This solution applies to Barracuda SSL VPNs, all firmware versions.
When logging into SSL VPN you may sometimes get prompted for your password, even though you selected an authentication scheme that does not contain the Password module.
SSL VPN allows the storage of confidential attributes. These attributes are stored securely on the server by encrypting them with a public/private key pair. In order to protect this data the private key must be encrypted using a suitable pass phrase.
The default behavior of SSL VPN is to encrypt this private key using the user?s SSL VPN password. When logging in using an Authentication Scheme that uses the password module, these attributes automatically get decrypted for the user. However, if the user logs on using a scheme which does not use password, such as Client Certificates, then when logging in for the first time after a restart of the server the user will be prompted to enter their password so that the server can decrypt the key and gain access to the confidential attributes. The user will also be prompted to enter their old password if the password changes outside of SSL VPN, for example in an Active Directory environment.
You can change this behavior using the options under Access Control > Security Settings in the Confidential Attributes section. If Confidential Mode is set to Prompt, the user will be required to enter a unique pass phrase independent of their password, if set to Disabled the user will not be prompted and confidential attributes will not be encrypted.
Link to This Page: