Barracuda CloudGen Firewall

How to Configure Access Control Policies for One-Time Password Authentication

TOTP authenticators, such as Google Authenticator or Microsoft Authenticator, use Time-based One-Time Passwords (TOTP) generated by an app on the user's mobile device to authenticate the user. The app generates temporary six-digit codes calculated from a shared secret and the current time. To use TOTP on the CloudGen Firewall, each user must enroll their TOTP app in a two-step process. To associate TOTP authentication with user and group information, a helper scheme such as MSAD or LDAP must be configured. TOTP authentication is supported for CudaLaunch, the SSL VPN web portal, and the Barracuda VPN Client. For SSL VPN users to be able to self-enroll, they must be able to access the SSL VPN through an Access Control Policy that does not use TOTP as an authentication method. After all users are enrolled, the admin can switch to an Access Control Policy that requires TOTP authentication. To share the linked accounts across managed firewalls in a single HA cluster, use a repository entry.

Enrolling Mobile Devices

Before You Begin

Step 1. Enable Self Enrollment for Users and Groups using Time-based OTP

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN.
  2. In the left menu, click Time-based OTP.
  3. Click Lock.
  4. Select yes to Enable the TOTP Self Service.
  5. From the Authentication Scheme drop-down list, select your authentication scheme. E.g., MS Active Directory.
  6. In the Self Enrollment section,
    1. Select yes to Enable Self Enrollment.
    2. In the Allowed User Groups field, add the user groups that may enroll for TOTP authentication: delete the asterisk and enter the MSAD group name, e.g., CN=sales.
    3. In the Blocked User Groups field, add the user groups that must be blocked from self-enrolling.
  7. (optional) Import your company Logo and customize the Login Message for your users.
  8. Click Send Changes and Activate.

Step 2. Configure an MFA Access Control Policy for TOTP Authentication

Configure an Access Control Policy using TOTP as the secondary authentication scheme.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN.
  2. In the left menu, click Access Control Policies.
  3. Click Lock.
  4. Click + to add an Access Control Policy. The Access Control Policies window opens.
  5. Enter a Name and click OK.
  6. In the Access Control Policy section, select the Active check box.
  7. (optional) Add Allowed Groups and Blocked Groups.
  8. (optional) To use multi-factor authentication, add the primary authentication scheme:
    1. Click + to add the primary authentication scheme to the Authentication Scheme table. The Authentication Scheme window opens.
    2. From the Authentication Scheme drop-down list, select the primary authentication scheme, e.g., MS Active Directory or LDAP.
    3. Click OK.
  9. Click + to add TOTP to the Authentication Scheme table. The Authentication Scheme window opens.
  10. In the Authentication Scheme window, set Authentication Scheme to Time-based_OTP.
  11. Click OK.
  12. (optional) Click + to add Network Access Control criteria to the NAC Criteria table.
  13. Click OK.
  14. Click Send Changes and Activate.

Step 3. Activate the Access Control Policy for TOTP Authentication

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN.
  2. In the left menu pane, click SSL VPN Settings.
  3. Click Lock.
  4. In the Access section, click and select the Access Control Policy created in Step 2.
  5. Click Send Changes and Activate.

Step 4. (Single HA Cluster only) Create a Repository Entry and Link

To share the linked TOTP authentication accounts across managed firewalls in a high availability cluster, use a repository entry and create repository links. Both the primary and the secondary firewall must use the repository entry.

  1. Log into the Control Center.
  2. Go to Your Managed Firewall > Infrastructure Services.
  3. Expand the configuration node, right-click Time-based OTP Bulk Enrollment and click Copy To Repository. The Select Object window opens.
  4. Enter a Name for the new object.
  5. Click OK.
  6. Right-click Time-based OTP Bulk Enrollment again and click Lock.
  7. Right-click Time-based OTP Bulk Enrollment again and click Link From Repository.
  8. Select the Repository entry you just created.
  9. Click OK.
  10. Click Activate.

You can now link this repository entry to the secondary firewall in your HA cluster.