In addition to local user authentication, you can add an external authentication server (AD, LDAP, RADIUS, or RSA) that is bound to the SSL gateway. All users with accounts on the bound authentication server can be authenticated.
The maximum time allowed to authenticate over SSL VPN is 3 minutes, because the non-authentication timeout is 3 minutes and is not a configurable property. So if the AD authentication timeout is set to more than 3 minutes, or if multiple authentication servers are chained and the total time taken to authenticate a user exceeds 3 minutes, the user is not authenticated.
Procedure
- In the SSL VPN-Plus tab, select Authentication from the left panel.
- Click the Add icon.
- Select the type of authentication server.
- Depending on the type of authentication server you selected, complete the following fields.
- AD authentication server
Table 1. AD Authentication Server Options
- Enable SSL: Enabling SSL establishes an encrypted link between the web server and the browser. Note: If you do not enable SSL, changing a password later from the SSL VPN-Plus tab or from the client machine might fail.
- IP Address: IP address of the authentication server.
- Port: Displays the default port. Edit if required.
- Timeout: Period in seconds within which the AD server must respond.
- Status: Select Enabled or Disabled to indicate whether the server is enabled.
- Search base: Part of the external directory tree to search. The search base may be something equivalent to the organizational unit (OU), domain controller (DC), or domain name (AD) of the external directory. Examples:
  - OU=Users,DC=aslan,DC=local
  - OU=VPN,DC=aslan,DC=local
- Bind DN: User on the external AD server permitted to search the AD directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory, using the search filter and search base, for the DN (distinguished name) of the AD user being authenticated. When the DN is returned, that DN and the user's password are used to authenticate the AD user. Example: CN=ldap.edge,OU=users,OU=Datacenter Users,DC=aslan,DC=local
- Bind Password: Password used to authenticate the bind DN to the AD server.
- Retype Bind Password: Retype the password.
- Login Attribute Name: Attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.
- Search Filter: Filter values by which the search is limited. The search filter format is attribute operator value. If you need to limit the search to a specific group in AD rather than allowing searches across the entire OU:
  - Do not put the group name inside the search base; put only OU and DC components there.
  - Do not put both objectClass and memberOf inside the same search filter string.
  Example of a correct search filter: memberOf=CN=VPN_Users,OU=Users,DC=aslan,DC=local
- Use this server for secondary authentication: If selected, this AD server is used as the second level of authentication.
- Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
- LDAP authentication server
Table 2. LDAP Authentication Server Options
- Enable SSL: Enabling SSL establishes an encrypted link between the web server and the browser.
- IP Address: IP address of the external server.
- Port: Displays the default port. Edit if required.
- Timeout: Period in seconds within which the server must respond.
- Status: Select Enabled or Disabled to indicate whether the server is enabled.
- Search base: Part of the external directory tree to search. The search base may be something equivalent to the organization, group, or domain name (AD) of the external directory.
- Bind DN: User on the external server permitted to search the directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory, using the search filter and search base, for the DN (distinguished name) of the user being authenticated. When the DN is returned, that DN and the user's password are used to authenticate the user.
- Bind Password: Password used to authenticate the bind DN to the server.
- Retype Bind Password: Retype the password.
- Login Attribute Name: Attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.
- Search Filter: Filter values by which the search is limited. The search filter format is attribute operator value.
- Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
- Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
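The AD and LDAP tables above describe the same lookup: the gateway binds as the Bind DN, searches the Search base with the Search Filter ANDed with the Login Attribute Name, and then authenticates with the returned DN. The following added example (not NSX code) builds that lookup filter with RFC 4515 escaping of the remote user's ID, so a crafted login name cannot alter the filter, and checks the two search-base/search-filter rules the AD table gives. The domain and group names are the page's own examples; everything else is an assumption.

```python
"""Build the AD/LDAP user lookup filter and check the page's configuration rules."""
from typing import List

# RFC 4515 escaping for values embedded in an LDAP search filter. Without it a
# remote user's login name such as "x*)(memberOf=*" would rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe inclusion in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_search_config(search_base: str, search_filter: str) -> List[str]:
    """Return the misconfigurations the page warns about (empty list = OK)."""
    problems = []
    # Rule 1: the search base holds only OU and DC components; the group
    # restriction belongs in the search filter, not the base.
    rdn_attrs = [r.strip().split("=", 1)[0].upper() for r in search_base.split(",")]
    if any(attr not in ("OU", "DC") for attr in rdn_attrs):
        problems.append("search base must contain only OU and DC components; "
                        "restrict to a group with a memberOf search filter instead")
    # Rule 2: objectClass and memberOf must not share one search filter string.
    lowered = search_filter.lower()
    if "objectclass=" in lowered and "memberof=" in lowered:
        problems.append("do not combine objectClass and memberOf in one search filter")
    return problems


def build_lookup_filter(login_attribute: str, user_id: str, search_filter: str = "") -> str:
    """Filter the bind DN searches with: (&(<login attr>=<user>)(<admin filter>)).

    login_attribute is sAMAccountName for Active Directory; user_id is what the
    remote user typed and is escaped; search_filter is the administrator's
    'attribute operator value' string from the Search Filter field.
    """
    user_clause = f"({login_attribute}={escape_filter_value(user_id)})"
    if not search_filter:
        return user_clause
    admin_clause = search_filter if search_filter.startswith("(") else f"({search_filter})"
    return f"(&{user_clause}{admin_clause})"


if __name__ == "__main__":
    base = "OU=Users,DC=aslan,DC=local"                       # page example
    group_filter = "memberOf=CN=VPN_Users,OU=Users,DC=aslan,DC=local"  # page example
    print(validate_search_config(base, group_filter))          # []
    print(build_lookup_filter("sAMAccountName", "jdoe", group_filter))
    print(build_lookup_filter("sAMAccountName", "x*)(memberOf=*", group_filter))
```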
- RADIUS authentication server
RADIUS authentication is disabled in FIPS mode.
Table 3. RADIUS authentication server options
- IP Address: IP address of the external server.
- Port: Displays the default port. Edit if required.
- Timeout: Period in seconds within which the server must respond.
- Status: Select Enabled or Disabled to indicate whether the server is enabled.
- Secret: Shared secret specified while adding the authentication agent in the RSA security console.
- Retype secret: Retype the shared secret.
- NAS IP Address: IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.
- Retry Count: Number of times the RADIUS server is contacted if it does not respond before the authentication fails.
- Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
- Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
- RSA-ACE authentication server
RSA authentication is disabled in FIPS mode.
Table 4. RSA-ACE authentication server options
- Timeout: Period in seconds within which the server must respond.
- Configuration File: Click Browse to select the sdconf.rec file that you downloaded from the RSA Authentication Manager.
- Status: Select Enabled or Disabled to indicate whether the server is enabled.
- Source IP Address: IP address of the NSX Edge interface through which the RSA server is accessible.
- Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
- Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
- Local authentication server
Table 5. Local authentication server options
- Enable password policy: If selected, defines a password policy. Specify the required values.
- Enable account lockout policy: If selected, defines an account lockout policy. Specify the required values.
  - In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.
  - In Retry Duration, type the time period within which the unsuccessful login attempts must occur for the remote user's account to be locked. For example, if you specify Retry Count as 5 and Retry Duration as 1 minute, the remote user's account is locked if the user makes 5 unsuccessful login attempts within 1 minute.
  - In Lockout Duration, type the time period for which the user account remains locked. After this time, the account is automatically unlocked.
- Status: Select Enabled or Disabled to indicate whether the server is enabled.
- Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
- Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
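The three lockout settings above interact as a sliding window: Retry Count failures inside one Retry Duration lock the account for Lockout Duration, after which it unlocks on its own. The added example below (not NSX code) implements that policy so the page's worked case (5 attempts within 1 minute) can be traced; the lockout duration of 5 minutes and the user names are assumptions.

```python
"""Account lockout policy from Table 5 as a sliding-window tracker (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    retry_count: int = 5          # page example: 5 failed attempts ...
    retry_duration: int = 60      # ... within 1 minute (seconds)
    lockout_duration: int = 300   # assumption: account stays locked for 5 minutes


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: Dict[str, List[float]] = field(default_factory=dict)   # user -> failure times
    locked_until: Dict[str, float] = field(default_factory=dict)     # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # Lockout Duration elapsed: automatic unlock
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record an incorrect password at time `now`; True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        # Keep only failures that fall inside the Retry Duration window ending at `now`.
        window = [t for t in self.failures.get(user, []) if now - t < self.policy.retry_duration]
        window.append(now)
        self.failures[user] = window
        if len(window) >= self.policy.retry_count:
            self.locked_until[user] = now + self.policy.lockout_duration
            return True
        return False

    def record_success(self, user: str) -> None:
        """A correct password clears the failure history (only reachable while unlocked)."""
        self.failures.pop(user, None)


def first_lock_time(attempt_times: List[float], policy: Optional[LockoutPolicy] = None) -> Optional[float]:
    """Replay a sequence of failed attempts; return the time the lock engaged, or None."""
    tracker = LockoutTracker(policy or LockoutPolicy())
    for t in attempt_times:
        if tracker.record_failure("remote-user", t):   # assumed user name
            return t
    return None
```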
- (Optional) Add client certificate authentication.
- Next to Certificate Authentication, click Change.
- Select the Enable client certificate authentication check box.
- Select a client certificate issued by the Root CA and click OK.
Restriction:
- On the SSL VPN-Plus Web Portal and the SSL VPN-Plus full access client (PHAT client), only client or user certificates signed directly by the Root CA are supported. Client certificates signed by an Intermediate CA are not supported.
- Client certificate authentication is supported only on an SSL VPN-Plus client that is installed on a Windows computer. This authentication is not supported on an SSL VPN-Plus client that is installed on Linux and Mac computers.