It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda SSL VPN

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda SSL VPN sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

Example - How to Install and Configure YubiX

  • Last updated on

Deploy the YubiX virtual appliance to authenticate users on the Barracuda SSL VPN. After YubiXis installed, Barracuda SSL VPN can be configured to act as a RADIUS client.

Prerequisites

  • A YubiKey
  • A VM host server to load the Virtual Appliance
  • An external user database that both the SSL VPN and YubiX servers can connect to, such as Active Directory or LDAP.

Installing the YubiX virtual appliance

  1. Go to http://www.yubico.com.
  2. Download a virtual appliance of the YubiX. You will need to register on the Yubico website to download the virtual appliance image. Enter your registration details and click Submit. Yubico will send an email containing a link to the image. Click the link to download the image. 
  3. Extract the VM from the zip.
  4. Edit the .vmx file, change the config.version from 7 to 8, and save the file.
  5. Import the virtual machine into your VM host server (e.g., XenServer).
    yrd_v_app1.png

  6. Edit the machine settings, remove the Ethernet adapter, and add a new one. This allows the VM to connect to the network.

Configuring the YubiRADIUS virtual appliance

  1. After the virtual appliance has imported, start it and connect to the console. Log in with user yubikey and password yubico.
    yrd_v_app_01.png 

    This example configuration uses DHCP by default.
  2. With a web browser, navigate to the IP address of the appliance. You can find it on the console. The YubiX Welcome screen opens.
    yrd_v_app_02.png 
  3. Create a username and set and confirm the password.

  4. Click Set credentials. You get prompted for YubiADMIN.
    yrd_v_app_03.png

  5. Log in with the username and password you just created.
  6. In the left menu, select FreeRADIUS, then click the RADIUS Clients tab.
  7. Add a new RADIUS client to the bottom of the file, which should match the IP address of your SSL VPN. Choose a unique shared secret.
    yrd_v_app_04.png
  8. Click Save.
  9. In the left menu, select YubiAuth, then click on Password Validation.
  10. Select the Authenticate users against LDAP check box.
  11. Enter a valid LDAP server URL and Bind DN for your AD/LDAP service.
    yrd_v_app_05.png
  12. This configuration will use the YubiCloud validation servers. Verify and/or create access rules on your network’s firewall to allow outbound access on TCP ports 80 and 443 to api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com, and api5.yubico.com.
  13. Get a client ID and API key:
    1. Go to https://upgrade.yubico.com/getapikey/
    2. Enter your email address that you used to register with Yubico. 
    3. Select the password field, insert your YubiKey and select Get API Key to have Yubico enter the password for you.
      yrd_v_app_06.png 
  14. On the YubiAuth > OTP validation page, insert the resulting Client ID and Secret Key into the Client ID and API Key fields respectively and click Save.
    yrd_v_app_07.png 

You should now be able to do a test authentication locally on the YubiX box in the shell, using:

radtest user1 passwordcccccccccccbbtrtikevthrvhceudvvuveidihckgrgl 127.0.0.1 0 testing123
Sending Access-Request of id 51 to 127.0.0.1 port 1812

User-Name = "user1"
User-Password = "testingcccccccccccbbtrtikevthrvhceudvvuveidihckgrgl"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20

This will add that AD user into the Manage Users section and assign the Yubikey you used to that account.

yrd_v_app_users.png

You can now test with an external RADIUS client, such as NTRadPing, to see if external requests are being answered. Note that you must have a RADIUS client configured for the machine you test from.

Configuring Barracuda SSL VPN

  1. Log on to the Barracuda SSL VPN web interface as ssladmin.
  2. Navigate to ACCESS CONTROL > Authentication Schemes
  3. Create a new authentication scheme that contains the RADIUS module (Select RADIUS, click Add). Select a policy that will be able to use this authentication (such as Everyone for example) and click Add. The new module will appear. This may be set as the default module by clicking More next to the item and choosing Increase Priority until it appears at the top of the list. 
    yrd_v_app21.png
  4. Navigate to ACCESS CONTROL > User Databases and ensure you are connected to the same user database that YubiRADIUS is connected to. If not, edit the user database and alter the settings so that this is correct.
    yrd_v_app22.png
  5. Navigate to ACCESS CONTROL > Configuration and scroll to the RADIUS section.
    1. Enter the hostname or IP address for the YubiRADIUS appliance in the RADIUS Server field.
    2. Keep the ports the same.
    3. Enter the same shared secret as used in the YubiRADIUS RADIUS client configuration earlier.
    4. Set the Authentication Method to PAP.
      You can keep all other default settings.
    5. Click Save Changes

      yrd_v_app23.png

  6. You can now connect to the Barracuda SSL VPN via this user account. Enter the username and click Login
    yrd_v_app24.png 
  7. Enter the user’s user database password WITHOUT pressing Enter, and immediately press the YubiKey button (so that the password is a combination of the user’s password + the YubiKey password)
    yrd_v_app25.png 
    The user should now be logged on successfully: 
     yrd_v_app26.png