Use the Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP V2) to authenticate VPN clients over L2TP/PPTP (mutual authentication between peers) or to authenticate HTTP Proxy users. The firewall must join the domain before using MS-CHAP authentication.
Connecting to Read-only Domain Controllers
In addition to the adding the hostname for the Barracuda CloudGen Firewall, you must verify that the password for the user account used in the Helper Scheme is cached on the read-only domain controller.
Before You Begin
- Enable SMBv2 on the Windows Domain Controller.
Step 1. Configure MS-CHAP Authentication
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
- In the left menu, select MS-CHAP Authentication.
- From the Configuration Mode menu on the left, select Switch to Advanced View.
- Click Lock.
- Enable MS CHAP as external directory service.
Choose the NTLM protocol version supported by your authentication service.
In the Domain Realm field, enter the name of the Windows domain that is queried by the authenticator.
If the NetBIOS domain name differs from the MS Active Directory domain name, specify the NetBIOS Domain Name.
- Enter the MS Active Directory Workgroup Name if the workgroup name is different from the MS Active Directory domain name (Domain Realm).
In the Domain Controller field, enter the IP address of the domain controller.
In the WINS Server field, enter the IP address of the domain’s Windows Internet Name Service (WINS) server.
- If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list. For example, select MSAD if MS-CHAP is used for identity verification but group information must be queried from MSAD.
- Click Send Changes and Activate.
Step 2. Add the Barracuda CloudGen Firewall to a Windows Domain
- Go to CONTROL > Box.
- In the left menu, expand Domain Control and click Register at Domain.
Verify that the Barracuda CloudGen Firewall is joined to the domain by clicking Show Registration Status in CONTROL > Box > Domain Control.