It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Access Control Policies for One-Time Password Authentication

  • Last updated on

TOTP authenticators, such as Google Authenticator or Microsoft Authenticator, use Time-Based One-Time Passwords (TOTP) generated by an app on your mobile device to authenticate the user. The app generates temporary six-digit numbers calculated from a shared secret and the current time. To be able to use this on the CloudGen Firewall, the TOTP app must be enrolled by the user in a two-step process. To associate TOTP authentication with user and group information, a helper scheme such as MSAD or LDAP must be configured. TOTP authentication is supported for CudaLaunch, the SSL VPN web portal, and the Barracuda VPN Client. For SSL VPN users to be able to self-enroll, they must be able to access the SSL VPN through an Access Control Policy that is not using TOTP as an authentication method. After all users are enrolled, the admin can then switch to an Access Control Policy requiring TOTP authentication. To be able to share the linked accounts over managed firewalls in a single HA cluster, use a repository entry.


Enrolling Mobile Devices

Before You Begin

Step 1. Configure an MFA Access Control Policy for TOTP Authentication

Configure an Access Control Policy using TOTP as the secondary authentication scheme.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN.
  2. In the left menu, click Access Control Policies.
  3. Click Lock.
  4. Click + to add an Access Control Policy. The Access Control Policies window opens.
  5. Enter a Name and click OK.
  6. In the Access Control Policy section, select the Active check box.
  7. (optional) Add Allowed Groups and Blocked Groups.
  8. (optional) To use multi-factor authentication, add the primary authentication scheme:
    1. Click + to add the primary authentication scheme to the Authentication Scheme table. The Authentication Scheme window opens.
    2. From the Authentication Scheme drop-down list, select the primary authentication scheme. E.g., MS Active Directory, or LDAP
    3. Click OK.
  9. Click + to add TOTP to the Authentication Scheme table. The Authentication Scheme window opens.  
  10. In the Authentication Schemes window, set Authentication Scheme to Time-based_OTP.
  11. Click OK.  
  12. (optional) Click + to add Network Access Control criteria to the NAC Criteria table.
  13. Click OK.
  14. Click Send Changes and Activate.

Step 2. Activate the Access Control Policy for TOTP Authentication

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN.
  2. In the left menu pane, click SSL VPN Settings.
  3. Click Lock.
  4. In the Access section, click and select the Access Control Policy created in Step 2.
  5. Click Send Changes and Activate.

Step 3. (Single HA Cluster Only) Create a Repository Entry and Link

To be able to share the linked TOTP authentication accounts over managed firewalls in a high availability cluster, use a repository entry and create repository links. The primary and secondary firewall must use the repository entry.

  1. Log into the Control Center.
  2. Go to Your Managed Firewall > Infrastructure Services.
  3. Expand the configuration node, right-click Time-based OTP Bulk Enrollment and click Copy To Repository. The Select Object window opens.
  4. Enter a Name for the new object.
  5. Click OK.
  6. Right-click Time-based OTP Bulk Enrollment again and click Lock.
  7. Right-click Time-based Bulk Enrollment again and click Link From Repository.
  8. Select the Repository entry you just created.
  9. Click OK.
  10. Click Activate.

You can now link this repository entry to the secondary firewall in your HA cluster.