Applies to Barracuda SSL VPN.
The Barracuda SSL VPN appliance can be configured to authenticate to a SafeWord server using the RADIUS feature of the product. Note that SafeWord requires an Active Directory database and Internet Authentication Server (IAS) installed on the Domain Controller.
The following are the steps to set up the Barracuda SSL VPN to use SafeWord for authentication:
- Install and configure the SafeWord Server
- Configure an IAS
- Create an Authentication Scheme that uses RADIUS authentication as one of the authentication stages
- Test the authentication process
If your SafeWord server is already installed, skip to Configuring SafeWord. Otherwise:
- Start the setup from the CD.
- Enter the serial number and click OK.
- More files will download from the update server before the installation starts.
- Click the top option, then Next. Visual C++ redistributable files along with additional update files are then downloaded.
- Safeword Server and Active Directory Management Console should already be selected. Scroll down to select IAS (RADIUS) Agent, and click Next.
- Change the Server Ports as required, then enter the Encryption and Signing Keys. Click Next.
- Make sure that the correct domain is entered, and click Next. More files will install before the installer will restart the Internet Authentication Service. This completes the installation process.
If your SafeWord server is already configured, skip to Configuring IAS.
- Launch Active Directory Users and Computers.
- Expand the domain and click on the Safeword folder.
- Enter an administration password to be used with Safeword and click OK. A web page will appear asking for a new password for the User Center.
- Enter a new password and click Submit. Next, return to the Active Directory Users and Computers window and click on Import/Backup/Restore under Safeword.
- In the Import Tokens section, click Browse and navigate to the import file on the CD provided with the tokens. Click Import. Once you do so, a list of tokens that are available to be assigned to users will be listed in the Tokens section.
- Bring up the properties screen for a user to whom you want to assign a token, and select the Safeword tab. Enter the Token serial number and an optional PIN code if you want to use one. Click Apply to activate the lower part of the properties page, where you can enter a passcode from the token to verify that it is working. If this test fails more than once, click the Re-sync button before trying again.
- While in the user properties, go to the Dial-in tab and select Allow access in the Remote Access Permission section.
If you haven't already done so, create a new RADIUS client in your Internet Authentication
- Start the Internet Authentication Service management console and create a new RADIUS client that points to your test client.
- For the Client Vendor, choose RADIUS Standard and enter a shared secret, i.e. a password.
- Using a tool such as NTRadPing, test the RADIUS response.
- Enter the server name, port 1812 and the secret key. Enter the username to test against and the passcode generated by the token (followed by the PIN if that option was set). Click Send; if everything is working, you should see an Access-Accept response.
- Go back to IAS to create a RADIUS client that points to the IP address of the Barracuda SSL VPN.
Join the IAS to the Barracuda SSL VPN
Once both systems have been individually set up, you will need to join them to each other.
- On the Barracuda SSL VPN, go to Manage System > Advanced > Configuration and browse to the RADIUS section. Enter the IAS server address and shared secret. Set the Authentication Method to CHAP and click OK.
- Go to Manage System > Access Control > Authentication Schemes and create a new Scheme. Give it a descriptive name such as Safeword, and select both Password (primary) and RADIUS (primary) to configure a 2-layer authentication. If you decide to select just RADIUS on its own, then the appliance will prompt for the user's password whenever it is required for anything.
- If RADIUS is to be the default scheme, move it to the top of the list.
- Test the login process.
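The RADIUS test step and the CHAP setting above can also be exercised from a script. The following is an added example, not part of the original article or of any Barracuda or SafeWord tooling: it builds a CHAP Access-Request as defined in RFC 2865 and accepts a reply only if its Response Authenticator verifies against the shared secret. The user name, passcode, shared secret and the offline stand-in reply are constructed sample values.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RFC 2865 attribute types

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_chap_request(user, passcode, ident=1, chap_id=1):
    """Access-Request carrying CHAP-Password; the passcode never leaves in clear."""
    authenticator, challenge = os.urandom(16), os.urandom(16)
    digest = hashlib.md5(bytes([chap_id]) + passcode.encode() + challenge).digest()
    attrs = (attr(USER_NAME, user.encode())
             + attr(CHAP_PASSWORD, bytes([chap_id]) + digest)
             + attr(CHAP_CHALLENGE, challenge))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def check_reply(reply, request, secret):
    """Return the reply code, but only if the Response Authenticator verifies."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply) or ident != request[1]:
        raise ValueError("bad length or identifier")
    reply = reply[:length]                      # octets past Length are padding
    # MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or forged reply)")
    return code

def send(server, request, secret, port=1812, timeout=5.0):
    """Send to the RADIUS server and return the verified reply code."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        return check_reply(sock.recvfrom(4096)[0], request, secret)

def constructed_reply(request, code, secret):
    """Constructed stand-in for the server's reply so the example runs offline."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # constructed sample values
    req = build_chap_request("testuser", "123456", ident=7)
    print(check_reply(constructed_reply(req, ACCESS_ACCEPT, secret), req, secret))
```

Against a live server, call send() with the IAS address and the shared secret entered for the RADIUS client; a return value of 2 corresponds to Access-Accept and 3 to Access-Reject.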