Deploy the YubiX virtual appliance to authenticate users on the Barracuda SSL VPN. After YubiX is installed, the Barracuda SSL VPN can be configured to act as a RADIUS client of the appliance.
- A YubiKey
- A VM host server to load the Virtual Appliance
- An external user database that both the SSL VPN and YubiX servers can connect to, such as Active Directory or LDAP.
Installing the YubiX virtual appliance
- Go to http://www.yubico.com.
- Download a virtual appliance of the YubiX. You will need to register on the Yubico website to download the virtual appliance image. Enter your registration details and click Submit. Yubico will send an email containing a link to the image. Click the link to download the image.
- Extract the VM from the zip.
- Edit the .vmx file, change the 8, and save the file.
- Import the virtual machine into your VM host server (e.g., XenServer).
- Edit the machine settings, remove the Ethernet adapter, and add a new one. This allows the VM to connect to the network.
Configuring the YubiRADIUS virtual appliance
- After the virtual appliance has imported, start it and connect to the console. Log in with user yubikey and password yubico.
This example configuration uses DHCP by default.
- With a web browser, navigate to the IP address of the appliance. You can find it on the console. The YubiX Welcome screen opens.
- Create a username, then set and confirm the password.
- Click Set credentials. You are then prompted to log in to YubiADMIN.
- Log in with the username and password you just created.
- In the left menu, select FreeRADIUS, then click the RADIUS Clients tab.
- Add a new RADIUS client entry at the bottom of the file, using the IP address of your SSL VPN as the client address. Choose a unique shared secret; it must be entered identically on the SSL VPN later.
- Click Save.
- In the left menu, select YubiAuth, then click on Password Validation.
- Select the Authenticate users against LDAP check box.
- Enter a valid LDAP server URL and Bind DN for your AD/LDAP service.
- This configuration uses the YubiCloud validation servers. Verify that your network firewall allows outbound access on TCP ports 80 and 443 to api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com, and api5.yubico.com, and create the access rules if they are missing.
- Get a client ID and API key:
  - Go to https://upgrade.yubico.com/getapikey/
  - Enter the email address you used to register with Yubico.
  - Select the password field, insert your YubiKey and select Get API Key to have Yubico enter the password for you.
- On the YubiAuth > OTP validation page, insert the resulting Client ID and Secret Key into the Client ID and API Key fields respectively and click Save.
You should now be able to do a test authentication locally on the YubiX box in the shell, using:
radtest user1 passwordcccccccccccbbtrtikevthrvhceudvvuveidihckgrgl 127.0.0.1 0 testing123
Sending Access-Request of id 51 to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "testingcccccccccccbbtrtikevthrvhceudvvuveidihckgrgl"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20
A successful test adds that AD user to the Manage Users section and assigns the YubiKey you used to that account.
You can now test with an external RADIUS client, such as NTRadPing, to confirm that requests from other hosts are answered. Note that the machine you test from must itself be configured as a RADIUS client on the appliance, or its requests are silently dropped.
Configuring Barracuda SSL VPN
- Log on to the Barracuda SSL VPN web interface as ssladmin.
- Navigate to ACCESS CONTROL > Authentication Schemes.
- Create a new authentication scheme that contains the RADIUS module (select RADIUS, click Add). Select a policy that will be allowed to use this authentication (for example Everyone) and click Add. The new module appears in the list. To make it the default module, click More next to the item and choose Increase Priority until it is at the top of the list.
- Navigate to ACCESS CONTROL > User Databases and ensure you are connected to the same user database that YubiRADIUS is connected to. If not, edit the user database and alter the settings so that this is correct.
- Navigate to ACCESS CONTROL > Configuration and scroll to the RADIUS section.
- Enter the hostname or IP address for the YubiRADIUS appliance in the RADIUS Server field.
- Keep the default ports.
- Enter the same shared secret as used in the YubiRADIUS RADIUS client configuration earlier.
- Set the Authentication Method to PAP.
You can keep all other default settings.
- Click Save Changes.
- You can now connect to the Barracuda SSL VPN via this user account. Enter the username and click Login.
- Enter the user’s user database password WITHOUT pressing Enter, and immediately press the YubiKey button (so that the password is a combination of the user’s password + the YubiKey password).
The user should now be logged on successfully.
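To make the radtest step and the password + OTP login step concrete, here is an added example that is not part of the original article or of Yubico's or Barracuda's software: it builds the same PAP Access-Request that radtest sends, hides the User-Password with the RFC 2865 shared-secret scheme, verifies the Response Authenticator on the server's reply, and splits the combined field into the user-database password and the 44-character OTP as the validation side must. The user name, password, OTP and secret are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from a live deployment): a user-database
# password followed by a 44-character ModHex YubiKey OTP, typed as one string
# as the VPN login step describes, plus the shared secret used by radtest.
PASSWORD = "password"
OTP = "cccccccccccbbtrtikevthrvhceudvvuveidihckgrgl"
SECRET = b"testing123"

def pap_encrypt(secret, authenticator, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret+prev)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out
def pap_decrypt(secret, authenticator, encrypted):
    """Inverse of pap_encrypt: what the RADIUS server does before checking."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")
def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def build_access_request(secret, user, password, ident, authenticator):
    """Access-Request (code 1) with the same attributes radtest sends."""
    attrs = (avp(1, user.encode())
             + avp(2, pap_encrypt(secret, authenticator, password.encode()))
             + avp(4, bytes([127, 0, 1, 1])) + avp(5, struct.pack("!I", 0)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
def build_access_accept(secret, ident, request_authenticator, attrs=b""):
    """Access-Accept (code 2); Response Authenticator = MD5(hdr+ReqAuth+attrs+secret)."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs
def verify_response(secret, request_authenticator, response):
    """Client check: the reply was made by a holder of the shared secret for our request."""
    digest = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return digest == response[4:20]
def split_password_otp(combined):
    """Server-side split of the combined field: the last 44 chars are the OTP."""
    if len(combined) <= 44:
        raise ValueError("no password in front of the OTP")
    return combined[:-44], combined[-44:]
```

A reply whose Response Authenticator does not verify should be discarded, since anyone on the path can forge an Access-Accept if the client does not check it.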