This solution applies to Barracuda SSL VPNs, all firmware versions.
One-Time Password (OTP) Authentication can be seen as an extension to Password Authentication. With Password Authentication, the configured password is used many times until a defined expiration date is reached and the password must be changed. That expiration tends to be around a month or so. With OTP Authentication, the password can be used only once, and its expiration is measured in minutes rather than days, so even the OTP’s existence is short-lived.
Any email-enabled device can receive OTPs, which means that your passwords may be sent by email to your inbox. Alternatively, if support for SMS via email is available in the country where the Barracuda SSL VPN resides, you can configure the OTP feature to send the password via email to an SMS gateway, which relays the message to the user’s cell phone.
The options for configuring OTP authentication can be accessed from Management Console > Access Control > Security Settings > One-Time Password. The parameters required to set up OTP authentication are described below:
- Send Mode: The options are At login or Before login and expire. The default setting is At login. If configured as At login, the message is sent at the time that the OTP part of authentication occurs, and the password expires after it is used. If configured as Before login and expire, a message is sent to the user with the password they should use for the next login attempt. When the user logs in, the password expires and a new message is sent for use the next time they log in. If the password is not used, it still expires after the given period of time and a new password is sent.
- Notify users of Mode change: If enabled, notifies users of a change in the password Send Mode. Enabled by default.
- Generation Type: Allows you to specify what type of password is generated. Options are Phonetic, Alpha, Numeric, Alpha Numeric, and ASCII. The default setting is Phonetic.
- Method of Password Delivery: The options are Email or SMS over Email. This will control which type of password delivery is used. The default is Email.
- Password Length: Sets the number of characters that will be in the password. The default is 8.
- Password at Login Expiry (secs): Sets the number of seconds before the password expires when Send Mode is set to At login. The default is 300 seconds.
- Password Before Login Expiry (hrs): Sets the number of hours before the password expires when Send Mode is set to Before login and expire. The default is 24 hours.
- Message Subject (email only): Sets the subject line of the email containing the password.
- Message Text: Sets the message text containing the password. Some replacement variables are used in order to show the password and the expiration time.
- Expired Subject (email only): Sets the subject line of the email sent when the Send Mode is changed.
- Expired Message: Sets the message text which is sent when the Send Mode is changed.
- Expiry Scheduler Period (secs): Sets the time between each scheduler cycle to check for expired passwords when Send Mode is set to At login. The default is 60 seconds.
- Notify Users of Password Expiry: When enabled, sends users a message when the scheduler runs to warn of forthcoming password expiry when Send Mode is set to At login. Enabled by default.
- Expiry Date Format: Sets the format of the expiry date sent in messages. The default is dd/mm/yyyy HH:mm.
Ultimately the configuration will be based on the Send Mode and Method of Delivery that are selected for use.
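The single-use and expiry behavior that the two Send Modes describe can be modeled as follows. This is an added Python example, not Barracuda's code: the class and method names, the character set chosen for each Generation Type, and the outbox list standing in for email or SMS delivery are assumptions, and Phonetic and ASCII are left out because the page does not define their alphabets.

```python
import hmac
import secrets
import string

# Assumed alphabets: the page names the Generation Types but not their characters.
ALPHABETS = {
    "Numeric": string.digits,
    "Alpha": string.ascii_letters,
    "Alpha Numeric": string.ascii_letters + string.digits,
}
AT_LOGIN_EXPIRY = 300            # Password at Login Expiry (secs), page default
BEFORE_LOGIN_EXPIRY = 24 * 3600  # Password Before Login Expiry (hrs), page default


class OtpStore:
    """Hypothetical model of the two Send Modes: one live password per user."""

    def __init__(self, send_mode="At login", gen_type="Alpha Numeric", length=8):
        self.send_mode, self.gen_type, self.length = send_mode, gen_type, length
        self.live = {}    # user -> (password, expiry time in seconds)
        self.outbox = []  # (user, password) pairs standing in for email/SMS

    def issue(self, user, now):
        ttl = AT_LOGIN_EXPIRY if self.send_mode == "At login" else BEFORE_LOGIN_EXPIRY
        alphabet = ALPHABETS[self.gen_type]
        # secrets draws from the OS CSPRNG; random.choice would be predictable.
        otp = "".join(secrets.choice(alphabet) for _ in range(self.length))
        self.live[user] = (otp, now + ttl)
        self.outbox.append((user, otp))
        return otp

    def verify(self, user, candidate, now):
        otp, expires = self.live.get(user, ("", 0))
        ok = (bool(otp) and now < expires
              and hmac.compare_digest(otp.encode(), candidate.encode()))
        if ok:
            del self.live[user]  # single use: replaying the same value fails
            if self.send_mode == "Before login and expire":
                self.issue(user, now)  # password for the next login goes out now
        return ok

    def expire_stale(self, now):
        """Drop unused passwords past expiry; Before login mode sends a new one."""
        for user, (_, expires) in list(self.live.items()):
            if now >= expires:
                del self.live[user]
                if self.send_mode == "Before login and expire":
                    self.issue(user, now)
```
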