Specifications

After you add the user database, it appears in the User Databases section on the bottom of the page.
Authentication Schemes
To authenticate users with more than just their usernames and passwords, configure authentication schemes. Every authentication scheme
comprises at least one authentication module, such as PINs, passwords, certificates, or one-time passwords. You can add as many
authentication modules as your security policy requires. You can also configure a secure, default authentication method and offer users an
alternative method to log in. For example, you can require users to use their hardware token with client certification for normal logins, but allow
them to log in with a password and PIN code if they are using a computer that cannot use hardware tokens.
Some authentication modules must be used with other authentication modules. These modules are referred to as "secondary" authentication
modules because they require user information. Some modules can be used as primary or secondary authentication modules. The following table
lists the type of each available authentication module:

Authentication Module       Type
Client Certificate          Primary/Secondary
IP Address                  Primary/Secondary
Password                    Primary/Secondary
PIN                         Primary/Secondary
Public Key                  Primary/Secondary
RADIUS                      Primary/Secondary
OTP (One-Time Passwords)    Secondary
Personal Questions          Secondary

Client Certificate
The Client Certificate module validates an SSL client certificate installed in the browser's certificate store against the root certificate that is
uploaded to the Barracuda SSL VPN. The SSL client certificate can be installed manually, per Active Directory policy, or with a hardware token
using the vendor's utility. It is recommended that you use the Client Certificate module as a secondary module, because it authenticates the
browser and not the user directly. This is not the case when using hardware tokens or SSL client certificates containing user information that is
checked when processing the login.
For more information, see How to Configure SSL Client Certificate Authentication.
IP Address
The IP Address module is useful when users always log in from the same computer with the same IP address. You must manually specify the
allowed IP address for every user. If a user tries to authenticate from a computer with a different IP address, the login attempt is denied.
To configure the IP Address module, go to the ACCESS CONTROL > Accounts page and specify the allowed IP address for each user. To let a
user log in from any IP address, enter an asterisk (*).
Password
Password authentication is the classic authentication module and is used for almost every account. Passwords can be used either from external
authentication sources, such as an Active Directory server, or from the built-in user database. You can define a password policy to ensure that
only safe passwords are used. Passwords for external authentication methods can only be changed if the appliance has read/write access.
For more information on external authentication, see How to Create and Modify User Databases.
PIN
A PIN is a numeric password. Its length is configurable and usually varies between four and six digits. You can let users create their PINs during
initial logins, or you can manually assign PINs. After a PIN's configured lifetime, it expires and the user is asked to create a new PIN during the
next login. To prevent weak PINs, disable the use of sequential numbers (e.g., 1234).
To configure the PIN module, go to the PIN section on the ACCESS CONTROL > Security Settings page.
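
The PIN rules described above (numeric only, configurable length, no sequential numbers) can be expressed as a small check. This is an added example, not code from the Barracuda SSL VPN; the names PinPolicy, is_sequential and check_pin are hypothetical, the 4-6 default mirrors the "usually four to six digits" statement, and treating descending and wrap-around runs (4321, 8901) as sequential is an assumption that goes beyond the single 1234 example on the page.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    # Assumed defaults; the page only says the length is configurable
    # and usually between four and six digits.
    min_length: int = 4
    max_length: int = 6
    allow_sequential: bool = False


def is_sequential(pin: str) -> bool:
    """True if each digit follows the previous one by a constant +1 or -1.

    Differences are taken modulo 10, so 8901 and 1098 count as runs too
    (an assumption of this sketch, stricter than the page's 1234 example).
    """
    if len(pin) < 2:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})  # {1}: ascending, {9}: descending


def check_pin(pin: str, policy: PinPolicy = PinPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    # str.isdigit() also accepts non-ASCII digits, so require ASCII first.
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain only the digits 0-9"]
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(
            f"PIN length must be {policy.min_length}-{policy.max_length} digits")
    if not policy.allow_sequential and is_sequential(pin):
        problems.append("PIN is a sequential run of digits")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs, not taken from any real system.
    for candidate in ["1234", "4321", "8901", "2580", "12a4", "123"]:
        print(candidate, check_pin(candidate) or "accepted")
```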