
After you add the user database, it appears in the User Databases section on the bottom of the page.
Authentication Schemes
To authenticate users with more than just their usernames and passwords, configure authentication schemes. Every authentication scheme
comprises at least one authentication module, such as PINs, passwords, certificates, or one-time passwords. You can add as many
authentication modules as your security policy requires. You can also configure a secure, default authentication method and offer users an
alternative method to log in. For example, you can require users to use their hardware token with client certification for normal logins, but allow
them to log in with a password and PIN code if they are using a computer that cannot use hardware tokens.
Some authentication modules must be used with other authentication modules. These modules are referred to as "secondary" authentication
modules because they require user information. Some modules can be used as primary or secondary authentication modules. The following table
lists the type of each available authentication module:
Authentication Module
Type
Primary/Secondary
Primary/Secondary
Primary/Secondary
Primary/Secondary
Primary/Secondary
Primary/Secondary
Secondary
Secondary
Client Certificate
The Client Certificate module validates an SSL client certificate installed in the browser's certificate store against the root certificate that is
uploaded to the Barracuda SSL VPN. The SSL client certificate can be installed manually, per Active Directory policy, or with a hardware token
using the vendor's utility. It is recommended that you use the Client Certificate module as a secondary module, because it authenticates the
browser and not the user directly. This is not the case when using hardware tokens or SSL client certificates containing user information that is
checked when processing the login.
For more information, see How to Configure SSL Client Certificate Authentication.
IP Address
The IP Address module is useful when users always log in from the same computer with the same IP address. You must manually specify the
allowed IP address for every user. If a user tries to authenticate from a computer with a different IP address, the login attempt is denied.
To configure the IP Address module, go to the ACCESS CONTROL > Accounts page and specify the allowed IP address for each user. To let a
user log in from any IP address, enter an asterisk (*).
Password
Password authentication is the classic authentication module and is used for almost every account. Passwords can be used either from external
authentication sources, such as an Active Directory server, or from the built-in user database. You can define a password policy to ensure that
only safe passwords are used. Passwords for external authentication methods can only be changed if the appliance has read/write access.
For more information on external authentication, see How to Create and Modify User Databases.
PIN
A PIN is a numeric password. Its length is configurable and usually varies between four and six digits. You can let users create their PINs during
initial logins, or you can manually assign PINs. After a PIN's configured lifetime, it expires and the user is asked to create a new PIN during the
next login. To prevent weak PINs, disable the use of sequential numbers (e.g., 1234).
To configure the PIN module, go to the PIN section on the ACCESS CONTROL > Security Settings page.
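The PIN rules described above (digits only, configurable length, expiry after a set lifetime, no sequential numbers), written out as an added example. This is not Barracuda's code; the length bounds, the 90-day lifetime, and the definition of "sequential" (each digit exactly one higher or one lower than the previous, no wrap-around) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values: the page says the length is configurable, usually 4-6 digits.
MIN_LEN, MAX_LEN = 4, 6
PIN_LIFETIME = timedelta(days=90)  # hypothetical lifetime, not a product default


def is_sequential(pin: str) -> bool:
    """True if every digit steps by +1 (1234) or by -1 (4321) from the previous one."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def check_pin(pin: str) -> list[str]:
    """Return the policy violations for a candidate PIN (empty list = accepted)."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain digits only"]
    problems = []
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        problems.append(f"PIN length must be {MIN_LEN}-{MAX_LEN} digits")
    if is_sequential(pin):
        problems.append("sequential PINs are not allowed")
    return problems


def must_renew(pin_set_at: datetime, now: datetime) -> bool:
    """True once the lifetime has elapsed; the user then creates a new PIN at next login."""
    return now - pin_set_at >= PIN_LIFETIME


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("1234", "654321", "4071", "12a4", "123"):
        print(candidate, check_pin(candidate) or "accepted")
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(must_renew(issued, datetime(2024, 3, 1, tzinfo=timezone.utc)))
    print(must_renew(issued, datetime(2024, 4, 1, tzinfo=timezone.utc)))
```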