The Barracuda Web Application Firewall supports SMS Passcode’s advanced two-factor authentication solution using the mobile phone SMS network. SMS Passcode provides strong authentication security as the passcodes are challenge based, session based, and time constrained. Passcodes are randomly generated and sent via SMS to your mobile phone or to your configured email address.
Configure the Barracuda Web Application Firewall
- Create a HTTP/HTTPS Service on the BASIC > Services page.
- Create a RADIUS authentication service on the ACCESS CONTROL > Authentication Services page. Ensure that the server IP address is pointing to the Windows RADIUS server that SMS Passcode uses.
- Navigate to the ACCESS CONTROL > Authentication page, click Edit next to the aervice to enable authentication policy and to choose the RADIUS authentication service with SMS Passcode from the Authentication Service drop-down list.
- If you wish to display a custom challenge page, configure the custom URL and query string fields in the authentication policy. Ensure that your challenge page receives these query string fields and displays the prompt, and includes the username in its login form (usually as a hidden input). For more information, see How to Set Up a Custom Challenge Page for Authentication.
- Configure the authorization policy as desired.
Verify the Setup and Authentication Process
- Navigate to the restricted URL by entering the IP address into the address bar of your web browser.
- The default authentication page, or the custom login page for authentication if you have configured it on ACCESS CONTROL > Authorization, will be presented. For information on creating a custom login page, see How to Set Up a Custom Login Page for Authentication. You will be prompted to enter your username and password. Enter username and password, click Login.
- Now, the user is redirected to the default challenge page or custom challenge URL (if configured), and a passcode is sent via SMS to the user’s phone.
- Enter the passcode and click Login.
- Now, the user should see the originally requested page.