We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

How to Integrate RSA SecurID with the Barracuda Web Application Firewall

  • Last updated on

 

The Barracuda Web Application Firewall can be configured as a RADIUS client to the RSA SecurID Server System, comprised of the RSA Authentication Manager and the Radius Server. Integrating the Barracuda Web Application Firewall with RSA SecurID requires three steps:

  1. Configure the RSA Authentication Manager.
  2. Configure the Barracuda Web Application Firewall.
  3. Verify the Setup and Authentication Process.

Configure the RSA Authentication Manager

Perform the following settings on the RSA Authentication Manager Server:

  1. Configure the RADIUS protocol settings to be used by the Barracuda Web Application Firewall
  2. Add the Barracuda Web Application Firewall as an Agent Host within the RSA Authentication Manager's Database
  3. Import SecurID Tokens
  4. Add Users to the RSA Authentication Manager and Assign Tokens

Configure the RADIUS Protocol Settings

  1. Before configuring the RADIUS protocol, ensure the RADIUS server is up and running on the RSA Authentication Manager Server System. To check:
    1. Go to Start > Programs > RSA Security and select RSA Authentication Manager Control Panel.
    2. Select Start & Stop RSA Auth Mgr Services in the tree on the left pane. The Status of RSA RADIUS Server must be Running. If not, click Start RADIUS to bring it up.
  2. On the RSA Authentication Manager Server System, go to Start > Programs > RSA Security and select RSA Authentication Manager Host Mode. Select the RADIUS menu, and select Manage RADIUS Server.
  3. When the RSA RADIUS window appears, select RADIUS Clients in the tree on the left pane.
  4. Click Add. The Add RADIUS Client window appears.
                  WAFRSA1.png
  5. Specify values for the following fields:
    1. Name Enter the hostname of the Barracuda Web Application Firewall.
    2. Description – Optional.
    3. IP Address Enter the IP address of the Barracuda Web Application Firewall.
    4. Shared Secret – Type the secret key. You will need to configure the same Shared Secret on the Barracuda Web Application Firewall in ACCESS CONTROL > Authentication Services > RSA SECURID.
    5. Make/Model Select Juniper-ERX.
  6. Click OK to save your settings.

Add the Barracuda Web Application Firewall as an Agent Host

  1. On the RSA Authentication Manager Server System, go to Start > Programs > RSA Security and select RSA Authentication Manager Host Mode.
  2. Select the Agent Host menu, and select Add Agent Host. The Add Agent Host window appears.

  3. Specify values for the following fields:
    1. Name: Enter the hostname of the Barracuda Web Application Firewall.
    2. Network Address: Enter the IP address of the Barracuda Web Application Firewall.
    3. Agent Type: Select RADIUS Server.
    4. Encryption Type: Select DES or SDI encryption.
    5. Select Open to All Locally Known Users and Requires Name Lock.
  4. Click User Activations... to assign users to the Agent host.
                   AddAgentHost.png

  5. Click OK. Now, the Barracuda Web Application Firewall is added as an Agent Host on the RSA Authentication Manager.

Import SecurID Tokens

  1. On the RSA Authentication Manager Server System, go to Start > Programs > RSA Security and select RSA Authentication Manager Host Mode.
  2. From the Token menu, select Import Tokens.
  3. Navigate to the token XML file provided by RSA and click Open to import the tokens.
  4. The Import Status window appears displaying the number of tokens imported.

                      ImportToken.png

Add Users to the RSA Authentication Manager and Assign Tokens

On the RSA Authentication Manager Server System, go to Start > Programs > RSA Security and select RSA Authentication Manager Host Mode.

  1. From the User menu, select Add User.
                AddUser.png
  2. The Add User window appears. Specify values for the following fields:
    1. First and Last Name Enter a user's first and last name.
    2. Default Login Enter the default username that will be used by the user to log in.
  3. Users on the RSA Server can be authenticated in two ways: Token Mode or Passcode Mode(default). In Token Mode, users authenticate using the Tokencode currently generated by the RSA SecurID authenticator. In Passcode Mode, users authenticate using a Passcode (Personal Identification Number (PIN) followed by the Tokencode).

    The random unpredictable code generated by the RSA SecurID authenticator at an interval of every 60 seconds is known as Tokencode.

    The combination of user’s PIN (Personal Identification Number) and the Tokencode currently generated by the user’s RSA SecurID authenticator is the user’s Passcode.


