Barracuda SSL VPN

How is OCSP Authentication configured on the Barracuda SSL VPN?

  • Type: Knowledgebase
  • Date changed: 8 years ago

Solution #00004619

 

Scope:

Applies to Barracuda SSL VPNs, firmware version 1.7 and above.

 

Answer:

OCSP (Online Certificate Status Protocol) is an Internet protocol for obtaining the revocation status of an X.509 digital certificate. OCSP is similar to a CRL (Certificate Revocation List), but the CRLs are parsed on the OCSP Responder instead of on the client side. As of firmware version 1.7, the Barracuda SSL VPN supports this form of authentication for accessing the SSL VPN UI.


 

To configure OCSP authentication for accessing the Barracuda SSL VPN, you must use Client Certificate authentication and configure the options specific to OCSP. Follow these steps:

  1. Upload the Root CA from the OCSP server in the Advanced > SSL Certificates section of the Barracuda SSL VPN. Import it with the Certificate Type "A root CA certificate you trust for client certificate authentication". Important: If using a Chain Certificate, make sure it is chained to the Root CA.

  2. Navigate to Resources > Security Settings > Client Certificates and set the following options:

    • Mode of Operation should be set to Accept Certificates.
    • Certificate Type should be set to Trusted Root CA.
    • Certificate Attribute should have the name of the attribute in the certificate.
    • User Database Attribute should be set to the attribute on the SSL VPN that holds user certificates. By default, this is certAttribute. The attribute must have a value in order to be used. An administrator can set it on the user's Accounts page, or users can set it themselves on their own Attributes page.
    • OCSP Checking should be set to Enabled.
    • OCSP Responder should be set to the OCSP responder server URL.

  3. In Access Control > Authentication Schemes, create an Authentication Scheme that uses Client Certificate Authentication. Make sure that each user who will use this scheme has a value set for the Certificate Attribute. If using Active Directory, this can be set in the Active Directory database.

  4. Attempt to log in as a user who uses the authentication scheme. Select the certificate when prompted. If using a form of OCSP that keeps the certificate on an external device (e.g. a key card), the certificate will commonly be added to the web browser automatically. If not, the certificate will need to be added to the web browser manually.
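
The following is an added example, not part of the Barracuda article: it runs the OCSP exchange that the OCSP Checking option depends on, offline, with the `openssl ocsp` tool, so you can see a client certificate go from good to revoked and confirm the response verifies against the root CA. The CA name, the user alice, serial 0x1000 and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example: one OCSP exchange, run offline with the openssl CLI.
# Constructed values: CA name, user "alice", serial 0x1000, all file names.

# Create a throwaway root CA and a client certificate it signs.
ocsp_lab_setup() {
    LAB=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$LAB/client.key" -out "$LAB/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$LAB/client.csr" -CA "$LAB/ca.pem" \
        -CAkey "$LAB/ca.key" -set_serial 4096 -days 1 \
        -out "$LAB/client.pem" 2>/dev/null || return 1
}

# Write the responder's database: $1 is V (valid) or R (revoked).
# Fields: status, expiry, revocation time, serial (hex), file, subject.
ocsp_lab_set_state() {
    revoked_at=""
    if [ "$1" = R ]; then revoked_at=$(date -u +%y%m%d%H%M%SZ); fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" 350101000000Z "$revoked_at" \
        1000 unknown "/CN=alice" > "$LAB/index.txt"
}

# Client builds a request, responder answers from index.txt, client then
# verifies the signed response against the root CA and reads the status.
ocsp_lab_status() {
    openssl ocsp -issuer "$LAB/ca.pem" -cert "$LAB/client.pem" -no_nonce \
        -reqout "$LAB/req.der" >/dev/null 2>&1 || return 1
    openssl ocsp -index "$LAB/index.txt" -CA "$LAB/ca.pem" -no_nonce \
        -rsigner "$LAB/ca.pem" -rkey "$LAB/ca.key" \
        -reqin "$LAB/req.der" -respout "$LAB/resp.der" >/dev/null 2>&1 || return 1
    out=$(openssl ocsp -issuer "$LAB/ca.pem" -cert "$LAB/client.pem" -no_nonce \
        -respin "$LAB/resp.der" -CAfile "$LAB/ca.pem" 2>&1) || return 1
    # A status from a response that does not verify must not be trusted.
    case $out in *"Response verify OK"*) ;; *) echo unverified; return 0 ;; esac
    case $out in
        *": good"*) echo good ;;
        *": revoked"*) echo revoked ;;
        *) echo unknown ;;
    esac
}

ocsp_lab_setup && ocsp_lab_set_state V && echo "before revocation: $(ocsp_lab_status)"
ocsp_lab_set_state R && echo "after revocation: $(ocsp_lab_status)"
rm -rf "$LAB"
```

Against a live responder, the same client check uses `-url` with the OCSP Responder URL from step 2 in place of `-respin`, with the root CA uploaded in step 1 passed to `-issuer` and `-CAfile` (assuming the client certificate is issued directly by that root CA).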

Link to this page:

https://campus.barracuda.com/solution/50160000000IB1OAAW