How do I configure my Barracuda SSL VPN™ device for use with ESET Secure Authentication?

Details

The Barracuda SSL VPN™ is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any web browser and, with ESET Secure Authentication (ESA), is easily made more secure with a second authentication factor.

Solution

Introduction

This article describes how to configure a Barracuda SSL VPN™ to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before your Barracuda SSL VPN™ device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be set up as a RADIUS Server on the Barracuda SSL VPN™ device. Once these configurations have been specified, you can start logging into your Barracuda SSL VPN™ using ESA OTPs.

NOTE:

This integration guide uses the "VPN does not validate AD user name and password" VPN type for this particular VPN appliance. If you wish to use another VPN type, refer to the generic description of VPN types and verify with the vendor that the VPN appliance supports it.

Step I - RADIUS client configuration



The RADIUS protocol requires that access requests to RADIUS servers include the IP address for the RADIUS client (for example, the Barracuda SSL VPN™ device).

To allow the Barracuda SSL VPN™ device to communicate with your ESA Server, you must configure the device as a RADIUS client on your ESA RADIUS Server:

  1. Launch the ESA Management Console (found under Administrative Tools).
  2. Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
  3. Right-click the hostname and select Add Client from the context menu.
  4. Configure a RADIUS client (see Figure 1-1).

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN, we recommend that you allow Active Directory passwords without OTPs during the transitioning phase. It is also recommended that you limit VPN access to a security group (for example VPNusers).
  • Make sure that the check box next to Mobile Application is selected.

Figure 1-1

ESA has now been configured to communicate with the Barracuda SSL VPN™ device. You must now configure the Barracuda SSL VPN™ device to communicate with the ESA Server. First, create a new authentication scheme, then configure the settings for your RADIUS server.

Step II - Create a new authentication scheme



To create the new authentication scheme, follow the steps below:

  1. Log in to your Barracuda admin interface
  2. Click on Access Control > Authentication Schemes
  3. Create a new scheme, using the following values:

    Name: "ESA RADIUS"
    Selected Modules: Add "RADIUS" from the "Available Modules" list
    Selected Policies: Add your applicable policies from the "Available Policies" list
  4. Click Add.

Step III - Configure the settings for your RADIUS server



While still in the admin interface, follow the steps below:

  1. Click on Access Control > Configuration
  2. In the RADIUS section, set the parameters shown below to the following values:

    RADIUS Server: The IP address of your ESA RADIUS server
    Authentication Port: 1812
    Backup RADIUS servers: Add any redundant ESA RADIUS servers you have set up, or leave blank otherwise
    Shared Secret: The same shared secret that you defined in Step I
    Authentication Method: PAP
    Time out: 30
    Authentication Retries: 2
    Reject challenge: No
  3. Click Save Changes
  4. Test the setup by navigating to the URL that you normally use for SSL VPN logins. Enter the credentials of your test user:

    - Ensure that you are using a user that has been enabled for Mobile Application 2FA using ESA
    - In the password field, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of "Blink182" and an OTP of 999111, type in Blink182999111
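The Step III settings (PAP, UDP port 1812, timeout 30, 2 retries) and the password-plus-OTP login from the test step can be exercised with a minimal RADIUS client. The following is an added example, not ESET or Barracuda code; the function names, user name, shared secret and the 192.0.2.10 address are assumptions, and the PAP password hiding follows RFC 2865.

```python
import hashlib
import hmac
import socket
import struct

def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: XOR 16-byte blocks with MD5 output."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, ad_password, otp, secret, nas_ip, identifier, authenticator):
    """Access-Request (code 1) with AD password and OTP joined into one PAP password."""
    compound = (ad_password + otp).encode()
    attrs = (attr(1, user.encode())                                          # User-Name
             + attr(2, hide_pap_password(compound, secret, authenticator))   # User-Password
             + attr(4, socket.inet_aton(nas_ip)))                            # NAS-IP-Address
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator; a mismatch usually means the shared secrets differ."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def send_request(packet, server, port=1812, timeout=30, retries=2):
    """Send over UDP; return the raw reply, or None if every attempt timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(packet, (server, port))
            try:
                return sock.recvfrom(4096)[0]
            except socket.timeout:
                continue
    return None
```

Pass `os.urandom(16)` as the authenticator for a real request, and run it from a host that is registered as a RADIUS client on the ESA Server. The first byte of the reply is the RADIUS code: 2 is Access-Accept, 3 is Access-Reject, 11 is Access-Challenge.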

Troubleshooting



If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per the "Verifying ESA RADIUS Functionality" document.
  2. If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect.
  3. If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between your VPN device and your RADIUS server.
  4. If you are still unable to connect, contact ESET technical support.

 


