Do you have Junos devices? If you do, excellent choice. Do you have MiToken? Once again, love your work there. If you don't have MiToken, it's a plug-in to the M$ IAS/NPS servers that allows mutiple types of hard and soft tokens to be used allowing secure OTPs with dual factor authentication with your Active Directory domain(s).
This post will guide you though configuring Junos to use MiToken for two factor authentiucation to help hardern your Junos devices.
Junos Device Config:
Now go jump into Junos configuration mode and set the following:
# Add radius to the password auth order
set system authentication-order radius
set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x secret "SECRET"
set system radius-server x.x.x.x timeout 10
set system radius-server x.x.x.x retry 2
set system radius-server x.x.x.x source-address x.x.x.x
# Block everyone access by default
set system login user remote full-name Radius-User
set system login user remote class unauthorized
# Create users who should get access
set system login user john full-name "John Smith"
set system login user john class super-user
MiToken / NPS Configuration:
Now lets configure the MiToken side to accept radius packets from our Junos device(s). The only down side to MiToken is it runs on Windows :-(.
1) Define a Radius client in NPS
Right click on radius clients and choose 'New RADIUS Client'
2) Define a connection request policy
Set up your policy to identify your Junos devices ... For more information refer to the MiToken Admin guide.
This step is optional. You do not have to require Windows Authentication to be active - This would take you back to single factor OTP auth
3) Enable MiToken on the connection request policy for Junos devices
Enjoy you radius dual factor authentication. Your auditors and boss will now love you. Hit them up for a raise.
Send some praise Cooper's way 🙂