How do I configure my Barracuda NG Firewall® device in IPSec mode for use with ESET Secure Authentication?

https://support.eset.com/kb3572

Introduction

This article describes how to configure a Barracuda NG Firewall® device to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before your Barracuda NG Firewall® device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, the server running the ESA RADIUS service must be set up as a RADIUS Server on the Barracuda NG Firewall® device. Once both configurations are in place, you can start logging into your Barracuda NG Firewall® using ESA OTPs.

Step I - RADIUS client configuration



The RADIUS protocol requires that access requests to RADIUS servers include the IP address for the RADIUS client (for example, the Barracuda NG Firewall® device).

To allow the Barracuda NG Firewall® device to communicate with your ESA Server, you must configure the device as a RADIUS client on your ESA RADIUS Server:

  1. Launch the ESA Management Console (found under Administrative Tools).
  2. Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
  3. Right-click the hostname and select Add Client from the context menu.
  4. Configure a RADIUS client (see Figure 1-1 below).

Configuring your RADIUS client

  • To avoid locking existing AD users who are not yet 2FA-enabled out of your VPN, we recommend that you allow Active Directory passwords without OTPs during the transition phase. It is also recommended that you limit VPN access to a security group (for example VPNusers).
  • Make sure that the check box next to Mobile Application is selected.
  • Select the check box next to Compound Authentication (passwordOTP).

Figure 1-1

  5. Click OK. Restart the RADIUS service from the Services control panel when you are prompted.

ESA has now been configured to communicate with the Barracuda NG Firewall®. You must now configure the Barracuda NG Firewall® device to communicate with the ESA Server.

Step II - Configure RADIUS Authentication on your Barracuda NG Firewall® device


  1. Log into the NG Firewall® using NGAdmin.
  2. Navigate to Config → Config Tree → Box\Infrastructure Services\Authentication Service.
  3. Select RADIUS Authentication and then select Yes from the Activate Scheme drop-down menu (see Figure 2-1).
  4. Click to add a new RADIUS Server (see Figure 2-1 and Figure 2-2 below).

Figure 2-1

  5. Type your ESA Server IP address and Radius Server Key (your Shared Secret from Figure 1-1) into the Radius Server Address and Radius Server Key fields, respectively.

Figure 2-2

Step III - Configure Group Policy options


  1. Navigate to Config → Config Tree → Box\Virtual Servers\[Your Virtual Server name]\VPN Service\Client to Site\.
  2. Click the External CA tab → Click here for options.

Figure 3-1

  3. Select radius from the Authentication Scheme drop-down menu.

Figure 3-2

Step IV - Test the connection


  1. Run Barracuda VPN Client®.
  2. Choose your VPN profile and enter the credentials of your test user. Make sure the account has ESA Mobile Application 2FA enabled. In the password field, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of Pa$$w0rd and an OTP of 616623, you should type Pa$$w0rd616623.

Troubleshooting



If you are unable to authenticate via the ESA RADIUS server, check your Barracuda NG Firewall® logs for any errors. To view these logs, navigate to Logs and open the log file Box\Control\AuthService.

If consulting your logs does not enable you to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as described in the Verifying ESA RADIUS Functionality document.
  2. If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect.
  3. If you are still unable to connect, contact ESET technical support.
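
The following Python sketch is an added example, not ESET or Barracuda tooling, showing what a RADIUS smoke test for this setup sends: an Access-Request carrying the compound password (AD password followed by the OTP, as in Step IV) and the client's IP address, plus a check of the reply's Response Authenticator that fails when the shared secret on the two sides differs. It assumes PAP (the User-Password attribute) and the standard RADIUS port UDP 1812; the function names are hypothetical, and any addresses and secrets you pass in are your own.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, ad_password, otp, secret, nas_ip, ident=1, authenticator=None):
    """Return (packet, request_authenticator) for a compound password+OTP login."""
    authenticator = authenticator or os.urandom(16)
    compound = (ad_password + otp).encode()  # AD password immediately followed by the OTP
    attrs = (attr(1, user.encode())                                     # User-Name
             + attr(2, hide_password(compound, secret, authenticator))  # User-Password
             + attr(4, socket.inet_aton(nas_ip)))                       # NAS-IP-Address
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))             # Code 1: Access-Request
    return header + authenticator + attrs, authenticator

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept a reply only if its Response Authenticator was computed with the shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def smoke_test(server, secret, user, ad_password, otp, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request; return 'accept', 'reject', 'challenge', 'unknown' or 'bad-authenticator'."""
    packet, req_auth = build_access_request(user, ad_password, otp, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # a timeout often means wrong IP/port or an unregistered client
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    if not verify_response(reply, req_auth, secret):
        return "bad-authenticator"  # typically a shared-secret mismatch between client and server
    return {2: "accept", 3: "reject", 11: "challenge"}.get(reply[0], "unknown")
```

Run `smoke_test` from a host whose IP address is registered as a RADIUS client in Step I, using a fresh OTP for each attempt.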
