Barracuda CloudGen Firewall

How to Configure the Azure Multi-Factor Authentication Server for VPN Client Authentication


Install an Azure Multi-Factor Authentication (MFA) server and configure RADIUS authentication with the CloudGen Firewall as the RADIUS client. The Azure MFA server supports only PAP and MSCHAPv2 when acting as a RADIUS server. Note that with PAP the user's password is only obfuscated with the RADIUS shared secret (RFC 2865), not encrypted, so use a long, unique shared secret and keep the RADIUS traffic between the firewall and the MFA server on a trusted network.

Configure the MFA Server

  1. Install your MFA server as described in https://docs.microsoft.com/en-gb/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius.
  2. On the MFA server, configure RADIUS authentication with the CloudGen Firewall as the RADIUS client. Ideally, enable Require Multi-Factor Authentication user match; alternatively, import or create the users manually.
  3. In the MFA RADIUS authentication, you can assign a group in one of two ways:
    • To set one manually, go to Attributes on the MFA server, add Login-LAT-Group, and provide a value. Note that the firewall expects the group to be provided by the RADIUS server, so this attribute must be present in the Access-Accept.
    • Alternatively, the CloudGen Firewall can take the groups from Active Directory if LDAP servers are available. For more information, see How to Configure MSAD Authentication.

Configure RADIUS Authentication on the CloudGen Firewall

  1. On the firewall, go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
  2. In the left navigation pane, select RADIUS Authentication.
  3. Click Lock.
  4. From the Configuration Mode menu on the left, select Advanced View.
  5. Enable the RADIUS scheme and add a new RADIUS server. Configure the settings with the correct IP address and port to match your MFA server details. For more information, see How to Configure RADIUS Authentication.
    • In combination with manual group setup, leave Group Attribute values as default.
    • To allow the firewall to look up the user's group via the MSAD scheme:
      1. Set User Info Helper Scheme to MSAD.
      2. Set OTP Preserves State to Yes.
  6. In the left navigation pane, select Timeouts and Logging.
  7. Increase the Request Timeout [s] value from 10 to 130. (You may need to increase this value if your users are struggling to authenticate in time.)
  8. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
  9. Click the Click here for Server Settings link.
  10. Increase the value for Handshake Timeout (sec) to 30. (You may need to increase this value further if users are struggling to complete authentication in time.)
  11. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Client to Site.
  12. Go to External CA and click the Rules tab.
  13. Select Click here for options and select radius as the Default Authentication Scheme. If you are not using MSAD as the Group Helper, set the VPN group attribute to match the Login-LAT-Group value you configured on the MFA server.
  14. Click Send Changes and Activate.
  15. On the VPN clients, you may also need to go into the Advanced Settings of the profile and adjust the Connect Timeout from the default of 10 to 60 (or greater) to give users enough time to complete the process.
    The more complex the method, the more time users will need.
  16. Configure the remaining settings as recommended at Client-to-Site VPN.

MFA Validation Methods

On the MFA server, the validation method can be configured either globally (Company Settings) or per user.

To enable the OTP via text message, two configuration steps are required:

  1. In the User or Company Settings, configure Text message with One-Way OTP or OTP plus PIN. If you use OTP plus PIN, the user must enter the OTP and the PIN as one value. For example: 123459876
  2. To support OTP via the firewall:
    1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
    2. In the left navigation pane, select RADIUS Authentication.
    3. Make sure that OTP Preserves State is set to Yes.
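The following is an added example, not code from Barracuda or Microsoft, showing what the firewall and the MFA server exchange over RADIUS in the setup above: PAP User-Password hiding under the shared secret (why the secret and the trusted transport matter), the Response Authenticator check that lets the RADIUS client reject a reply built with a different secret, the Access-Challenge/State round trip in which the OTP (or OTP plus PIN, entered as one value) is sent, and extraction of the Login-LAT-Group attribute that the firewall matches against its VPN group. The MFA server side is a constructed stand-in; the group name, user, secret and the assumption that the MFA server prompts for the OTP via Access-Challenge (with the State attribute that OTP Preserves State is assumed to concern) are illustrative only.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, STATE, LOGIN_LAT_GROUP = 1, 2, 24, 36


def pap_transform(data, secret, authenticator, decode=False):
    """RFC 2865 5.2 User-Password hiding: pad to 16 bytes, XOR each block with
    MD5(secret + previous cipher block). Keyed obfuscation, not encryption."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decode else block)
    return out.rstrip(b"\x00") if decode else out  # strip padding on decode


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLV attributes; refuse truncated or zero-length entries instead of looping."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, state=None):
    request_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_transform(password.encode(), secret, request_auth))]
    if state is not None:
        attrs.append((STATE, state))  # second round echoes the server's State unchanged
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client side: a reply counts only if it was built with the same shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def group_from_accept(response, request, secret):
    """Return the Login-LAT-Group string from an authentic Access-Accept, else None."""
    if not verify_response(response, request, secret) or response[0] != ACCESS_ACCEPT:
        return None
    groups = [v for t, v in decode_attrs(response[20:]) if t == LOGIN_LAT_GROUP]
    return groups[0].decode() if groups else None


def fake_mfa_server(request, secret, password, otp_plus_pin, group, sessions):
    """Constructed stand-in for the MFA server (not Azure code): password first,
    then Access-Challenge carrying State, then OTP+PIN with that State echoed back."""
    attrs = dict(decode_attrs(request[20:]))
    supplied = pap_transform(attrs.get(USER_PASSWORD, b""), secret, request[4:20],
                             decode=True).decode(errors="replace")
    if STATE not in attrs:
        if supplied != password:
            return build_response(ACCESS_REJECT, request, secret, [])
        state = os.urandom(8)
        sessions.add(state)
        return build_response(ACCESS_CHALLENGE, request, secret, [(STATE, state)])
    if attrs[STATE] in sessions and supplied == otp_plus_pin:
        sessions.discard(attrs[STATE])
        return build_response(ACCESS_ACCEPT, request, secret, [(LOGIN_LAT_GROUP, group.encode())])
    return build_response(ACCESS_REJECT, request, secret, [])


def client_login(secret, username, password, otp_plus_pin, send):
    """Two-round login as the RADIUS client would do it; returns the group or None."""
    req = build_access_request(1, username, password, secret)
    resp = send(req)
    if not verify_response(resp, req, secret):
        raise ValueError("unauthentic reply: shared secret mismatch or spoofed packet")
    if resp[0] == ACCESS_CHALLENGE:
        state = dict(decode_attrs(resp[20:])).get(STATE)
        if state is None:
            raise ValueError("Access-Challenge without State attribute")
        req = build_access_request(2, username, otp_plus_pin, secret, state=state)
        resp = send(req)
    return group_from_accept(resp, req, secret)
```

Running `client_login` against `fake_mfa_server` with matching secrets returns the group; a wrong password or wrong OTP yields None (Access-Reject), and a shared-secret mismatch is caught by the Response Authenticator check rather than silently producing a reject. Note that the challenge round is where the Request Timeout and Handshake Timeout increases above matter: the State must be echoed within the window the server keeps for the session.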