus can also handle vendor-specific RADIUS attributes, which may influence access and authorization. The solution utilizes an NPS extension to forward RADIUS requests from the Juniper VPN server to ADSelfService Plus, and then sends the RADIUS accept status back to the VPN server once the MFA process is successfully completed. This response can also include custom attributes from Juniper VPN, such as group membership, resource permissions, and authorization details, which are carried over during the RADIUS request.
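The RADIUS reply described above can be inspected on the wire. The following is an added example, not ManageEngine or Juniper code: it checks the RFC 2865 Response Authenticator on an Access-Accept and lists the Vendor-Specific attributes carried under Juniper's IANA enterprise number (2636). The shared secret, request authenticator, vendor type 1 and its value are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
VENDOR_SPECIFIC = 26     # RFC 2865 attribute type
JUNIPER_PEN = 2636       # IANA enterprise number for Juniper Networks

def parse_tlvs(data):
    """Split RFC 2865 type/length/value attributes, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    """True only if the reply was produced by a holder of the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    want = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(want, packet[4:20])

def juniper_vsas(packet):
    """Return [(vendor_type, value)] for Vendor-Specific attributes under Juniper's PEN."""
    found = []
    for atype, value in parse_tlvs(packet[20:]):
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == JUNIPER_PEN:
                found.extend(parse_tlvs(value[4:]))
    return found

# Constructed sample: secret, authenticator, vendor type 1 and its value are placeholders.
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
_sub = bytes([1, 2 + 9]) + b"vpn-users"
_vsa = struct.pack("!I", JUNIPER_PEN) + _sub
ATTRS = bytes([VENDOR_SPECIFIC, 2 + len(_vsa)]) + _vsa
SAMPLE = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(ATTRS))
          + response_authenticator(ACCESS_ACCEPT, 7, ATTRS, REQ_AUTH, SECRET) + ATTRS)

if __name__ == "__main__":
    print(verify_response(SAMPLE, REQ_AUTH, SECRET), juniper_vsas(SAMPLE))
```

Because authorization attributes travel inside this reply, a reply whose authenticator does not verify should be dropped before any attribute in it is acted on.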

Benefits of ADSelfService Plus' VPN MFA

  • Conditional access: ADSelfService Plus' conditional access feature enhances VPN MFA by applying specific authentication policies that evaluate conditions like IP address, geolocation, device type, and time of access before granting access. For example, MFA might be pared down only if the user is logging in from a trusted network and using a compliant device during work hours. This approach ensures that only secure, verified access attempts are successful, reducing the risk of unauthorized access while improving security posture.
  • Real-time audits: ADSelfService Plus offers detailed, built-in reports that audit users' MFA attempts and log crucial information, including the time of the MFA attempt, device type, IP address, and authenticator used. These logs can also be sent to a SIEM solution for further analysis and actionable response.
  • Holistic endpoint protection: ADSelfService Plus doesn't stop at securing just VPN logins. The solution's expansive MFA feature fortifies all crucial endpoints in an enterprise including machines, enterprise applications, Microsoft OWA, and IIS applications. This helps enterprises formulate an enterprise-wide identity security strategy that is comprehensive and yet tailor-made for each department.

Supported VPN providers:

ADSelfService Plus' VPN MFA capability is built on the standard RADIUS protocol and supports all RADIUS-based VPN providers including:

  • Cisco ASA AnyConnect VPN MFA
  • OpenVPN MFA
  • Fortinet VPN MFA
  • Palo Alto VPN MFA
  • SonicWall VPN MFA
  • Check Point VPN MFA

You can also enable MFA to secure non-VPN RADIUS endpoints such as Citrix Gateway, Microsoft Remote Desktop Gateway, and VMware Horizon View.

ADSelfService Plus also supports

  • Adaptive MFA: Enable context-based MFA with 19 different authentication factors for endpoint and application logins.
  • Enterprise single sign-on: Allow users to access all enterprise applications with a single, secure authentication flow.
  • Remote work enablement: Enhance remote work with cached credential updates, secure logins, and mobile password management.
  • Powerful integrations: Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.
  • Enterprise self-service: Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.
  • Zero Trust: Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.
