Applies to Barracuda SSL VPNs, firmware version 1.7 and above.
OCSP (Online Certificate Status Protocol) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. OCSP is similar to CRL (Certificate Revocation List), but the CRLs are parsed on the OCSP responder instead of on the client side. As of firmware version 1.7, the Barracuda SSL VPN supports this form of authentication for accessing the SSL VPN UI.
To configure OCSP authentication for accessing the Barracuda SSL VPN, use Client Certificate authentication and configure the options specific to OCSP. Follow these steps:
- Upload the Root CA from the OCSP server in the Advanced > SSL Certificates section of the Barracuda SSL VPN. Import it with the Certificate Type "A root CA certificate you trust for client certificate authentication". Important: If using a Chain Certificate, make sure it is chained to the Root CA.
- Navigate to Resources > Security Settings > Client Certificates and set the following options:
  - Mode of Operation should be set to Accept Certificates.
  - Certificate Type should be set to Trusted Root CA.
  - Certificate Attribute should have the name of the attribute in the certificate.
  - User Database Attribute should be set to the attribute on the SSL VPN that holds user certificates. By default, this is certAttribute. The attribute must have a value in order to be used. An administrator can set it on the user's Accounts page, or the user can set it themselves on their own Attributes page.
  - OCSP Checking should be set to Enabled.
  - OCSP Responder should be set to the OCSP responder server URL.
Attempt to log in as a user who uses the authentication scheme. Select the certificate when prompted. If using a form of OCSP that keeps the certificate on an external device (e.g. a key card), the certificate will commonly be added to the web browser automatically. If not, the certificate will need to be added to the web browser manually.
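The responder URL and Root CA used in the steps above can be checked from a workstation with the OpenSSL command line before OCSP Checking is set to Enabled. The script below is an added example, not Barracuda code; it assumes OpenSSL is installed and that the client certificate is issued directly by the Root CA, and the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not Barracuda code): pre-flight check of the OCSP responder.
# Assumption: the client certificate is issued directly by the Root CA, so the
# same PEM file is used as issuer and as trust anchor.

# Ask the responder about one certificate; stderr is merged because OpenSSL
# reports signature verification there.
# usage: ocsp_query ROOT_CA_PEM CLIENT_CERT_PEM RESPONDER_URL
ocsp_query() {
  openssl ocsp -issuer "$1" -CAfile "$1" -cert "$2" -url "$3" 2>&1
}

# Reduce `openssl ocsp` output (stdin) to one word. Fails closed: a status is
# only reported when the response signature verified against the Root CA.
ocsp_verdict() {
  awk '
    /^Response verify OK/       { verified = 1 }
    /: (good|revoked|unknown)$/ { status = $NF }
    END {
      if (!verified)         print "untrusted-response"
      else if (status == "") print "no-status"
      else                   print status
    }'
}

if [ "$#" -eq 3 ]; then
  ocsp_query "$@" | ocsp_verdict
else
  # Constructed sample output, not from a real responder.
  printf 'Response verify OK\nclient.pem: revoked\n' | ocsp_verdict
fi
```

A result of `untrusted-response` means the reply was missing or not signed under the supplied Root CA, which points at the responder URL or the CA file rather than at the client certificate.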