Barracuda VPN RADIUS integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.
Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.
Arculix by SecureAuth offers a simple solution for adding MFA to Barracuda VPN via its RADIUS solution. This manual illustrates how to configure both a Barracuda NextGen Firewall device and an Arculix MFA solution.
Prerequisites
Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).
For more information, see the Arculix RADIUS Agent deployment guide.
User account with administrative privileges for the Barracuda NextGen Firewall device.
Arculix RADIUS Agent configuration
To integrate Arculix with your Barracuda NextGen Firewall, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Barracuda NextGen Firewall, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.
Follow these steps to configure the Arculix RADIUS Agent.
Log in to the Arculix RADIUS Agent as an administrator.
Open the radius-agent-config.env file with an editor.
The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.
At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:
Note
The values should be separated by semicolons (;).
ARA_CLIENTS = <An optional name for your Barracuda device>; <Internal IP address of your Barracuda device>; <a shared secret>
For example, set:
ARA_CLIENTS = Barracuda;192.168.1.50/32;testing12345
Save the file.
Run the following command to apply the changes:
docker-compose down && docker-compose up -d
Barracuda NextGen Firewall configuration
In this section, you'll configure Barracuda NextGen Firewall as a service provider (SP).
Log in to the Barracuda NextGen Firewall administrative interface using the NextGen Admin client.
Select the CONFIGURATION tab and go to Infrastructure Services > Authentication Service.
Select RADIUS Authentication and click Lock to enable the configuration of a new RADIUS server.
Click the + icon and add the Arculix RADIUS Agent IP address to the list of RADIUS servers.
Enter the shared secret key between the Arculix RADIUS Agent and the Firewall.
Note
The timeout of the RADIUS call is increased to 120 seconds to allow the user enough time to allow the multi-factor request.
Select Send Changes and click Activate to commit the configuration.
Go to Configuration Tree > Virtual Servers and select a virtual server. Click VPN (VPN-Services).
Note
If the VPN entry does not appear, follow these steps to add it to the virtual server before proceeding:
Right-click Assigned Services and select Create Service.
Add a VPN service,
Expand VPN (VPN-Services) and double-click SSL-VPN to open the VPN setup page.
In the Configuration section, select Login.
In the Login section, set Identity Scheme to Radius.
Click Send Changes. Then, click Activate to commit the new configuration.
Test your application integration
Launch the CudaLaunch utility and click Connect.
When prompted, enter your Windows username and password.
The Arculix Mobile app receives a push notification for your approval to log in.
After access is approved, the VPN home page will be displayed.
Troubleshooting
If the authentication fails to work as expected, you can troubleshoot by running the phibstest utility in the command line of the Barracuda NextGen Firewall.
To display the status of the authentication services, run the following command in a command line program:
phibstest s | grep radius
The return should show:
fac_auth_radius_active = 1 fac_auth_radius_busy = 0 fac_auth_radius_error = 0 fac_auth_radius_max = 5 fac_auth_radius_ready = 1 fac_auth_radius_status = Ready
If the status does not display Ready, or there are errors, check the log files located at /phio0/logs/. The relevant logs files are:
box_Control_AuthService.log
box_Firewall_Activity.log
Test reachability of the RADIUS server by running the command below.
Note
If you do not specify the timeout parameter, the call to the RADIUS server will time out after 5 seconds.
phibstest 127.0.0.1 a authscheme=radius server=S1 service=VPN user=WindowsUser password=WindowsPassword timeout=120
If the connectivity is impaired, ensure that your firewall access list allows outbound RADIUS traffic over UDP port 1812.
If the authentication between the firewall and the Arculix RADIUS Agent is failing, ensure that the shared secret is correct.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.
Barracuda and Barracuda NextGen Firewall are trademarks of Barracuda Networks® and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.
Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.