To authenticate users with more than just their usernames and passwords, configure authentication schemes. Every authentication scheme comprises at least one authentication module, such as PINs, passwords, certificates, or one-time passwords. You can add as many authentication modules as your security policy requires. You can also configure a secure, default authentication method and offer users an alternative method to log in. For example, you can require users to use their hardware token with a client certificate for normal logins, but allow them to log in with a password and PIN code if they are using a computer that cannot use hardware tokens.
Some authentication modules must be used together with other authentication modules. These modules are referred to as "secondary" authentication modules because they rely on user information that a primary module has already established. Some modules can be used as either primary or secondary authentication modules. The following table lists the type of each available authentication module:

| Authentication module | Type |
|---|---|
| OTP (One-Time Passwords) | Secondary |
The Client Certificate module validates an SSL client certificate installed in the browser's certificate store against the root certificate that is uploaded to the Barracuda SSL VPN. The SSL client certificate can be installed manually, per Active Directory policy, or with a hardware token using the vendor's utility. It is recommended that you use the Client Certificate module as a secondary module, because it authenticates the browser and not the user directly. This is not the case when using hardware tokens or SSL client certificates containing user information that is checked when processing the login.
For more information, see How to Configure SSL Client Certificate Authentication.
The IP Address module is useful when users always log in from the same computer with the same IP address. You must manually specify the allowed IP address for every user. If a user tries to authenticate from a computer with a different IP address, the login attempt is denied.
To configure the IP Address module, go to the ACCESS CONTROL > Accounts page and specify the allowed IP address for each user. To let a user log in from any IP address, enter an asterisk (*).
Password authentication is the classic authentication module and is used for almost every account. Passwords can be used either from external authentication sources, such as an Active Directory server, or from the built-in user database. You can define a password policy to ensure that only safe passwords are used. Passwords for external authentication methods can only be changed if the appliance has read/write access.
For more information on external authentication, see How to Configure User Databases.
A PIN is a numeric password. Its length is configurable and usually varies between four and six digits. You can let users create their PINs during initial logins, or you can manually assign PINs. After a PIN's configured lifetime, it expires and the user is asked to create a new PIN during the next login. To prevent weak PINs, disable the use of sequential numbers (e.g., 1234).
To configure the PIN module, go to the PIN section on the ACCESS CONTROL > Security Settings page.
Public key authentication is one of the most secure methods of authentication, because the authentication information can be stored on a removable medium such as a USB key device. You can generate the key files for every user, or you can reset the public keys for everyone, letting users generate the keys during initial logins. After the key is generated, the login applet searches external media and the user's home directory for available keys. The user selects the correct key and enters the matching passphrase to complete the login.
For more information, see How to Configure Public Key Authentication.
External RADIUS servers can be queried by the appliance to authenticate users. RADIUS servers are often used for external authentication methods that require users to enter a secondary challenge password.
RADIUS servers are also integrated with some hardware token solutions. The hardware token generates a login passphrase, and the RADIUS server passes that string to the token vendor's external security appliance, which validates it. Challenge images can be used in combination with RADIUS authentication.
Because the RADIUS server is an external authentication service, it is not managed by the appliance. You must verify that the user information hosted on the RADIUS server corresponds to the information stored in the user database on the Barracuda SSL VPN.
For more information, see Example - How to Install and Configure YubiX and Example - Authentication with SMS Passcode RADIUS server.
The Google Authenticator app generates time-based one-time passwords (TOTP). The Google Authenticator authentication module can be used as a primary or secondary module. The user has to enter a Google Authenticator secret key or scan the barcode to set up an account on their mobile device. The app then generates six-digit codes, each valid for thirty seconds until the next code is automatically generated.
For more information, see How to Configure Google Authenticator (TOTP) Authentication and Google Authenticator User Guide.
OTP (One-Time Password)
You can use one-time password (OTP) authentication only as a secondary authentication module. The OTP is generated by the appliance at login and is only valid for a short period of time. The OTP can be delivered by email or SMS (if an external SMTP-to-SMS service is available). If you do not want users to wait for OTPs during login, you can configure the appliance to deliver OTPs before login and set a longer expiration time (hours or days). If a user's OTP expires before it can be used, a new OTP is sent during the user's next login.
If you are using an external OTP system (e.g., SMS Passcode), configure it through a RADIUS server rather than the OTP authentication module, because external OTP systems interface with the Barracuda SSL VPN via RADIUS and not with the OTP authentication module.
For more information, see How to Configure One-Time Password (OTP) Authentication.
You can use the Personal Questions module only as a secondary authentication module. It does not require any external servers or configuration. When users initially log in, they are asked five questions, and their answers are stored by the module.
To authenticate a user, the module randomly selects one of the preconfigured questions and compares the user input to the stored answer. If the user input matches the answer, the user is logged in.