    A PIN can be generated:

    1. If Allowed to Create a PIN or Required to Create a PIN is NOT selected, the system generates the PIN and gives it to the user.
    2. If Allowed to Create a PIN is selected, the user may choose to create a PIN or have the system generate the PIN.The user is offered a system generated pin, and if declined, is prompted to enter a PIN.
    3. If Required to Create a PIN is selected, the user must enter a PIN and is prompted to do so when logging in.
  4. Select Allowed to Create a PIN or Required to Create a PIN as you prefer.
  5. Select Assign Token. Click Yes to confirm. The Select Token window appears.
    1. To automatically assign a token, select the method by which you want to sort the token using Sorted by in the Auto Select section. Click Unassigned Token, and then click OK.
    2. To manually select the token, click Select Token from List. In the Select Token window, select the serial number for the token to assign, and click OK.

       SelectAssignToken.png

  6. Give the user the serial number of the assigned token.

The RSA Authentication Manager configuration is now complete.

Configure the Barracuda Web Application Firewall

  1. Add the RSA SecurID server as an Authentication Service on the Barracuda Web Application Firewall
  2. Associate the RSA SecurID Authentication Service with a Service
  3. Configure the authorization policy for the service

Add the RSA SecurID Server as an Authentication Service

On the Barracuda Web Application Firewall web interface, go to ACCESS CONTROL > Authentication Services:

  1. Select the RSA SECURID  tab, and specify values for the following fields:
    1. Realm Name: Enter the realm name.
    2. Server IP: Enter the IP address of the RSA Authentication Server.
    3. Server Port: Default is 1812. If you aren't sure of the port, you can check on the RSA Authentication Manager Server system.
      1. Go to Start > Programs > RSA Security.
      2. Select RSA Authentication Manager Host Mode.
      3. On the Agent Host menu, choose Edit Agent Host to verify the values.
    4. Shared Secret: Provide the same Shared Secret you configured on the RSA Authentication Manager in the Configure the RADIUS Protocol Settings steps.
    5. Timeout: Enter the time the Barracuda Web Application Firewall waits for a response from the RSA RADIUS Server before retransmitting the packet.
    6. Retries: Enter the maximum number of times the Barracuda Web Application Firewall transmits a request packet to the RSA RADIUS server.
  2. Click Add to save your settings.

Associate the RSA SecurID Authentication Service with a Service

On the Barracuda Web Application Firewall web interface, go to the ACCESS CONTROL > Authentication Policies page:

  1. Click Edit Authentication next to the service that you want to associate with the RSA SecurID Authentication Service.
  2. On the Edit Authentication Policy window:
    1. Set Status to On.
    2. From the Authentication Service list, select the RSA SecurID authentication service you created in Add the RSA SecurID Server as an Authentication Service.
    3. Specify values for other parameters, and click Save. For more information on how to configure an authentication policy, click Help .

Configure the Authorization Policy for the Service

On the Barracuda Web Application Firewall web interface, go to the ACCESS CONTROL > Authentication Policies page:

  1. Click Add Authorization next to the service for which you want to configure the authorization policy.
  2. On the Add Authorization Policy window:
    1. Policy Name: Enter a name for the authorization policy.
    2. Status: Set to On.
    3. Specify values for other parameters as required, and click Save. For more information on how to configure an authorization policy, click Help.
  3. Click Edit next to the policy in the Authentication Policies section to configure advanced authorization settings.

                       Advanced_Settings_Auth_Policy.png

If you want users to authenticate using a custom login page when they attempt to access a resource protected by RSA SecurID, use the advanced authorization configuration and set Auth Not Done URL to the custom login URL.

Authorization using RSA is not possible using the RADIUS protocol when communicating with the RSA SecurID Server. Native authorization can be done through the Barracuda Web Application Firewall in this case.

Verify the Setup and Authentication Process

  1. Navigate to the restricted URL by entering the IP address into the address bar of your web browser.
  2. The default authentication page, or the custom login page for authentication if you configured it on ACCESS CONTROL > Authorization, will be presented.
                DefaultLogin.png
  3. Depending on your configuration, you will be prompted to enter your username and password. If configured in Passcode mode, you will be offered a system generated PIN, or instructed to provide a PIN.
                AllowedtoCreatePin.png
    System Generated Pin Screens
                SystemGeneratedPin.png
    User Generated Pin Screens
                UserGeneratedPin.png
  4. To verify your login results, navigate to BASIC > Access Logs on your Barracuda Web Application Firewall and enable the Login column by selecting the Login checkbox under the Detail column.

                Access_Logs.png

 

 

Last updated on