Barracuda SSL VPN

How can I use RSA SecurID with my Barracuda SSL VPN?

  • Type: Knowledgebase
  • Date changed: 8 years ago

Solution #00005384

 

Scope:

Applies to Barracuda SSL VPN.

 

Answer:

The Barracuda SSL VPN is able to make use of SecurID authentication using the RADIUS feature to provide communication between the RSA server and the appliance.

When combined with the Active Directory user database, this method is especially powerful because accounts can be managed centrally, with both the appliance and the RSA Authentication Manager reading accounts from your Active Directory domain.

The following are the steps to set up the Barracuda SSL VPN to use RSA SecurID for authentication:

 

  1. Configure an Authentication Scheme that uses RADIUS authentication as one of the authentication stages
  2. Add an Agent Host Record for the Barracuda SSL VPN in order to allow communication between the appliance and the RSA server
  3. Add the appliance as an RSA RADIUS client
  4. Import tokens and add users
  5. Test the authentication process
  6. (Optional) Synchronize your Authentication Manager’s accounts database with your Active Directory domain controller

 

Configuring an Authentication Scheme that uses RADIUS

To begin setting up SecurID for authentication, you must first configure an authentication scheme that uses RADIUS.

  1. Browse to Manage System > Advanced > Configuration and configure the RADIUS settings:
    • RADIUS Server – The IP address of the RSA Authentication Manager RADIUS server.
    • Authentication Port – The port on which the RADIUS server is listening for authentication requests.
    • Accounting Port – The port on which the RADIUS server is listening for accounting requests.
    • Shared Secret – The password that must be set on both the Barracuda SSL VPN appliance and the Authentication Manager.
    • Authentication Method – This should be set to PAP (Password Authentication Protocol) unless otherwise instructed.
    • Time out – Seconds to wait for a response from the server before timing out upon authentication.
    • Authentication Retries – Number of times to re-attempt a timed-out authentication request.
  2. Browse to Manage System > Access Control > Authentication Schemes and configure a new authentication scheme that includes the RADIUS authentication. Create a new scheme.
  3. Assign authentication methods to the scheme. Add Password and also add RADIUS, to create a scheme with Password authentication as the primary method and RADIUS as the secondary method. Click Next.
  4. Choose the Policies to assign this authentication scheme to. For example, use the ‘Everyone’ policy to assign to all users. Review your settings and click Finish to create the new policy.

 

Add an Agent Host Record for the Barracuda SSL VPN

Next, you will need to create an Agent Host Record to allow the appliance and the RSA Authentication Manager to communicate with each other. This is done from within the Authentication Manager Control Panel software.

 

  1. Start the RSA Authentication Manager (named RSA Authentication Manager Host Mode on the Microsoft Windows Start Menu).
  2. Select Add Agent Host from the Agent Host menu. You will need to enter the values for your appliance such as network address.

 

Add the Barracuda SSL VPN as a RADIUS Client

Next, create an Agent Host Record to allow the appliance and the RSA Authentication Manager to communicate with each other. This is done from within the Authentication Manager Control Panel software.

 

  1. Start the RSA Authentication Manager (named RSA Authentication Manager Host Mode on the Microsoft Windows Start Menu).
  2. In RSA Authentication Manager, go to RADIUS > Manage RADIUS Server. You will need to have assigned at least one token to the administrative user at this stage.
  3. You will now need to add a new RADIUS client: select the RADIUS Clients node and select Add from the toolbar. Fill out the dialog using the example below as a guide and click OK.

 

Your server is now added as a RADIUS client and able to talk to RSA Authentication Manager.

 

Importing and Assigning Tokens

You will need to assign tokens to your users if you have not already done so. Since both RSA SecurID and the Barracuda SSL VPN support Active Directory authentication, you can either configure Active Directory support in both and use your existing user account database, or create accounts in the built-in databases of RSA Authentication Manager and your appliance.

Make sure you have decided on your user database strategy before proceeding further.

  1. Start the RSA Authentication Manager (named RSA Authentication Manager Host Mode on the Microsoft Windows Start Menu).
  2. Select Token > Import Token.
  3. Now you will need to assign imported tokens to your users. Locate your user from User > Edit User, and choose the Assign Token button.
  4. Click on the Select Token from List... button to display the Select Token dialog.
  5. Click OK and the user will be assigned the RSA key fob.

 

Testing the Authentication Process

Once the RADIUS authentication is configured, verify the authentication process using your RSA key fob. Since both Password and RADIUS methods are in the authentication scheme, you will need to enter username, password and your SecurID one-time-password. The following sample testing process assumes that this scheme is set as the default.

  1. Enter your username when prompted.
  2. The second stage prompts you for a password. This is the password for the user database you have currently configured, i.e. Active Directory.
  3. If the password was accepted, a second password prompt will be shown. This prompt asks for the OTP displayed on the key fob.
  4. If you configured the key fob with a PIN, e.g. '4567', you will need to enter this followed by the SecurID token code displayed on the device. For example, if the device displays '441370' you should enter '4567441370' in this field. If you do not have a PIN, simply enter the code displayed on the device.
  5. When successfully authenticated, you will be presented with the Favorites page.

 

Link to this page:

https://campus.barracuda.com/solution/50160000000IMtxAAG