Barracuda CloudGen Firewall

How to Configure RSA-ACE SecurID Authentication

RSA-ACE is a commonly used two-factor authentication method for network and VPN users. When authenticating against an RSA-ACE server, users sign in with their username and a password that consists of their PIN and the RSA SecurID code provided by a token.

Before You Begin

  • RSA-ACE does not provide group information. To create groups, follow the instructions given in How to Configure Explicit Groups.
  • For authentication against the Barracuda CloudGen Firewall using an RSA-ACE authentication server, verify that the Clear Node Secret is properly set.

Step 1. Configure the RSA-ACE Server

Before configuring RSA-ACE authentication, you must prepare the RSA-ACE server.

  1. Create an Agent Host and add the users who want to authenticate over the Barracuda CloudGen Firewall.

    The hostnames must be DNS resolvable (for both the Box IP address of the Barracuda CloudGen Firewall and the IP address of the ACE server). The time on the Barracuda CloudGen Firewall must be the same as the time on the ACE server.

    • Encryption – Select DES.
    • Type – Select Unix Agent.
  2. Click Assign Acting Server.

  3. Export the configuration to insert it in the RSA-ACE Authentication configuration as explained in Step 2.

Users who want to authenticate over a proxy must complete their first authentication somewhere other than the Barracuda CloudGen Firewall because PIN number validation is not supported.

If you want to use RSA-ACE authentication in a high-availability cluster, you must configure both CloudGen Firewalls as separate nodes on the RSA-ACE server.

Step 2. Configure RSA-ACE Authentication
  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
  2. In the left navigation pane, select RSA-ACE Authentication.
  3. Click Lock.
  4. For Activate Scheme, select Yes from the menu list.
  5. In the Basic section, click +.
  6. The Basic - AUTO-KEY26662 window opens.
  7. For RSA Hostname, enter the hostname of the RSA server.

    Note that the RSA port field is preset to 5555.

  8. For RSA Authentication Agent, enter the authentication agent hostname as configured with the RSA authentication manager.

  9. For RSA Client Key, enter the client key of the RSA authentication manager.
  10. The checkboxes for Verify RSA certificate's name, Verify RSA SSL peer, and Verify RSA SSL certificate status are preset by default. You can modify the status depending on your individual requirements.
  11. Click OK.
  12. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
  13. Click Send Changes and Activate.
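
The prerequisites from Step 1 (DNS-resolvable hostnames, matching clocks) and the preset RSA port from Step 2 can be checked before you activate the scheme. The following Python script is an added example, not part of the Barracuda documentation. The hostnames, the Box IP, the 30-second tolerance, and running it from a host that shares the firewall's DNS and network path are assumptions, and the ACE server's clock reading must be supplied by the operator.

```python
import socket
from datetime import datetime, timezone

RSA_PORT = 5555          # preset RSA port shown in Step 2
MAX_SKEW_SECONDS = 30    # assumed tolerance; the page only says the clocks must match


def resolve(hostname):
    """Return the set of IP addresses a hostname resolves to (empty if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(agent_host, box_ip, rsa_host, box_time, ace_time, rsa_port=RSA_PORT):
    """Return a list of problems; an empty list means the prerequisites hold."""
    problems = []
    if box_ip not in resolve(agent_host):
        problems.append(f"{agent_host} does not resolve to Box IP {box_ip}")
    if not resolve(rsa_host):
        problems.append(f"{rsa_host} is not DNS resolvable")
    elif not port_open(rsa_host, rsa_port):
        problems.append(f"{rsa_host}:{rsa_port} is not reachable over TCP")
    skew = abs((box_time - ace_time).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        problems.append(f"clock skew of {skew:.0f}s between firewall and ACE server")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own hostnames, Box IP and clock readings.
    now = datetime.now(timezone.utc)
    for line in preflight("fw01.example.internal", "192.0.2.10",
                          "ace01.example.internal", now, now) or ["all checks passed"]:
        print(line)
```

In a high-availability cluster, run the check once per CloudGen Firewall, because each one is a separate node on the RSA-ACE server.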

RSA-ACE SecurID Authentication Through the Remote Management Tunnel

To allow remote CloudGen Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.